Detecting CVE-2022-30216: Windows Server Service Tampering

In July 2022, Microsoft disclosed a vulnerability in the Windows Server Service that allows an authenticated user to remotely access a local API call on a domain controller, which triggers an NTLM request. This results in a leak of credentials that allows an attacker to authenticate to Active Directory Certification Services (ADCS) and to generate a client certificate that enables remote code execution on a domain controller. Through Microsoft’s MAPP program, Corelight Labs reviewed a proof of concept exploit for this vulnerability and wrote a Zeek®-based detection for it and released the package on GitHub.

The PoC exploits a bug in the Windows Server Service that allows remote access to a local Windows Server Service operation, LocalServerCertificateMappingModify (opnum 74), which allows an attacker to modify certificate mappings on the domain controller. The attacker can trigger the DC$ account to make an NTLM authentication request to an arbitrary machine by updating a mapping to reference a certificate store located on that machine. The attacker’s machine can steal the NTLM credentials and use them to authenticate to ADCS, similarly to PetitPotam. Then, the attacker can exfiltrate a client certificate for the DC$ account from the ADCS. This client certificate can be used to request a Kerberos ticket that enables authentication to the domain controller on the DC$ account. The figure below shows a diagram of the attack. Solid lines represent actions involved in the exploitation and dotted lines indicate potential post-exploitation steps.

Here’s what successful exploitation looks like in Wireshark:

In the pcap, “192.168.56.104” is the attacker’s Windows 10 machine, “192.168.56.105” is the attacker’s Linux machine running xntlmrelay.py, “192.168.56.102” is a Windows Server 2022 domain controller, and “192.168.56.103” is a Windows Server 2022 machine running Active Directory Certification Server with the Certification Authority Web Enrollment role installed. The attack begins with a DCE call from the attacker’s Windows machine to the domain controller using srvsvc operation number 74 (LocalServerCertificateMappingModify). The PoC payload uses the call to insert a reference to a certificate store hosted on the attacker’s Linux machine. This causes the domain controller to authenticate to the attacker’s Linux machine using NTLM, then the attacker’s Linux machine authenticates to the Certification Server over HTTP by relaying the stolen NTLM hash, and downloads a client certificate for the DC$ user, which can be used to authenticate to the domain controller.

You can find our CVE-2022-30216 detection code at the following link: https://github.com/corelight/CVE-2022-30216. Our detection of attempts consists of a simple Zeek script to detect DCE requests that use srvsvc opnum 74. Our detection of successful exploitation looks for DCE responses that use the payload. The detection then uses a regular expression to determine the relay’s IP address. Retrospective exploitation is detectable in Zeek through the dce_rpc.log log simply by looking for entries where the endpoint is srvsvc and the operation is unknown-74 as shown in the record below. Note that only successful exploitation will appear in dce_rpc.log.

{

  "ts": 1657834737.55603,

  "uid": "CNCqvYMtTGorGhKt",

  "id.orig_h": "192.168.56.104",

  "id.orig_p": 53084,

  "id.resp_h": "192.168.56.102",

  "id.resp_p": 445,

  "rtt": 0.09642386436462402,

  "named_pipe": "\\PIPE\\srvsvc",

  "endpoint": "srvsvc",

  "operation": "unknown-74"

}

An example Zeek notice.log generated by our script after a successful exploit is shown below:

{

  "ts": 1657834737.55603,

  "uid": "CNCqvYMtTGorGhKt",

  "id.orig_h": "192.168.56.104",

  "id.orig_p": 53084,

  "id.resp_h": "192.168.56.102",

  "id.resp_p": 445,

  "proto": "tcp",

  "note": "CVE_2022_30216_Detection::ExploitSuccess",

  "msg": "Successful CVE-2022-30216 exploit: 192.168.56.104 exploited 192.168.56.102 relaying to 192.168.56.105",

  "src": "192.168.56.104",

  "dst": "192.168.56.102",

  "p": 445,

  "actions": [

    "Notice::ACTION_LOG"

  ],

  "email_dest": [],

  "suppress_for": 3600

}

By focusing on quality data first, Zeek generates logs that can retroactively be used to detect exploitation attempts of CVE-2022-30216. This happens to be another case where simply by using Corelight or Zeek, you can rest easy knowing that traces of this attack can already be found in your network data. For those seeking more detail, our open source detection package goes one step further—detecting both attempted and successful exploits—to further improve your security posture. Happy hunting!

By Corelight Labs Team