ZeroLogon detected by the Microsoft Defender suite

The Attack

Microsoft Defender for Identity

Microsoft Defender for Endpoint

Threat and Vulnerability Management

Threat Detection

Microsoft 365 Defender

Incidents

Hunting

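// Find all Netlogon exploit attempt alerts containing source devices
// Pairs each Defender for Identity Netlogon alert with the source device
// recorded in its evidence, so the result can be handed to the endpoint
// pivot query below (one row per AlertId/DeviceId).
// All quotes and dashes are plain ASCII: the typographic quotes and en-dashes
// a blog renderer substitutes do not parse in Kusto.
let queryWindow = 3d;
AlertInfo
| where Timestamp > ago(queryWindow)
// NOTE(review): "Azure ATP" is the legacy ServiceSource value for Defender for
// Identity; confirm it still matches in the tenant's current schema
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
| join (
    AlertEvidence
    | where Timestamp > ago(queryWindow)
    | where EntityType == "Machine"
    | where EvidenceDirection == "Source"
    | where isnotempty(DeviceId)
) on AlertId
// Timestamp is AlertInfo's column; the evidence-side copy gets a "1" suffix from the join
| summarize by AlertId, DeviceId, Timestamp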

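// Find potential endpoint Netlogon exploit evidence from AlertId
// Pivot from one Defender for Identity alert to the endpoint telemetry of its
// source device: anchor a window on the first evidence timestamp, then list
// that device's outbound connections to the RPC endpoint mapper (135) and a
// slice of the dynamic RPC range, keeping the earliest initiating process per
// target so the tool and account behind the attempt can be identified.
// All quotes and dashes are plain ASCII; typographic variants break parsing.
// NLAlertId is an example value - replace it with an AlertId from the alert query.
let NLAlertId = "aa6cef45fd-f3e9-4823-9753-60e14d844439";
let lookAhead = 1m;
let lookBehind = 60m;
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
// toscalar yields a single value: if the alert names several source devices the
// window is anchored on whichever evidence row comes first
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
// NOTE(review): 49670-49680 is only a narrow part of the Windows dynamic RPC
// range; the port Netlogon binds on a given DC can fall outside it - widen the
// range if no connections are returned
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl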

Summary
