SLTechnology News&Howtos (Network Security), updated 2025-01-15
Shulou (Shulou.com) 05/31 Report
This article is a defensive guide to the Zerologon vulnerability (CVE-2020-1472): how the attack looks when it is executed and how to detect it with native Windows event logs, Sysmon and packet capture. The content is detailed; readers who are interested can use it as a reference.
About Zerologon (CVE-2020-1472)
On September 11, 2020, Secura researcher Tom Tervoort published a whitepaper revealing the details of Zerologon. Microsoft had already shipped the fix for CVE-2020-1472 on the August 2020 Patch Tuesday, a month before the details became public. The root cause is a flaw in the cryptographic implementation of the Netlogon Remote Protocol (the AES-CFB8 client credential computation uses an all-zero IV, so a zero client credential is accepted with probability 1/256), which lets an unauthenticated attacker on the network impersonate any machine account, including a domain controller. An attacker can use it to set the password of a computer account in Active Directory, for example the domain controller's own account, and then export credential data from the domain controller with DCSync. Many researchers have already analyzed the principle and technique of the vulnerability; this article focuses on defending against and detecting the Zerologon attack.
Executing the attack
Although many exploitation tools for Zerologon are available in the community, I chose to use the latest version of Mimikatz. First, test whether our own domain controller is affected: the Mimikatz zerologon module has a check mode that only verifies whether a zero client credential is accepted and does not change any password.
Next, execute the exploit, which resets the domain controller's machine account password in Active Directory to an empty value.
At this point we can authenticate as the domain controller's machine account, perform a DCSync attack and export sensitive data (including password hashes) from the target domain controller. It is important to note that this attack damages the functional integrity of the domain controller: the password in Active Directory no longer matches the one stored in the DC's local LSA secret, so the DC's own Netlogon secure channel and replication break until the original password is restored. Be careful, and only do this against a lab system.
Vulnerability and attack detection: event code 5805
Event 5805 (source NETLOGON, "The session setup from the computer X failed to authenticate") is written to the System log of the domain controller every time a Netlogon session setup fails. Because the exploit has to retry the zero-credential handshake until the 1-in-256 case succeeds, a single attack produces a burst of these events within seconds, which is the distinguishing feature compared with the occasional legitimate failure. We can find this activity with a Splunk query:
index=winlogs EventCode=5805 | table body,Name,dest
The results were as follows:
Note that in the example above the computer name recorded in the event is "mimikatz", the name the tool sends by default, and NETLOGON rejected the session setup for it. An attacker can trivially change this name (for example to "Server2"), so the detection must rely on the burst of failures and not on the computer name field.
Event codes 4624 and 4742
Event codes 4624 (successful logon) and 4742 (computer account changed) are also generated when the exploit runs, this time in the Security log. I used EVTX samples and ran the following query (the parentheses matter: without them Splunk's precedence turns the condition into "4624 OR (4742 AND ANONYMOUS LOGON)", which matches every normal logon):
index=[evtx_location] (EventCode=4624 OR EventCode=4742) Account_Name="ANONYMOUS LOGON" | table name,MSADChangedAttributes,Source_Network_Address,Account_Name
The results were as follows:
We can see that the password of the domain controller's computer account has been changed ("Password Last Set" in MSADChangedAttributes) by ANONYMOUS LOGON, and that a successful anonymous network logon from the attacker's address has been recorded. A password reset on a domain controller's own machine account by an unauthenticated subject has no legitimate explanation.
Sysmon Event ID 3
Another detection technique for Zerologon uses Sysmon NetworkConnect events (Event ID 3) and its rule syntax. The Netlogon RPC server lives inside lsass.exe, so when the exploit talks to the domain controller over RPC/TCP, Sysmon on the DC records an inbound connection (Initiated=false) whose Image is lsass.exe, with the attacker as SourceIp. The following Sysmon configuration tags such events with a rule name we can search for:
<RuleGroup name="" groupRelation="or">
  <NetworkConnect onmatch="include">
    <Rule name="Incoming LSASS NetworkConnect" groupRelation="and">
      <Image condition="end with">lsass.exe</Image>
      <Initiated condition="is">false</Initiated>
    </Rule>
  </NetworkConnect>
</RuleGroup>
One caveat: this catches Netlogon over TCP (endpoint mapper on 135 plus a dynamic port). If a tool reaches Netlogon through the \PIPE\NETLOGON named pipe over SMB on port 445, the connection is owned by the System process, not lsass.exe, and this rule will not fire.
Splunk query statements are as follows:
index=sysmon RuleName="Incoming LSASS NetworkConnect" | table Protocol,Initiated,SourceIp,DestinationIp
The results were as follows:
We can see that host 192.168.1.43, our attacker device, established a network connection to the LSASS process of 192.168.1.156 (the target domain controller).
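The three host-side signals above (the burst of 5805 failures, the 4742 password reset by ANONYMOUS LOGON together with the anonymous 4624, and the Sysmon inbound connection to lsass.exe) are easier to reason about when correlated in one place. The following is an added example written for this article, not code from the original post or from Mimikatz/Splunk: it runs the same logic over constructed event records whose field names follow the Splunk Windows TA style used in the queries above. The sample events, hostnames, addresses, the 5-minute window and the threshold of 20 failures are all assumptions chosen for illustration.

```python
"""Correlate Windows and Sysmon events for Zerologon indicators (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(sec):
    # Constructed timestamps, all within one minute on 2020-09-14.
    return f"2020-09-14T10:00:{sec:02d}"


# Constructed sample events (NOT real log records); field names mimic the
# Splunk Windows TA fields used by the article's queries.
SAMPLE_EVENTS = (
    # System log 5805: one failed Netlogon session setup per exploit attempt.
    [{"EventCode": 5805, "_time": _ts(i), "dest": "DC01", "name": "mimikatz"}
     for i in range(30)]
    + [
        # Security 4742: DC machine account password reset by ANONYMOUS LOGON.
        {"EventCode": 4742, "_time": _ts(31), "dest": "DC01",
         "Account_Name": "ANONYMOUS LOGON", "Target_Account_Name": "DC01$",
         "MSADChangedAttributes": "Password Last Set"},
        # Security 4624: anonymous network logon from the attacker's address.
        {"EventCode": 4624, "_time": _ts(31), "dest": "DC01",
         "Account_Name": "ANONYMOUS LOGON", "Logon_Type": 3,
         "Source_Network_Address": "192.168.1.43"},
        # Sysmon 3: inbound (Initiated=false) connection to lsass.exe on the DC.
        {"EventCode": 3, "sourcetype": "sysmon", "_time": _ts(29), "dest": "DC01",
         "Image": r"C:\Windows\System32\lsass.exe", "Initiated": "false",
         "SourceIp": "192.168.1.43", "DestinationIp": "192.168.1.156"},
        # Benign noise: a workstation rotating its own machine password.
        {"EventCode": 4742, "_time": _ts(40), "dest": "DC01",
         "Account_Name": "WKS01$", "Target_Account_Name": "WKS01$",
         "MSADChangedAttributes": "Password Last Set"},
        # Benign noise: lsass.exe on the DC initiating a connection outbound.
        {"EventCode": 3, "sourcetype": "sysmon", "_time": _ts(41), "dest": "DC01",
         "Image": r"C:\Windows\System32\lsass.exe", "Initiated": "true",
         "SourceIp": "192.168.1.156", "DestinationIp": "192.168.1.10"},
    ]
)


def _time(ev):
    return datetime.fromisoformat(ev["_time"])


def netlogon_failure_bursts(events, window=timedelta(minutes=5), threshold=20):
    """Return (dc, client_name, max_count) for 5805 bursts of >= threshold events
    inside any sliding window. The exploit needs ~256 tries on average, so a
    real attack always produces a burst; sporadic single failures are ignored."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["EventCode"] == 5805:
            by_key[(ev["dest"], ev["name"])].append(_time(ev))
    hits = []
    for (dc, client), times in by_key.items():
        times.sort()
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:   # slide the left edge of the window
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            hits.append((dc, client, best))
    return hits


def anonymous_dc_password_resets(events):
    """4742 where an unauthenticated subject reset a machine account password."""
    return [
        (ev["dest"], ev["Target_Account_Name"])
        for ev in events
        if ev["EventCode"] == 4742
        and ev.get("Account_Name") == "ANONYMOUS LOGON"
        and ev["Target_Account_Name"].endswith("$")
        and "Password Last Set" in ev.get("MSADChangedAttributes", "")
    ]


def inbound_lsass_connections(events):
    """Sysmon 3 events matching the 'Incoming LSASS NetworkConnect' rule."""
    return [
        (ev["SourceIp"], ev["DestinationIp"])
        for ev in events
        if ev["EventCode"] == 3 and ev.get("sourcetype") == "sysmon"
        and ev["Image"].lower().endswith("lsass.exe")
        and ev["Initiated"] == "false"
    ]


def zerologon_findings(events):
    """Combine the signals; an address seen both in an anonymous 4624 and as
    the source of an inbound lsass connection is the likely attacker."""
    anon_sources = {ev["Source_Network_Address"] for ev in events
                    if ev["EventCode"] == 4624
                    and ev.get("Account_Name") == "ANONYMOUS LOGON"}
    lsass = inbound_lsass_connections(events)
    return {
        "netlogon_bursts": netlogon_failure_bursts(events),
        "dc_password_resets": anonymous_dc_password_resets(events),
        "inbound_lsass": lsass,
        "likely_attackers": sorted(anon_sources & {src for src, _ in lsass}),
    }


if __name__ == "__main__":
    for key, value in zerologon_findings(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The burst detector is the piece worth tuning in production: a threshold of a few dozen 5805 events from one client name within minutes is far above what misconfigured trusts or stale machine accounts generate, and it does not depend on the attacker keeping the default "mimikatz" name.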
Moloch packet capture
In addition to host-level monitoring, we can also detect Zerologon from captured packets. Here I used the Moloch packet capture tool (now called Arkime), but the detection logic transfers to any PCAP system. Looking at the PCAP of the attack, the client credential field in the NetrServerAuthenticate3 request is all zeros:
We can use Moloch's Hunt function to search for raw hexadecimal bytes in the PCAP data; DCE/RPC traffic can be selected with the query "protocols == dcerpc":
Hunting for the bytes "0000000000000 ffff2f21220000c0" (the zeroed credential followed by the negotiate flags) across that traffic, we see seven sessions matching our hunt logic:
Opening a matched session shows its metadata and session tags, including the hunt name and hunt ID, and the network activity of the Zerologon attack:
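The same byte-level hunt can be reproduced outside Moloch once the DCE/RPC payloads have been extracted from a capture. The block below is an added example written for this article, not Moloch's code or the original author's hunt: it assumes the request-side signature of an all-zero 8-byte ClientCredential immediately followed by NegotiateFlags 0x212FFFFF (the value the public proof of concept sends, little-endian ff ff 2f 21 on the wire), builds constructed stub tails as test data, and counts matching requests per source address, because a single zero-credential request can be noise while dozens from one host within a session are the attack. The capture sessions, addresses and the attempt threshold are assumptions.

```python
"""Hunt for the Zerologon zero-credential signature in DCE/RPC payloads (added example)."""
import struct
from collections import Counter

# Assumed wire signature: 8 zero bytes of ClientCredential followed by the
# PoC NegotiateFlags 0x212FFFFF packed little-endian.
ZERO_CLIENT_CREDENTIAL = b"\x00" * 8
POC_NEGOTIATE_FLAGS = struct.pack("<I", 0x212FFFFF)       # b"\xff\xff\x2f\x21"
ZEROLOGON_SIGNATURE = ZERO_CLIENT_CREDENTIAL + POC_NEGOTIATE_FLAGS


def build_auth3_tail(client_credential: bytes, flags: int, computer="DC01") -> bytes:
    """Constructed tail of a NetrServerAuthenticate3 request stub for test data:
    ComputerName (UTF-16LE, NUL-terminated), ClientCredential (8), NegotiateFlags (4).
    This is test scaffolding only, not a full NDR/DCE-RPC encoder."""
    if len(client_credential) != 8:
        raise ValueError("ClientCredential must be exactly 8 bytes")
    return (computer + "\x00").encode("utf-16-le") + client_credential + struct.pack("<I", flags)


def signature_hex() -> str:
    """Hex string in the form Moloch's Hunt expects for a raw-byte search."""
    return ZEROLOGON_SIGNATURE.hex()


def has_zerologon_signature(payload: bytes) -> bool:
    return ZEROLOGON_SIGNATURE in payload


def rank_sources(sessions, min_attempts=10):
    """sessions: iterable of (src_ip, dst_ip, payload). Returns [(src_ip, count)]
    for sources whose matching requests reach min_attempts, most active first."""
    counts = Counter(src for src, _dst, payload in sessions
                     if has_zerologon_signature(payload))
    return [(src, n) for src, n in counts.most_common() if n >= min_attempts]


# Constructed capture: 12 exploit attempts from one host, plus legitimate
# Netlogon authentications that carry a real (non-zero) credential.
SAMPLE_SESSIONS = (
    [("192.168.1.43", "192.168.1.156", build_auth3_tail(ZERO_CLIENT_CREDENTIAL, 0x212FFFFF))
     for _ in range(12)]
    + [("192.168.1.20", "192.168.1.156", build_auth3_tail(b"\x5a\x1c\x9e\x02\x77\xb4\x31\xe8", 0x212FFFFF))
       for _ in range(3)]
    # A single zero-credential request from another host stays below the threshold.
    + [("192.168.1.21", "192.168.1.156", build_auth3_tail(ZERO_CLIENT_CREDENTIAL, 0x212FFFFF))]
)


if __name__ == "__main__":
    print("Moloch hunt bytes:", signature_hex())
    print("Suspicious sources:", rank_sources(SAMPLE_SESSIONS))
```

Matching on the credential and flags together, rather than on eight zero bytes alone, keeps the hunt from firing on ordinary zero padding in unrelated RPC traffic; the per-source count then separates a real brute force from a one-off match.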
Administrators should treat Zerologon as a critical issue and patch every domain controller as soon as possible. Note that installing the August 2020 update alone is not the end of the work: it must be followed by the enforcement phase (on by default from the February 2021 update, or earlier via the FullSecureChannelProtection registry value), which rejects insecure Netlogon connections from every device and makes the attack impossible. Because patching is not always immediately feasible, this article has provided guidance for detecting this critical vulnerability with native Windows logs, Sysmon and PCAP.
© 2024 shulou.com SLNews company. All rights reserved.