Windows Kerberos bug: How to detect signs of exploitation before the update?

Microsoft has shared more details about the critical elevation of privilege bug found in Microsoft Windows Kerberos Key Distribution Center (CVE-2014-6324) which is being exploited in “limited, targeted attacks” in the wild, and has once again urged admins and users to apply the issued patch.

The vulnerability is remotely and easily exploitable, and allows remote elevation of privilege in domains running Windows domain controllers. An attacker in possession of the credentials of any domain user can elevate their privileges to that of any other account on the domain (including domain administrator accounts).

After explaining how Kerberos works, they pointed out that currently only domain controllers running on Windows Server 2008R2 and below are under attack, and that they should be the first one to get updated.

The next ones are domain controllers running 2012 and above because they are vulnerable to a related attack that’s more difficult to execute, and then, finally, all other systems running any version of Windows.

These updates are the only way to plug this hole, as there are no workarounds available.

“Companies currently collecting event logs from their domain controllers may be able to detect signs of exploitation pre-update,” they shared, but warned that this logging will only catch known exploits: “There are known methods to write exploits that will bypass this logging.”

There are also ways to detect active attacks aimed at exploiting this vulnerability (more details available here).

“The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain,” they added. “An attacker with administrative privilege on a domain controller can make a nearly unbounded number of changes to the system that can allow the attacker to persist their access long after the update has been installed.”

Don't miss