Have You Been Pwned by CVE-2014-6324/MS14-068?

In case you haven't heard, there is a critical bug in the Windows implementation of Kerberos that you need to patch right now.

More information on the vulnerability can be found here.

The "Detection Guidance" section of that blog post explains how to check whether the vulnerability has already been exploited against an unpatched machine: look through the Security event log for Event ID 4624 (successful logon) events and compare the "Security ID" and "Account Name" fields under "New Logon" in the event description. The SID comes from the PAC and the account name from the ticket itself, so for a legitimate logon they describe the same account. If the SID resolves to a different account than the one named, chances are high that you have been the victim of a privilege escalation attack. Keep in mind that 4624 is written by the machine that was logged on to, so scanning the domain controllers only finds forged tickets that were used against the DCs themselves.

I whipped up a detection script to check all the domain controllers:

#Requires -Module ActiveDirectory
Set-StrictMode -Version Latest
Get-Job | Remove-Job -Force

# The Account Domain field of a 4624 event carries the NetBIOS domain name, so compare against that.
[String]$DomainName = $(Get-ADDomain).NetBIOSName
$DCs = $(Get-ADDomain).ReplicaDirectoryServers

Foreach ($DC In $DCs)
{
    # One job per DC. Job script blocks do not see the caller's variables,
    # so the DC name and domain name are passed in through -ArgumentList.
    Start-Job -ScriptBlock {
        Param([String]$DC, [String]$DomainName)
        [Int]$PotentialMS14068s = 0
        Write-Output "Fetching Security event log from $DC."
        Try
        {
            $Events = Get-EventLog -LogName Security -InstanceId 4624 -ComputerName $DC -ErrorAction Stop
        }
        Catch
        {
            Write-Error "An error occurred while reading event log from $DC.`r`n$($_.Exception.Message)"
            Return
        }

        :NextEvent Foreach ($Event In $Events)
        {
            $MessageLines  = $Event.Message -Split [Environment]::NewLine
            [String]$SecurityID    = [String]::Empty
            [String]$AccountName   = [String]::Empty
            [String]$AccountDomain = [String]::Empty

            # The fields we want are the ones under "New Logon:", not "Subject:".
            # Server 2012 adds an "Impersonation Level:" block, which shifts them down two lines.
            # Server 2012 Format
            If ($MessageLines.Count -GT 15 -And $MessageLines[13].Trim() -Like 'Security ID:*')
            {
                $SecurityID    = ($MessageLines[13].Trim() -Split ':')[1].Trim()
                $AccountName   = ($MessageLines[14].Trim() -Split ':')[1].Trim()
                $AccountDomain = ($MessageLines[15].Trim() -Split ':')[1].Trim()
            }
            # Server 2008 R2 Format
            ElseIf ($MessageLines.Count -GT 13 -And $MessageLines[11].Trim() -Like 'Security ID:*')
            {
                $SecurityID    = ($MessageLines[11].Trim() -Split ':')[1].Trim()
                $AccountName   = ($MessageLines[12].Trim() -Split ':')[1].Trim()
                $AccountDomain = ($MessageLines[13].Trim() -Split ':')[1].Trim()
            }

            If (($SecurityID -EQ [String]::Empty) -OR ($AccountName -EQ [String]::Empty) -OR ($AccountDomain -EQ [String]::Empty))
            {
                Write-Error "Event log message format unrecognized on $DC!"
                $Event | Format-List
                Break NextEvent
            }

            # Only accounts from our own domain are of interest. SYSTEM (S-1-5-18) is skipped
            # because a DC logs it under its own computer account name, which would always look like a mismatch.
            If ($AccountDomain -Like $DomainName -And $SecurityID -NotLike 'S-1-5-18')
            {
                $SID = New-Object System.Security.Principal.SecurityIdentifier($SecurityID)
                Try
                {
                    $Username = [String]$SID.Translate([System.Security.Principal.NTAccount])
                }
                Catch
                {
                    # A deleted or unknown SID cannot be translated; report it rather than kill the job.
                    Write-Warning "Could not translate $SecurityID on $DC; review this event manually."
                    $Event | Format-List
                    $PotentialMS14068s++
                    Continue NextEvent
                }
                If ($Username -Like '*\*')
                {
                    $Username = ($Username -Split '\\')[-1]
                }
                If ($Username -Like '*@*')
                {
                    $Username = ($Username -Split '@')[0]
                }
                If ($Username -NE $AccountName)
                {
                    $PotentialMS14068s++
                    $Event | Format-List
                }
            }
        }
        Write-Output "Finished with $DC. $PotentialMS14068s interesting events found."
    } -ArgumentList $DC, $DomainName
}

# Drain finished jobs while the others are still running, then collect whatever completed last.
While (@(Get-Job -State Running).Count -GT 0)
{
    Get-Job -State Completed | Receive-Job
    Start-Sleep -Seconds 10
}
Get-Job | Receive-Job

The script uses PowerShell jobs to get some parallelism, because reading the full Security log from more than one or two domain controllers is a Herculean, time-consuming task when done one DC at a time. It prints every 4624 event whose Security ID does not resolve to the Account Name, plus any whose SID could not be translated at all; each one is a potential sign that a forged ticket has been used in your environment and deserves a manual look.
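The same mismatch check can be run offline against exported event text (for example the output of `Get-EventLog ... | Select-Object -ExpandProperty Message` saved to a file), which is handy when you would rather not translate SIDs on a production DC. The following is an added example in Python, not code from the original post: it locates the "New Logon:" block by its header instead of a fixed line offset, so the Server 2008 R2 and Server 2012 layouts are handled by one parser, and it shows why the script above uses line 11 for one and line 13 for the other. The SID-to-account table, the domain SID and the event texts are all constructed sample data; a real run would fill the table from the domain.

```python
import re
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # made-up domain SID

# Stand-in for SID -> account translation (what SecurityIdentifier.Translate does in
# the PowerShell script). Constructed sample data, not from any real domain.
SAMPLE_SID_TO_ACCOUNT: Dict[str, str] = {
    DOMAIN_SID + "-500": "CONTOSO\\Administrator",
    DOMAIN_SID + "-1105": "CONTOSO\\lowpriv",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


def build_4624_message(sid: str, name: str, domain: str, server_2012_layout: bool) -> str:
    """Construct a 4624 message body in either layout (sample text, not a real log)."""
    lines = [
        "An account was successfully logged on.",
        "",
        "Subject:",
        "\tSecurity ID:\t\tS-1-0-0",
        "\tAccount Name:\t\t-",
        "\tAccount Domain:\t\t-",
        "\tLogon ID:\t\t0x0",
        "",
        "Logon Type:\t\t\t3",
        "",
    ]
    if server_2012_layout:  # Server 2012 inserts this block before "New Logon:"
        lines += ["Impersonation Level:\t\tImpersonation", ""]
    lines += [
        "New Logon:",
        f"\tSecurity ID:\t\t{sid}",
        f"\tAccount Name:\t\t{name}",
        f"\tAccount Domain:\t\t{domain}",
        "\tLogon ID:\t\t0x1a2b3c",
    ]
    return "\n".join(lines)


# Constructed sample events: a normal logon, a logon whose SID resolves to a different
# account than the one named (the MS14-068 indicator), the SYSTEM logon a DC records
# under its own computer account, and a SID that cannot be translated (deleted account).
SAMPLE_MESSAGES: Dict[str, str] = {
    "clean_2008r2": build_4624_message(DOMAIN_SID + "-1105", "lowpriv", "CONTOSO", False),
    "forged_2012": build_4624_message(DOMAIN_SID + "-500", "lowpriv", "CONTOSO", True),
    "system_2012": build_4624_message("S-1-5-18", "DC01$", "CONTOSO", True),
    "unknown_2012": build_4624_message(DOMAIN_SID + "-9999", "ghost", "CONTOSO", True),
}


def security_id_line_index(message: str) -> int:
    """Line index of the New Logon 'Security ID:' line (11 on 2008 R2, 13 on 2012)."""
    for i, line in enumerate(message.split("\n")):
        if line.strip() == "New Logon:":
            return i + 1
    return -1


def _field(section: str, name: str) -> Optional[str]:
    m = re.search(r"^\s*" + re.escape(name) + r":\s*(.*?)\s*$", section, re.M)
    return m.group(1) if m else None


def parse_new_logon(message: str) -> Optional[Tuple[str, str, str]]:
    """Return (sid, account_name, account_domain) from the 'New Logon:' block, or None."""
    start = message.find("New Logon:")
    if start < 0:
        return None
    section = message[start:]  # skips the 'Subject:' block, which has the same field names
    sid, name, domain = (_field(section, f) for f in ("Security ID", "Account Name", "Account Domain"))
    if not (sid and name and domain):
        return None
    return sid, name, domain


def classify(message: str, sid_to_account: Dict[str, str], domain: str,
             skip_sids=("S-1-5-18",)) -> Tuple[str, Optional[str], Optional[str], Optional[str]]:
    """Return (status, sid, account_name, resolved_name); status is one of
    unparsed / skipped / unresolved / match / mismatch."""
    parsed = parse_new_logon(message)
    if parsed is None:
        return ("unparsed", None, None, None)
    sid, name, dom = parsed
    if dom.upper() != domain.upper() or sid in skip_sids:
        return ("skipped", sid, name, None)
    account = sid_to_account.get(sid)
    if account is None:
        return ("unresolved", sid, name, None)
    resolved = account.split("\\")[-1].split("@")[0]  # DOMAIN\user or user@domain -> user
    status = "match" if resolved.lower() == name.lower() else "mismatch"
    return (status, sid, name, resolved)


def find_mismatches(messages: List[str], sid_to_account: Dict[str, str], domain: str) -> List[Tuple[str, str, str]]:
    """Events where the SID resolves to a different account than the one named."""
    results = (classify(m, sid_to_account, domain) for m in messages)
    return [(sid, name, resolved) for status, sid, name, resolved in results if status == "mismatch"]


if __name__ == "__main__":
    for label, msg in SAMPLE_MESSAGES.items():
        print(label, "line", security_id_line_index(msg), classify(msg, SAMPLE_SID_TO_ACCOUNT, "CONTOSO"))
```

Unresolved SIDs are reported separately rather than folded into the mismatch list, because a SID that no longer translates is exactly what an attacker-created-then-deleted account looks like and deserves its own look.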

Windows Server Technical Preview: Soft Reboot

Windows Server Technical Preview Desktop

Microsoft's technical preview of the next version of Windows Server has been out for a month or two now.  (Go download it, what are you waiting for?)  Is it Windows Server 10?  Server 2015?  I suppose they could try to get away from naming it altogether and just call it "Windows Server," to signify that they only plan on evolving the platform incrementally from now on, rather than using the traditional punctuated equilibrium of boxed product releases that we're used to... that's for Microsoft to know and for us to find out.


One of the fun things about public CTP releases is that the thorough documentation always comes last... so we download these tech previews, and we see all these new features, and a lot of them are not well documented, if they're documented at all.  And that makes them great blog fodder.  So let us begin a journey through these poorly-documented features, starting with a new feature called Soft Restart.

The promise of this simple feature is to let server administrators restart the Windows operating system on a physical computer without waiting through the machine's POST and the initialization of its RAID controllers, out-of-band management devices, network adapters, etc.  On some physical server hardware, that firmware pass alone can take several minutes every time you reboot.

On a virtual machine, however, this feature is not likely to save you much time, since the virtualized/synthetic/emulated devices on VMs don't typically have those long initialization procedures anyway.

You can install the Soft Restart feature via the GUI:

Soft Restart via GUI

Or by my preferred method, Powershell:

PS C:\> Install-WindowsFeature Soft-Restart -Restart

Installing the feature requires a reboot.

So, one thing you'll notice in the new Windows Server that we did not have before is a new parameter, /soft, for the shutdown.exe program:

shutdown.exe soft restart

However, I find it interesting that this new parameter exists, and works, with or without the new Soft Restart feature actually being installed!

There is also a new PowerShell equivalent: Restart-Computer -Soft. This also appears to work regardless of whether the Soft Restart feature is actually installed or not... but this may be because I only have the tech preview on virtual machines right now.  It could be a different story if I were playing on physical hardware.