Active Directory - Privilege Escalation Attack Mitigation
Summary
The script is designed to verify the installation of all necessary patches to mitigate and detect Active Directory privilege escalation attacks. Additionally, it searches for computer accounts with non-compliant sAMAccountName values and ensures the presence of the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Kdc/PacRequestorEnforcement registry key with a value of 1.
Intended Target: Domain Controllers
Time Saved by Automation: 30 Minutes.
Sample Run
Dependencies
Workaround - Active Directory privilege escalation attack [SCRIPT]
Variables
@Output@: Stores the PowerShell result of the script verifying the installation of the relevant patches.@Missing_Patches@: KBID of the superseded patches that need to be installed on the concerned computer.@ncsam@: Stores the names of the computer accounts with non-compliantsAMAccountName.
Process
Step 1: The script checks for the installation of the patches needed to stop/restrict Active Directory privilege escalation attacks. As superseded versions of each patch are released, the script may need updates to account for these changes. Currently, it looks for the following patches, with one patch from each line required for the concerned Operating System:
- KB5008263, KB5007247: Server 2012 R2
- KB5008277, KB5007260: Server 2012
- KB5008244, KB5007236: Server 2008 R2
- KB5008274, KB5007263: Server 2008
- KB5008207, KB5008601, KB5007192: Server 2016
- KB5008218, KB5008602, KB5007206: Server 2019
- KB5007255: Server 2012 R2
- KB5007245: Server 2012
- KB5007233: Server 2008 R2
- KB5007246: Server 2008
Step 2: It will add the KBID of the compulsory and missing updates to the "Missing Patches" EDF of the concerned computer.
Step 3: The script will check the status of the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Kdc/PacRequestorEnforcement registry key and will add/update the registry key if the value is not already set to 1 or 2.
Step 4: Finally, it will check for potentially vulnerable computer accounts and update those names in the EDFs.
The script will save information to the following EDFs based on the output of the script:
- KB5008602 Status
- KB5008380 Status
- KB5008102 Status
- Missing Patches
- CVE-2021-42287 Workaround
- Non-compliant sAMAccountName
- Non-compliant UAC sAMAccountType
- Information Update Time
These EDFs are also presented in the dataview Workaround - Active Directory privilege escalation attack [SCRIPT].
Output
- Extra Data Fields
- Dataview