Microsoft is currently trying to add Bronze Bit attacks detection support to Microsoft Defender for Identity, making it more straightforward for Security Operations teams to see efforts to exploit the Windows Kerberos security bypass vulnerability – CVE-2020-17049.
Microsoft Defender for Identity (formerly known as Azure ATP or Azure Advanced Threat Protection) is a cloud-based security solution that uses Active Directory signals on-premises.
SecOps teams may use it to identify and analyze compromised advanced threats, identities, and hostile insider behavior that targets enrolled companies.
On Microsoft 365 roadmap, Microsoft explains that an alert will get raised when there is evidence of suspicious Kerberos delegation attempts employing the BronzeBit technique, where a user has attempted to delegate access to a specific resource via a ticket.
The issue (patched by Microsoft during November 2020’s Patch Tuesday) may be used in Kerberos Bronze Bit attacks, according to Jake Karnes, the security expert who identified it.
The Bronze Bit vulnerability was resolved in a two-part staged rollout, with the initial deployment phase beginning on December 8 and the automated enforcement phase starting on February 9.
Karnes provided a proof-of-concept (PoC) attack code and complete details on how it might be exploited, a month after Microsoft announced the CVE-2020-17049 fixes.
Bypassing Kerberos delegation protection, the vulnerability allows attackers to escalate privileges, imitate targeted users, and move laterally within hacked systems.
He has provided a low-level overview of the Kerberos protocol, as well as practical exploit scenarios and information on how to construct and use Kerberos Bronze Bit attacks against susceptible servers.
The revelation of all of these new data, as well as the proof-of-concept exploit, made it much simpler to compromise Windows servers that were not patched against CVE-2020-17049, which is likely what led Redmond to add Bronze Bit detection capabilities to Microsoft Defender for Identity.
