Microsoft Defender for Identity to Detect Windows Bronze Bit Cyberattacks


Microsoft is working to add Bronze Bit attack detection support to Microsoft Defender for Identity, making it easier for Security Operations teams to spot attempts to exploit the Windows Kerberos security bypass vulnerability, CVE-2020-17049.

Microsoft Defender for Identity (formerly known as Azure ATP or Azure Advanced Threat Protection) is a cloud-based security solution that uses on-premises Active Directory signals.

SecOps teams may use it to identify and analyze advanced threats, compromised identities, and hostile insider behavior that targets enrolled companies.

On the Microsoft 365 roadmap, Microsoft explains that an alert will be raised when there is evidence of suspicious Kerberos delegation attempts using the Bronze Bit technique, where a user has attempted to delegate access to a specific resource via a ticket.

The issue (patched by Microsoft during November 2020’s Patch Tuesday) may be used in Kerberos Bronze Bit attacks, according to Jake Karnes, the security expert who identified it.

The Bronze Bit vulnerability was resolved in a two-part staged rollout, with the initial deployment phase beginning on December 8 and the automated enforcement phase starting on February 9.

Karnes published proof-of-concept (PoC) exploit code and complete details on how the vulnerability might be exploited a month after Microsoft announced the CVE-2020-17049 fixes.

By bypassing Kerberos delegation protection, the vulnerability allows attackers to escalate privileges, impersonate targeted users, and move laterally within compromised systems.

Karnes also provided a low-level overview of the Kerberos protocol, as well as practical exploit scenarios and information on how Kerberos Bronze Bit attacks are constructed and used against vulnerable servers.

The release of all these details, together with the proof-of-concept exploit, made it much simpler to compromise Windows servers that were not patched against CVE-2020-17049, which is likely what led Redmond to add Bronze Bit detection capabilities to Microsoft Defender for Identity.

About the author

CIM Team
