Microsoft Defender Spoofing Vulnerability Allows Privilege Escalation and AD Access
- Source: Vulnerability (cybersecuritynews.com)
Author: Guru Baran
A critical spoofing vulnerability in Microsoft Defender for Identity (MDI) allows unauthenticated attackers to escalate privileges and gain unauthorized access to Active Directory environments.
The vulnerability, designated as CVE-2025-26685, exploits the Lateral Movement Paths (LMPs) feature in the MDI sensor, enabling attackers to capture authentication credentials and potentially compromise entire organizational networks.
Microsoft Defender Spoofing vulnerability
Security researchers at NetSPI stated that the vulnerability specifically targets the MDI sensor installed on Domain Controllers, which uses a Directory Service Account (DSA) to query systems for Local Administrators group members and map lateral movement paths within environments.
An unauthenticated attacker with local network access can initiate a connection to a Domain Controller that triggers the MDI sensor to authenticate and query the attacker’s system using the SAM-R protocol.
The attack process involves downgrading authentication from Kerberos to NTLM, resulting in the capture of the DSA’s Net-NTLM hash.
For successful exploitation, two critical conditions must be met: the attacker system must have an associated DNS record, which occurs automatically when Windows DHCP servers are used with Active Directory environments, and the attacker must initiate an anonymous connection, generating a specific Windows Event ID.
The exploitation can be triggered using simple commands such as rpcclient -U "" -N [DC-IP] on Linux systems or net use \\{DC IP}\ipc$ "" /user:"" on Windows systems.
These commands initiate SMB Anonymous Null Sessions that generate the required Windows Event ID, prompting the MDI sensor to authenticate to the attacker’s system and attempt LMP mapping.
Once the Net-NTLM hash is captured, attackers can pursue multiple escalation paths. The captured hash can be taken offline for password cracking using tools like Hashcat or combined with other vulnerabilities for immediate privilege escalation.
NetSPI demonstrated a particularly dangerous attack chain involving the ESC8 vulnerability in Active Directory Certificate Services (ADCS), where attackers can relay captured authentication data to certificate enrollment endpoints.
Using tools like Certipy with the command certipy relay -target 'http://[ADCS-CA]', attackers can request certificates in the DSA context, ultimately retrieving Ticket Granting Tickets (TGT) and NT hashes for the DSA account.
This attack path requires no initial authentication and can be executed entirely from the local network perimeter.
The compromised DSA account, while typically lower-privileged, grants attackers significant reconnaissance capabilities, including read privileges over all Active Directory objects and the ability to query Local Administrators groups across network systems when SAM-R is configured.
Mitigations
Organizations can implement several detection strategies to identify potential exploitation attempts.
Primary detection focuses on monitoring authentication events for the DSA account originating from non-Domain Controller IP addresses, as the DSA should only authenticate from Domain Controllers via the MDI sensor.
Additional detection opportunities include monitoring LDAP requests containing strings like (objectCategory=pKIEnrollmentService) and certificate issuance events using Windows Event ID 4887.
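As an added illustration, not code from the article or from NetSPI, the three detection signals just described applied to constructed log records. The DSA account name, the Domain Controller addresses, the "id|account|ip|detail" record format and the use of Windows event 4624 as the authentication-event source are assumptions made for this example.

```python
from dataclasses import dataclass

# Constructed values for this example: the defender is assumed to know the
# DSA account name and the Domain Controller addresses. Both are assumptions.
DSA_ACCOUNTS = {"svc-mdi-dsa"}
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}
PKI_MARKER = "(objectcategory=pkienrollmentservice)"  # compared case-insensitively
LOGON_EVENT = 4624        # Windows successful-logon event (assumed as the auth source)
CERT_ISSUED_EVENT = 4887  # Certificate Services issued a certificate (from the article)

@dataclass
class Event:
    event_id: int    # Windows event ID, or 0 for an LDAP request record
    account: str     # account that logged on / requested / was issued a cert
    source_ip: str   # network address the request came from
    detail: str      # LDAP filter text or free-form detail

def parse_line(line: str) -> Event:
    """Parse one record of the constructed 'id|account|ip|detail' log format."""
    event_id, account, source_ip, detail = line.split("|", 3)
    return Event(int(event_id), account.strip().lower(), source_ip.strip(), detail.strip())

def detect(events: list[Event]) -> list[str]:
    """Apply the article's three detection ideas and return one alert per hit."""
    alerts = []
    for e in events:
        is_dsa = e.account in DSA_ACCOUNTS
        # 1. The DSA only ever authenticates from a Domain Controller via the sensor.
        if is_dsa and e.event_id == LOGON_EVENT and e.source_ip not in DC_ADDRESSES:
            alerts.append(f"DSA {e.account} logon from non-DC {e.source_ip}")
        # 2. An LDAP lookup of certificate enrollment services precedes an ESC8 relay.
        if PKI_MARKER in e.detail.lower():
            alerts.append(f"pKIEnrollmentService query from {e.source_ip} as {e.account}")
        # 3. A certificate issued to the DSA: the sensor account never needs one.
        if is_dsa and e.event_id == CERT_ISSUED_EVENT:
            alerts.append(f"certificate issued to DSA {e.account}")
    return alerts

# Constructed sample records (not real logs); the third is an LDAP request.
SAMPLE_LOG = [
    "4624|svc-mdi-dsa|10.0.0.10|expected sensor logon from a DC",
    "4624|svc-mdi-dsa|10.0.5.77|logon from the workstation subnet",
    "0|svc-mdi-dsa|10.0.5.77|(objectCategory=pKIEnrollmentService)",
    "4887|svc-mdi-dsa|10.0.0.50|Certificate Services issued a certificate",
    "4624|jdoe|10.0.5.12|ordinary user logon",
]

def run_sample() -> list[str]:
    """Run the rules over SAMPLE_LOG: three alerts, none for the benign records."""
    return detect([parse_line(line) for line in SAMPLE_LOG])
```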
Microsoft’s primary remediation recommendation involves migrating to the unified XDR sensor (version 3.x), which was never vulnerable to this attack vector as it utilizes different detection methods.
The classic MDI sensor will be updated to replace SAM-R queries with WMI queries locked to Kerberos authentication.
Organizations can also configure DSA accounts as Group Managed Service Accounts (gMSA) to limit password cracking impact, or request complete disabling of the Lateral Movement Paths data collection feature through Microsoft support.