It's been a long road but it's finally here. It's been great working on this with , I learned so much! Special thanks to for the original tool and putting up with me through development ;-) Say hello to Rubeus 2.0:
Charlie Clark’s Tweets
PSA: #log4j & windows domain exploitation via CVE-2021-42278
If you are a windows domain shop it is VERY IMPORTANT to make SURE you are patched with KB5008602!
IOCs
event log ids: 4673, 4741, 4742, & 4769
Mimikatz & Rubeus are used
Successful exploitation allows DA priv esc
Exploitation at its current phase seems to be based on the research provided here:
I don't add exploits to PowerSharpPack, but this exploit by , automated by , deserves to be easily exploitable from memory via PowerShell, so here is a gist for it:
gist.github.com/S3cur3Th1sSh1t
Enjoy responsibly 👌
Exploiting CVE-2021-42278 and CVE-2021-42287. From Standard AD User to a Domain Admin! (default configuration)
github.com/WazeHell/sam-t
You should really give CVE-2021-42278 a closer look.
Easy Domain-Admin for everyone.
thehacker.recipes/ad/movement/ke
exploit.ph/cve-2021-42287
github.com/cube0x0/noPac
Thx for your outstanding work
Update your stuff - mitigations included
A short and sweet addition to my previous post describing a couple more uses for the sAMAccountName impersonation bug:
Scanner and automated exploitation of the CVE-2021-42287/CVE-2021-42278.
Yet another low effort domain user to domain admin exploit
github.com/cube0x0/noPac
Still the best quick test is to request a PAC-less TGT, but there may be situations where the renaming has still been patched.
A little update: it may be possible that DCs aren't vulnerable to the full attack yet still return a PAC-less TGT, if they installed all the patches, including KB5008102, but saw that KB5008380 broke stuff, uninstalled it, but didn't install KB5008602.

[thread 🧵] Let's all welcome the new kid in town 😈
✨ Kerberos sAMAccountName spoofing ✨ from regular user to domain admin, because Microsoft didn't care enough about its $$$
thehacker.recipes/ad/movement/ke
I've added Log4Shell detection to ActiveScan++. Grab v1.0.23 from here:
So here are my 2 cents on 's CVE-2021-42287/CVE-2021-42278 weaponization: a quick & dirty way to exploit it remotely with Python and #impacket. The renameMachine[.]py script is based on the rbcd[.]py example by : gist.github.com/snovvcrash/3bf
Please make sure you have installed patches for CVE-2021-42287 / CVE-2021-42278. Exploitation itself is trivial and since ms-DS-MachineAccountQuota is 10 by default that means you are likely to get into big trouble 🔥!
Excellent work by &
I also modded StandIn to do the samAccountName change, will push that next week ❤️
It's worth noting that because you can create machine accounts across trusts by default, it breaks the trust security boundary:
So with some help from , I found a way to weaponise CVE-2021-42287/CVE-2021-42278, and with more help from , we put some detections together:
Relaying Kerberos using only native Windows is so 🔥
As a normal user we can trigger a Kerberos authentication for SYSTEM that we can relay to services such as LDAP to read LAPS or configure RBCD.
Privesc/lateral movement in any network without enforced signing, which is the default 😉