There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and machines, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for Identity, along with other Microsoft 365 Defender solutions, detects adversaries as they try to exploit this vulnerability against your domain controllers.

Here is a sneak peek into our detection lifecycle

Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and create various methods for detecting attacks. This is highlighted in our response to suspected WannaCry attacks and with the alert for Suspected SMB packet manipulation (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.

Over the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even though we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding exploitation mechanisms are built.

This lack of activity changed on September 13, when we observed a surge in alerts. This surge coincided with the publication of several proof-of-concept tools and demo exploits that leverage the vulnerability.

Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020

Microsoft Defender for Identity can detect exploitation of this vulnerability early on. The detection covers both the exploitation attempt itself and traffic inspection of the Netlogon channel.

Figure 2: Alert page experience

With this Microsoft Defender for Identity alert, you will be able to identify:

- The machine that attempted the impersonation.
- The domain controller.
- The targeted asset.
- Whether the impersonation attempts were successful.

Finally, customers using Microsoft 365 Defender can take full advantage of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint. This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see the device process and file activity associated with the exploitation.

A close look at some of the earliest ZeroLogon attacks

ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario it requires an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, Microsoft Threat Experts observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their foothold into organizations that, after a month of a patch being available, were still running unpatched domain controllers.

Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controllers at scale

One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older SharePoint vulnerability (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting the domain controllers it found with the ZeroLogon exploit.

Using the @MsftSecIntel Twitter handle, we publicly shared some file indicators used during the attack. We also shared the variations of the ZeroLogon exploits we saw, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoint.


Hunting for ZeroLogon in Microsoft 365 Defender

Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models.

In this section, we provide an example (in the simplified form of an advanced hunting query) of how Microsoft 365 Defender correlation logic operates behind the scenes to combine alerts, reducing Security Operations Center (SOC) fatigue and facilitating investigation.

The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the Netlogon exploit.


First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.

// Find all Netlogon exploit attempt alerts that carry a source device
let queryWindow = 3d;
AlertInfo
| where Timestamp > ago(queryWindow)
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
// Join the alert evidence to recover the DeviceId of the machine that sent the traffic
| join (
    AlertEvidence
    | where Timestamp > ago(queryWindow)
    | where EntityType == "Machine"
    | where EvidenceDirection == "Source"
    | where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp

Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:

// Find potential endpoint Netlogon exploit evidence from an AlertId
let NLAlertId = "insert alert ID here";
let lookAhead = 1m;
let lookBehind = 6m;
// Source device of the alert, with the earliest evidence timestamp per device
let NLEvidence =
    AlertEvidence
    | where AlertId == NLAlertId
    | where EntityType == "Machine"
    | where EvidenceDirection == "Source"
    | where isnotempty(DeviceId)
    | summarize arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
// RPC endpoint mapper (135) and the dynamic RPC port range Netlogon typically lands on
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
// Keep the earliest reported connection per source device and target
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid) = arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid),
            TargetDevicePorts = make_set(RemotePort)
    by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName = DeviceName, SourceDeviceId = DeviceId, TargetDeviceIP = RemoteIP, TargetComputerName = RemoteUrl

This query can return a result that looks like this:

Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture of what happened on the machine suspected of launching the exploit. This can save SOC analysts hours when investigating alerts, because the relevant details are there to determine whether the alert was caused by a curious researcher or by an actual attack.
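The two queries above require an AlertId to be copied by hand between them. The following added example (written for this page, not part of the original post) folds both steps into one advanced hunting query that correlates every recent Defender for Identity Netlogon alert with the RPC connections of its source device. It assumes the same table and column names, window constants and port range used above, and relies on the standard join behaviour that a clashing right-side column is suffixed with 1 (Timestamp1).

```kusto
// Added example: correlate every recent Netlogon exploitation alert with the
// RPC connections made by its source device, without copying AlertIds by hand.
let queryWindow = 3d;
let lookBehind = 6m;
let lookAhead = 1m;
// Earliest source-device evidence time per Netlogon alert
let NLSources =
    AlertInfo
    | where Timestamp > ago(queryWindow)
    | where ServiceSource == "Azure ATP"
    | where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
    | join kind=inner (
        AlertEvidence
        | where Timestamp > ago(queryWindow)
        | where EntityType == "Machine"
        | where EvidenceDirection == "Source"
        | where isnotempty(DeviceId)
      ) on AlertId
    // Timestamp1 is the AlertEvidence timestamp after the join
    | summarize AlertTime = min(Timestamp1) by AlertId, DeviceId;
// Connections from each source device to the RPC endpoint mapper (135) or the
// dynamic RPC range from the original query, inside the window around each alert
NLSources
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(queryWindow + lookBehind)
    | where RemotePort == 135 or RemotePort between (49670 .. 49680)
  ) on DeviceId
| where Timestamp between ((AlertTime - lookBehind) .. (AlertTime + lookAhead))
// Earliest reported connection per alert, source device and target
| summarize arg_min(ReportId, Timestamp, InitiatingProcessFileName,
                    InitiatingProcessCommandLine, InitiatingProcessAccountSid),
            TargetDevicePorts = make_set(RemotePort)
    by AlertId, AlertTime, DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceDeviceId = DeviceId, SourceComputerName = DeviceName,
                 TargetDeviceIP = RemoteIP, TargetComputerName = RemoteUrl
| sort by AlertTime desc
```

Each output row pairs one alert with one target reached by the source device, so a scanner sweeping many domain controllers shows up as many rows sharing an AlertId and a single InitiatingProcessFileName.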

Defend against ZeroLogon

Learn more about the alert here, along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.

Also, feel free to review our guidance on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability.

Customers with Microsoft Defender for Endpoint can get additional guidance from the threat analytics article available in Microsoft Defender Security Center.

Get started today

Are you just beginning your Microsoft Defender for Identity journey? Begin a trial of Microsoft 365 Defender to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.

Join the Microsoft Defender for Identity Tech Community for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zerologon is now detected by Microsoft Defender for Identity appeared first on Microsoft Security.
