Description
This article describes how to use FortiDeceptor and Deception Tokens to detect activity related to the new Active Directory Privilege Escalation attack that chains CVE-2021-42287 and CVE-2021-42278. This escalation attack allows an attacker who has compromised a regular domain user to elevate their privilege to Domain Admin with little effort. On December 12, 2021, a proof-of-concept tool leveraging these vulnerabilities was publicly disclosed.
Cyber Deception Against Active Directory Privilege Escalation attack:
1) FortiDeceptor starts by deploying network decoys across the network segments, creating a fake environment that simulates the real network and its assets. The Active Directory Privilege Escalation attack targets Windows systems, leveraging the compromised user or other credentials extracted from the compromised endpoint.
2) In addition, the FortiDeceptor customization module generates a decoy template from the customer's gold image and deploys it across the network and in the customer data center. Deploying a decoy that runs the customer's gold image and is part of the customer's domain expands the attack surface presented to the attacker.
3) FortiDeceptor generates and deploys Deception Tokens such as fake credentials (cached credentials, RDP, SSH) on every endpoint and server in the network, matching the deployed network decoys.
4) An attacker would need to reach the internal network by compromising an internal endpoint and then use that endpoint's access and credentials to exploit this vulnerability. The idea behind Deception Tokens is to expand the attack surface and reduce dwell time.
5) Deception lures detect the threat actor early in the kill chain, before the attack on the Windows systems (endpoints and servers) that run the Windows Print Spooler service, by placing the following Deception Lures on the network endpoints the threat actor will use to launch the attack.
The Deception Lures to deploy are:
- SMB Deception Token: generates a fake network drive with fake files. This network drive deceives a threat actor using Windows commands such as 'NET'. This malicious engagement triggers alerts and mitigation responses that isolate the malicious endpoint from the network.
- Cached Credentials Deception Token: deploys fake usernames and passwords to endpoints and servers. These fake credentials deceive a threat actor using tools like Mimikatz into reusing them to move laterally and engage a network decoy. This malicious engagement triggers alerts and mitigation responses that isolate the malicious endpoint from the network.
- RDP Deception Token: deploys fake Windows RDP credentials in the Windows Credential Manager. These fake credentials deceive a threat actor using Mimikatz and RDP clients into moving laterally and engaging a network decoy that runs the Windows Print Spooler service. This malicious engagement triggers alerts and mitigation responses that isolate the malicious endpoint from the network.
6) The FortiDeceptor tool that creates and manages this fake network can be fully integrated into your third-party security tools, such as the Firewall, Network Access Control, and Next-Gen AV so that malicious activity can be identified and mitigated.
7) Once the threat actor compromises an endpoint and starts to use credentials dumped with hacking tools like Mimikatz, the fake credentials deceive the attacker into engaging with a decoy (fake server). The decoy detects this malicious network activity and uses one of the existing security tools to automatically isolate the infected endpoint, protecting the rest of the network.
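The flow in steps 5 to 7, as an added example that is not FortiDeceptor code and not part of this article: a small Python correlation that matches authentication attempts logged by a decoy against the Deception Tokens planted on endpoints, and turns them into one isolation action per attacking host. The token map, host names, IP addresses and log format are constructed assumptions.

```python
import re
from collections import namedtuple

# Planted deception tokens: (DOMAIN, user) -> endpoint whose credential store held
# the token. No legitimate process uses these credentials, so any attempt is a
# high-confidence detection that also reveals which endpoint was dumped.
# All names, IPs and the log format in this example are constructed.
PLANTED_TOKENS = {
    ("CORP", "svc_backup"): "ws-finance-07",  # cached-credential token
    ("CORP", "rdp_admin"): "ws-hr-12",        # RDP token in Credential Manager
}
# Decoy auth-log line: <ts> src=<ip> dst=<decoy> user=<DOMAIN>\<user> proto=<p> result=<r>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<domain>[^\\]+)\\(?P<user>\S+) proto=(?P<proto>\S+) result=\S+$"
)
# source_ip: host the attacker operates from (isolate it);
# planted_on: endpoint whose credential store was harvested (investigate it).
TokenAlert = namedtuple("TokenAlert", "ts source_ip decoy_ip token planted_on protocol")

def detect_token_use(decoy_log_lines):
    """Return one TokenAlert per decoy log line that used a planted credential."""
    alerts = []
    for line in decoy_log_lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # malformed line: skip it rather than stall the pipeline
        key = (m["domain"].upper(), m["user"].lower())  # case-insensitive match
        planted_on = PLANTED_TOKENS.get(key)
        if planted_on is None:
            continue  # not a token: ordinary or noisy traffic to the decoy
        alerts.append(TokenAlert(m["ts"], m["src"], m["dst"],
                                 "\\".join(key), planted_on, m["proto"]))
    return alerts

def isolation_actions(alerts):
    """Collapse alerts into one isolation request per attacking source IP."""
    actions = {}
    for a in alerts:
        act = actions.setdefault(a.source_ip, {"investigate": set(), "decoys": set()})
        act["investigate"].add(a.planted_on)
        act["decoys"].add(a.decoy_ip)
    return actions

SAMPLE_LOG = [  # constructed decoy log: 10.0.7.33 replays two planted tokens
    r"2021-12-14T10:02:11Z src=10.0.7.33 dst=10.0.5.20 user=CORP\svc_backup proto=smb result=failure",
    r"2021-12-14T10:02:15Z src=10.0.7.33 dst=10.0.5.21 user=corp\RDP_Admin proto=rdp result=failure",
    r"2021-12-14T10:03:40Z src=10.0.7.50 dst=10.0.5.20 user=CORP\jsmith proto=smb result=success",
    "garbage line from a log rotation",
]
```

Running `isolation_actions(detect_token_use(SAMPLE_LOG))` yields a single action for 10.0.7.33 that names both harvested endpoints, while the ordinary jsmith logon and the malformed line produce nothing.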
Scope
Network decoys and Deception Tokens can be used in FortiDeceptor 3.3 and above.
Solution
FortiDeceptor is part of the Fortinet Security Fabric. It is natively integrated with FortiGate, FortiNAC, FortiEDR, FortiSIEM, FortiSOAR, FortiAnalyzer, and other third-party solutions to automate the mitigation response when an attack is detected.
For example, the video below shows FortiDeceptor leveraging FortiNAC to automatically isolate an infected machine that has been targeted by ransomware.
Copyright 2025 Fortinet, Inc. All Rights Reserved.