Easily detect CVE-2024-21427 with Microsoft Defender for Identity

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Community Hub.

The security update for the recently published CVE-2024-21427 Windows Kerberos Security Feature Bypass Vulnerability fixes a potential bypass of authentication policies configured in Active Directory. We strongly recommend that you deploy the latest security updates, including the most recent patch, to your servers and devices to help ensure you have the latest protections available.

 

As with every vulnerability or attack surface disclosure, our research teams actively investigate possible exploits, working to patch potential issues and provide out-of-the-box detection methods. Before being made generally available, these detections undergo rigorous testing in our lab environments as well as experimental deployments to ensure they meet our performance and accuracy standards. Additionally, in this instance, the Microsoft Defender for Identity team has added a new activity to the Advanced Hunting experience in the Defender portal that can help you spot potential attempts to exploit this vulnerability.

 

Using the advanced hunting activity:

To help you better identify whether this vulnerability has been exploited in your environment, and to alert you to future attempts, we added a new activity within Advanced Hunting that monitors Kerberos AS authentication. With this data, customers can now easily create their own custom detection rules within Microsoft Defender XDR and automatically trigger alerts for this type of activity.

 

We recommend using the query below to monitor Kerberos AS authentication, and using the following custom detection rule to trigger an alert.

In the Defender XDR portal, go to Advanced Hunting -> Queries -> Community queries -> Kerberos AS authentication.

Now, click “Create detection rule” and fill in the details. For example:

[Screenshots: the advanced hunting query and the custom detection rule form]


The advanced hunting query:

IdentityLogonEvents
| where Application == "Active Directory"
| where Protocol == "Kerberos"
| where LogonType in ("Resource access", "Failed logon")
| extend Error = AdditionalFields["Error"]
| extend KerberosType = AdditionalFields["KerberosType"]
| where KerberosType == "KerberosAs"
| extend Spns = AdditionalFields["Spns"]
| extend DestinationDC = AdditionalFields["TO.DEVICE"]
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
| project Timestamp, ActionType, LogonType, AccountUpn, AccountSid, IPAddress, DeviceName, KerberosType, Spns, Error, DestinationDC, DestinationIPAddress, ReportId
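
To check the filter logic before saving it as a detection rule, the same conditions can be run over a constructed table, as in this added example (not part of the original post or of the published community query). The sample rows, the "KerberosTgs" and "SampleError" values, the tostring() casts and the final summarize step are assumptions made for illustration.

```kusto
// Constructed rows shaped like IdentityLogonEvents; not real telemetry.
// Assumptions: AdditionalFields values are strings; "KerberosTgs" and
// "SampleError" are made-up values used only to exercise the filters.
//   alice: AS exchange for krbtgt          (ordinary TGT request)
//   bob:   non-AS exchange for a service   (KerberosType differs)
//   carol: AS exchange naming a service SPN, one success and one failure
//   dave:  NTLM logon                      (Protocol differs)
let SampleEvents = datatable(
    Timestamp: datetime, Application: string, Protocol: string, LogonType: string,
    AccountUpn: string, IPAddress: string, AdditionalFields: dynamic)
[
    datetime(2024-03-20 09:00:00), "Active Directory", "Kerberos", "Resource access",
    "alice@contoso.example", "10.0.0.11",
    dynamic({"KerberosType": "KerberosAs", "Spns": "krbtgt/CONTOSO.EXAMPLE", "TO.DEVICE": "dc01"}),
    datetime(2024-03-20 09:01:00), "Active Directory", "Kerberos", "Resource access",
    "bob@contoso.example", "10.0.0.12",
    dynamic({"KerberosType": "KerberosTgs", "Spns": "cifs/fs01.contoso.example", "TO.DEVICE": "dc01"}),
    datetime(2024-03-20 09:02:00), "Active Directory", "Kerberos", "Resource access",
    "carol@contoso.example", "10.0.0.13",
    dynamic({"KerberosType": "KerberosAs", "Spns": "cifs/fs01.contoso.example", "TO.DEVICE": "dc02"}),
    datetime(2024-03-20 09:03:00), "Active Directory", "Kerberos", "Failed logon",
    "carol@contoso.example", "10.0.0.13",
    dynamic({"KerberosType": "KerberosAs", "Spns": "cifs/fs01.contoso.example", "TO.DEVICE": "dc02", "Error": "SampleError"}),
    datetime(2024-03-20 09:04:00), "Active Directory", "NTLM", "Resource access",
    "dave@contoso.example", "10.0.0.14",
    dynamic({})
];
SampleEvents
| where Application == "Active Directory" and Protocol == "Kerberos"
| where LogonType in ("Resource access", "Failed logon")
// Cast the dynamic values to string so the comparisons below are string comparisons
| extend KerberosType = tostring(AdditionalFields["KerberosType"]),
         Spns = tostring(AdditionalFields["Spns"]),
         Error = tostring(AdditionalFields["Error"]),
         DestinationDC = tostring(AdditionalFields["TO.DEVICE"])
| where KerberosType == "KerberosAs"
| where Spns !contains "krbtgt" and Spns !contains "kadmin"
// Triage view: one row per account, SPN and domain controller
| summarize Events = count(), Failures = countif(LogonType == "Failed logon"),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by AccountUpn, Spns, DestinationDC
| order by Events desc
```

Replacing SampleEvents with IdentityLogonEvents gives a baseline of which accounts and SPNs would fire in your tenant. For the detection rule itself, keep the projected query above, since custom detections need the Timestamp and ReportId columns in the results.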

 

An example of an alert triggered by this custom detection:

[Screenshot: the triggered alert]

For more information on this vulnerability, please check back on the MSRC page. To stay on top of the latest Defender for Identity capabilities, follow our What’s New documentation page.

 

 
