The security update for the recently published CVE-2024-21427 (Windows Kerberos Security Feature Bypass Vulnerability) fixes a potential bypass of the authentication policies configured in Active Directory. We strongly recommend deploying the latest security updates, including this patch, to your servers and devices, starting with your domain controllers, since the KDC is where these policies are enforced, to help ensure you have the latest protections available.
As with every vulnerability or attack surface disclosure, our research teams actively investigate possible exploits, working to patch potential issues and provide out-of-the-box detection methods. Before being made generally available, these detections undergo rigorous testing in our lab environments as well as experimental deployments to ensure they meet our performance and accuracy standards. In this instance, the Microsoft Defender for Identity team has also added a new activity to the Advanced Hunting experience in the Defender portal that can help you spot potential attempts to exploit this vulnerability.
Using the advanced hunting activity:
To help you identify whether this vulnerability has been exploited in your environment, and to alert you to future attempts, we added a new activity within Advanced Hunting that monitors the Kerberos Authentication Service (AS) exchange, the initial request a client sends to the KDC. A normal AS request asks for a ticket-granting ticket (the krbtgt service), and a password change obtains a kadmin/changepw ticket the same way; an AS request that names any other service principal directly is the anomaly the query surfaces. With this data, customers can create their own custom detection rules within Microsoft Defender XDR and automatically trigger alerts for this type of activity.
We recommend using the query below to monitor Kerberos AS authentication and the following steps to turn it into a custom detection rule that triggers an alert:
Access Defender XDR portal -> Advanced Hunting -> Queries -> Community queries -> Kerberos AS authentication
Now, click on “Create detection rule” and fill in the details.
For example, the advanced hunting query:
IdentityLogonEvents
| where Application == "Active Directory"
| where Protocol == "Kerberos"
| where LogonType in("Resource access", "Failed logon")
// AdditionalFields is a dynamic (JSON) column; pull out the Kerberos-specific fields
| extend Error = AdditionalFields["Error"]
| extend KerberosType = AdditionalFields["KerberosType"]
// keep only the AS exchange (the initial request to the KDC), not TGS requests
| where KerberosType == "KerberosAs"
| extend Spns = AdditionalFields["Spns"]
| extend DestinationDC = AdditionalFields["TO.DEVICE"]
// a TGT request (krbtgt) and a password change (kadmin/changepw) are the expected
// AS targets; any other SPN requested directly in an AS exchange is what to review
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
| project Timestamp, ActionType, LogonType, AccountUpn, AccountSid, IPAddress, DeviceName, KerberosType, Spns, Error, DestinationDC, DestinationIPAddress, ReportId
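To check which rows the query above keeps and which it drops before you enable it as a custom detection, the following Python script replays the same filters offline over a constructed set of IdentityLogonEvents-shaped rows. It is an added illustration for this post, not Microsoft code and not a Defender API. It assumes AdditionalFields arrives as a JSON string carrying the KerberosType, Spns, TO.DEVICE and Error keys the query reads, and it reproduces the KQL semantics that matter when tuning: == and in compare strings case-sensitively, !contains is case-insensitive, and a missing Error key projects as empty. The sample rows, account names, host names and the error value are all constructed.

```python
"""Offline replay of the Kerberos AS hunting query from this post.

Added illustration, not Microsoft code: it mirrors the KQL filter semantics
(case-sensitive ==/in, case-insensitive !contains, dynamic-column lookups)
over constructed IdentityLogonEvents-shaped rows so you can see what the
custom detection will and will not flag before enabling it.
"""
import json
from collections import Counter

# Columns the query projects; order matches the KQL `project` line.
PROJECTED = ["Timestamp", "ActionType", "LogonType", "AccountUpn", "AccountSid",
             "IPAddress", "DeviceName", "KerberosType", "Spns", "Error",
             "DestinationDC", "DestinationIPAddress", "ReportId"]


def _row(report_id, upn, logon_type, action, add_fields, protocol="Kerberos"):
    """Build one constructed IdentityLogonEvents-style row (sample data, not telemetry)."""
    return {
        "Timestamp": f"2024-03-13T08:00:{report_id:02d}Z",
        "ActionType": action, "Application": "Active Directory",
        "Protocol": protocol, "LogonType": logon_type,
        "AccountUpn": upn, "AccountSid": f"S-1-5-21-1-2-3-{1100 + report_id}",
        "IPAddress": "10.0.0.5", "DeviceName": "ws01.corp.example",
        "DestinationIPAddress": "10.0.0.10", "ReportId": report_id,
        # Assumption: AdditionalFields is the dynamic (JSON) column the query
        # indexes, serialized here as a JSON string.
        "AdditionalFields": json.dumps(add_fields),
    }


# Constructed sample set covering the cases the query must distinguish.
SAMPLE_EVENTS = [
    # 1: ordinary TGT request: the AS-REQ names krbtgt, excluded by design
    _row(1, "alice@corp.example", "Resource access", "LogonSuccess",
         {"KerberosType": "KerberosAs", "Spns": ["krbtgt/CORP.EXAMPLE"], "TO.DEVICE": "dc01"}),
    # 2: password change: kpasswd obtains a kadmin/changepw ticket via AS, excluded
    _row(2, "alice@corp.example", "Resource access", "LogonSuccess",
         {"KerberosType": "KerberosAs", "Spns": ["kadmin/changepw"], "TO.DEVICE": "dc01"}),
    # 3: AS-REQ asking directly for a service ticket: the anomaly, should match
    _row(3, "alice@corp.example", "Resource access", "LogonSuccess",
         {"KerberosType": "KerberosAs", "Spns": ["cifs/fs01.corp.example"], "TO.DEVICE": "dc01"}),
    # 4: same shape but rejected by the KDC: still matches (Failed logon)
    _row(4, "bob@corp.example", "Failed logon", "LogonFailed",
         {"KerberosType": "KerberosAs", "Spns": ["ldap/dc01.corp.example"],
          "TO.DEVICE": "dc01", "Error": "KDC_ERR_POLICY"}),
    # 5: normal TGS service-ticket request: KerberosType mismatch, excluded
    _row(5, "alice@corp.example", "Resource access", "LogonSuccess",
         {"KerberosType": "KerberosTgs", "Spns": ["cifs/fs01.corp.example"], "TO.DEVICE": "dc01"}),
    # 6: NTLM logon: Protocol mismatch, excluded
    _row(6, "alice@corp.example", "Resource access", "LogonSuccess", {}, protocol="Ntlm"),
    # 7: upper-case KRBTGT: !contains is case-insensitive in KQL, so still excluded
    _row(7, "carol@corp.example", "Resource access", "LogonSuccess",
         {"KerberosType": "KerberosAs", "Spns": ["KRBTGT/CORP.EXAMPLE"], "TO.DEVICE": "dc01"}),
]


def _dynamic_text(value):
    """Approximate how KQL string operators see a dynamic value: its JSON text."""
    if value is None:
        return ""
    return value if isinstance(value, str) else json.dumps(value)


def kerberos_as_filter(rows):
    """Apply the post's KQL filters line by line; return the projected rows."""
    hits = []
    for row in rows:
        # `==` and `in` compare strings case-sensitively in KQL
        if row.get("Application") != "Active Directory" or row.get("Protocol") != "Kerberos":
            continue
        if row.get("LogonType") not in ("Resource access", "Failed logon"):
            continue
        fields = json.loads(row.get("AdditionalFields") or "{}")
        if fields.get("KerberosType") != "KerberosAs":
            continue
        # `!contains` is case-insensitive: a krbtgt/kadmin SPN in any case is excluded
        spns_text = _dynamic_text(fields.get("Spns")).lower()
        if "krbtgt" in spns_text or "kadmin" in spns_text:
            continue
        extended = dict(row, KerberosType=fields.get("KerberosType"),
                        Spns=fields.get("Spns"), Error=fields.get("Error"),
                        DestinationDC=fields.get("TO.DEVICE"))
        hits.append({col: extended.get(col) for col in PROJECTED})
    return hits


def hits_per_account(hits):
    """Count matches per AccountUpn: the aggregation (summarize count() by AccountUpn)
    you would add when alerting on a threshold instead of every event."""
    return dict(Counter(h["AccountUpn"] for h in hits))


if __name__ == "__main__":
    matches = kerberos_as_filter(SAMPLE_EVENTS)
    for h in matches:
        print(h["ReportId"], h["AccountUpn"], h["LogonType"], h["Spns"], h["Error"])
    print(hits_per_account(matches))
```

Running it reports only rows 3 and 4: the AS requests that name a service SPN directly, one accepted and one rejected by the KDC. Everything else (TGT requests, the password-change ticket, TGS requests, NTLM, and a differently cased krbtgt) falls out, which is the behaviour to expect from the custom detection once it is enabled.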
An example of an alert triggered by this custom detection:
For more information on this vulnerability, see the MSRC advisory page for CVE-2024-21427, and to stay on top of the latest Defender for Identity capabilities, follow our What's New documentation page.