I would like to get some help answering these questions.
What can an attacker do by exploiting both the MS15-011 and MS15-014 vulnerabilities? How do the domain controller and the domain-joined client get affected?
Solution
An attacker leverages the vulnerability explained in MS15-014 to stop Group Policy settings from being effective, including SMB Signing, which enables the client to confirm that a valid DC is providing the Group Policy data.
The attacker effectively prevents the legitimate Group Policy settings from being applied, so they revert to the defaults, which disable SMB Signing.
This enables the attacker to go on to phase 2: trick the target computer into connecting to an attacker machine in place of a Domain Controller. This can be done through several techniques, though ARP cache poisoning is the one Microsoft specifically calls out.
The target computer reaches out to the Domain Controller when a client logs on to run the logon script: \\domain.com\NETLOGON\logon.bat
The target computer connects to the attacker's hosted share in place of the Domain Controller and runs the file served by the attacker's system. The attacker either sets up the same shares and files on the attacker system or uses a custom SMB server that responds to any request with files of the attacker's choice.
The target computer runs the attacker's file, which executes code as the local user or as System. The attacker has now executed code on the target system without any obvious event that would trigger an alert.
MS15-011 and MS15-014 harden Group Policy, calling out the coffee shop attack scenario where the user's domain-joined computer attempts to connect to a Domain Controller to execute a file. Since the attacker can redirect the connection to a system of their choosing, the target computer can be compromised by leveraging both vulnerabilities.
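As an added audit example (not part of the question or the answer above), the following PowerShell checks the two client-side settings the described chain depends on: whether SMB signing is required on the workstation, and whether the NETLOGON and SYSVOL shares are covered by the UNC hardened paths policy that Microsoft's fix for MS15-011 introduced. The registry locations used are the standard Windows policy locations for these settings; the share list and output format are this example's own choices.

```powershell
# Added audit script (not from the original post). Run on a domain-joined client
# in an elevated prompt; it only reads the registry and changes nothing.

function Test-SmbSigningRequired {
    # 1 = the workstation refuses unsigned SMB sessions; 0 or missing = signing optional.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $val = (Get-ItemProperty -Path $key -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
    return ($val -eq 1)
}

function Get-HardenedUncPaths {
    # Each value name is a UNC pattern (e.g. \\*\NETLOGON); its data lists the requirements.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $result = @{}
    if (-not (Test-Path $key)) { return $result }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like '\\*') { $result[$p.Name] = [string]$p.Value }
    }
    return $result
}

function Test-PathHardened([hashtable]$paths, [string]$share) {
    # Both flags are needed: mutual authentication stops the client from accepting an
    # impostor "DC", and integrity forces signing even if the default policy was lost.
    $entry = $paths[$share]
    if (-not $entry) { return $false }
    return ($entry -match 'RequireMutualAuthentication\s*=\s*1') -and
           ($entry -match 'RequireIntegrity\s*=\s*1')
}

$paths = Get-HardenedUncPaths
foreach ($share in '\\*\NETLOGON', '\\*\SYSVOL') {
    $ok = Test-PathHardened $paths $share
    Write-Output ("{0,-14} hardened (mutual auth + integrity): {1}" -f $share, $ok)
}
Write-Output ("Client requires SMB signing: {0}" -f (Test-SmbSigningRequired))
```

A client that reports False on any of these lines will still fall back to an unsigned, unauthenticated connection for the logon script path if its Group Policy retrieval is disrupted as the answer describes.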
