Detecting the Zerologon Vulnerability in LogPoint

2020-09-23 - Admin Sysware

Microsoft released a security advisory for CVE-2020-1472, a critical privilege escalation flaw with a CVSS score of 10. The flaw is triggered when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). What makes it critical is that an unauthenticated adversary can use MS-NRPC to connect to a domain controller and obtain Domain Admin access.

Secura, whose researcher discovered the vulnerability, released a blog that outlines the technical details of the flaw. The researcher stated that “the vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol, which among other things, can be used to update computer passwords. This flaw allows attackers to impersonate any computer, including the domain controller itself, and execute remote procedure calls on their behalf.”

On September 14, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the Zerologon vulnerability’s severity and issued a security advisory encouraging users and administrators to apply the necessary updates.

Several proof-of-concept (PoC) codes have been released on GitHub, giving attackers full access to companies' domain controllers (DCs). The new Mimikatz release also detects and exploits the Zerologon vulnerability.

Furthermore, Microsoft released another advisory that details how to manage the changes in the Netlogon secure channel connections associated with CVE-2020-1472 after the patch installation.

Detecting the Zerologon vulnerability

To detect abuse of the Zerologon vulnerability, look for event ID 4742 (a computer account was changed). Specifically, hunt for 4742 events where the subject account is ANONYMOUS LOGON (check both the account name and its SID) and the Password Last Set field has changed.
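The hunt described above, expressed as detection logic over sample log lines. This is an added example, not code from LogPoint or from the original post: it assumes that Security log events have been flattened to one JSON object per line with the 4742 field names (SubjectUserSid, SubjectUserName, TargetUserName, PasswordLastSet), and the sample events are constructed for illustration. The ANONYMOUS LOGON identity is matched by its well-known SID S-1-5-7 as well as by name, and "-" in PasswordLastSet is treated as "attribute unchanged", which is how event 4742 reports untouched fields.

```python
import json

# Well-known SID and display name of the ANONYMOUS LOGON identity.
ANONYMOUS_LOGON_SID = "S-1-5-7"
ANONYMOUS_LOGON_NAME = "ANONYMOUS LOGON"

# Values that 4742 uses for an attribute that did not change.
UNCHANGED = {"-", "", None}

# Constructed sample events (not real log data), one JSON object per line.
# Line 1: DC machine account password reset by ANONYMOUS LOGON -> candidate.
# Line 2: routine machine password rotation by the DC itself -> benign.
# Line 3: ANONYMOUS LOGON subject but Password Last Set unchanged -> not a match.
# Line 4: different event ID entirely -> ignored.
SAMPLE_EVENTS = r'''
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "TargetSid": "S-1-5-21-1111-2222-3333-1000", "PasswordLastSet": "9/15/2020 10:22:41 AM"}
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-18", "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "TargetUserName": "WKS42$", "TargetSid": "S-1-5-21-1111-2222-3333-1105", "PasswordLastSet": "9/15/2020 09:00:00 AM"}
{"EventID": 4742, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "WKS42$", "TargetSid": "S-1-5-21-1111-2222-3333-1105", "PasswordLastSet": "-"}
{"EventID": 4624, "Computer": "DC01.corp.example", "SubjectUserSid": "S-1-5-7", "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "-", "PasswordLastSet": "-"}
'''


def parse_events(text):
    """Parse one JSON event per non-empty line into a list of dicts."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def is_anonymous_subject(event):
    """True when the account that made the change is ANONYMOUS LOGON."""
    return (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            or event.get("SubjectUserName", "").upper() == ANONYMOUS_LOGON_NAME)


def is_zerologon_candidate(event):
    """4742 + ANONYMOUS LOGON subject + Password Last Set actually changed."""
    if event.get("EventID") != 4742:
        return False
    if not is_anonymous_subject(event):
        return False
    return event.get("PasswordLastSet") not in UNCHANGED


def find_zerologon_candidates(text):
    """Return the matching events from a block of JSON log lines."""
    return [e for e in parse_events(text) if is_zerologon_candidate(e)]


def describe(event):
    """One-line summary an analyst can triage from."""
    return (f"{event.get('Computer')}: computer account {event.get('TargetUserName')} "
            f"({event.get('TargetSid')}) password set by {event.get('SubjectUserName')} "
            f"[{event.get('SubjectUserSid')}] at {event.get('PasswordLastSet')}")


if __name__ == "__main__":
    for hit in find_zerologon_candidates(SAMPLE_EVENTS):
        print("ZEROLOGON CANDIDATE ->", describe(hit))
```

Against the constructed sample only the first line is flagged: the DC's own machine account (DC01$) had its password set by ANONYMOUS LOGON. Matching on both the SID and the display name guards against log sources that emit only one of the two, and requiring a real value in Password Last Set drops 4742 events that ANONYMOUS LOGON touched without a password change, which would otherwise be noise.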
