23 September 2020 – Updated 20 October 2020
**October 20th Update**
Since our September 23rd Threat Flash Alert, we have seen credible intelligence linking this vulnerability to multiple, active attack campaigns used by advanced threat organizations. In one case study we viewed, the threat actor group exploited the vulnerability and expanded from initial access to full domain-wide ransomware in only 5 hours. We strongly advise that you follow the instructions given by Microsoft, also provided in this document, to ensure that any potentially vulnerable domain controllers are patched. The best way to stop a breach that can deploy in just a few hours is to prevent the bad actors from ever gaining a foothold. For more details on this vulnerability, see below.
Zerologon Alert Summary
A critical vulnerability (CVE-2020-1472) in the Netlogon protocol in Windows Server was discovered by Secura researchers in August. Since the disclosure, at least four proof-of-concept exploits were made public and are active in the wild. However, while exploitation can be done by an unauthenticated attacker, it does require local access to a domain controller.
The vulnerability is an elevation of privilege and exists when an attacker establishes a Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. They would be required to use MS-NRPC to connect to a domain controller in order to obtain domain administrator access. The National Vulnerability Database has given it a critical CVSS score of 10.
Details
Microsoft originally released a security update on August 11th that included a patch for this vulnerability, dubbed ‘Zerologon’. No technical details accompanied the update, which allowed the vulnerability to slip under the radar of most organizations. The vulnerability was later assigned the maximum CVSS score of 10 once it was determined to be a very serious Active Directory vulnerability: an unauthenticated attacker with network access to a domain controller could establish a Netlogon session and gain domain administrator privileges with no additional information. The only requirement for exploitation is the ability to establish a connection with the domain controller.
On September 14th, the Cybersecurity and Infrastructure Security Agency (CISA) published an alert indicating that active exploit code was publicly available for this vulnerability. Soon after, the exploit was added to several offensive security tools such as Mimikatz, which makes exploitation widespread and easy.
Recommendations
Microsoft initially released a patch on August 11th; any unpatched Domain Controllers should be patched immediately. If that is not possible, several Microsoft event IDs should be monitored, specifically IDs 5827-5831, and several mitigations currently exist for environments where patching is not possible. A way to test for potential exploitability is a testing tool that has been published on GitHub.
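The following PowerShell script is an added example, not part of the original alert or of Microsoft's guidance, of the monitoring recommended above. It is assumed to run on a domain controller with rights to read the System log and HKLM. Event IDs 5827-5831 are the Netlogon events Microsoft documented with the August 2020 update (5827/5828 denied vulnerable connections, 5829 allowed during the initial deployment phase, 5830/5831 allowed by group policy exception); the `FullSecureChannelProtection` registry value is the one Microsoft's guidance uses to enable enforcement mode. The `$Days` parameter and the `SamAccountName:` message pattern are assumptions made for this example.

```powershell
# Added example: audit a domain controller for Zerologon exposure indicators.
# Assumes it runs locally on the DC. Not from the original alert.
param(
    [int]$Days = 7   # look-back window; assumed default for this example
)

# 1. Patch state: the mitigation is only effective once enforcement mode is on.
#    Registry value name taken from Microsoft's guidance for CVE-2020-1472.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforcement = (Get-ItemProperty -Path $netlogonKey -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforcement -eq 1) {
    Write-Output 'Enforcement mode: ENABLED (vulnerable secure-channel connections are denied).'
} else {
    Write-Output 'Enforcement mode: NOT SET (DC may still accept vulnerable connections if unpatched or in deployment phase).'
}

# 2. Detection: pull the Netlogon events Microsoft added for this vulnerability.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
}
$meaning = @{
    5827 = 'DENIED vulnerable machine-account connection'
    5828 = 'DENIED vulnerable trust-account connection'
    5829 = 'ALLOWED vulnerable machine-account connection (initial deployment phase)'
    5830 = 'ALLOWED vulnerable machine-account connection (group policy exception)'
    5831 = 'ALLOWED vulnerable trust-account connection (group policy exception)'
}

# Get-WinEvent reports "no events found" as an error; suppress it so $events is $null.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No Netlogon 5827-5831 events in the last $Days days."
    return
}

# Per-ID summary. 5829 entries mean vulnerable connections are still being allowed;
# a burst of 5827/5828 for one account is the pattern to examine, because a legacy
# client fails occasionally while an exploit attempt retries the handshake many times.
$events |
    Group-Object Id |
    Sort-Object Name |
    ForEach-Object {
        [PSCustomObject]@{
            EventId = [int]$_.Name
            Count   = $_.Count
            Meaning = $meaning[[int]$_.Name]
        }
    } | Format-Table -AutoSize

# Noisiest account names among denied/allowed-vulnerable events. The account is
# extracted from the message text; the 'SamAccountName:' label is assumed here.
$events |
    ForEach-Object {
        if ($_.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Name, Count |
    Format-Table -AutoSize
```

Run it on each domain controller (or wrap it in `Invoke-Command` for a fleet) and feed the per-ID counts into the alerting platform; a non-zero 5829 count after the patch is installed means enforcement mode has not been turned on yet, and any account that shows up repeatedly under 5827/5828 deserves a look at its source address in the surrounding network telemetry.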
SOD Actions
At Security On-Demand we are actively monitoring for any indication of this vulnerability being exploited. Several Snort rules now exist, including custom rules for the Mimikatz version of the exploit. We are able to monitor any new Snort rules through our current alerting platform with no changes.
Alerts are in testing that trigger when the Windows event IDs listed above are logged on a server. We then monitor events around that traffic to determine whether exploitation attempts are being made in your environment.
Security On-Demand has also updated all Domain Controllers in our environment to ensure we are not vulnerable and are not putting your data at risk.
Additional Resources
For questions, contact us at soc@securityondemand.com or call us at +1(858)408-1443.
Sources
https://nvd.nist.gov/vuln/detail/CVE-2020-1472
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472