Hunting zerologon exploit CVE-2020-1472 With ELK | Splunk


Zerologon at a glance:

Security researcher Tom Tervoort of Secura discovered a vulnerability rated CVSS 10.0 in the Netlogon Remote Protocol [MS-NRPC]. By forging an authentication token for specific Netlogon functionality, he was able to call a function that sets the computer password of the Domain Controller to a known value.
After that, an attacker can use this new password to take control of the Domain Controller and steal credentials to become domain admin.

- The Zerologon name comes from the way the cryptographic flaw works: zeros are supplied for certain parameters in Netlogon. An attacker only needs to be on the network.

- Detailed info can be found here.


- The attack can be carried out in various ways, such as:

  • testing vulnerable machines with zerologon_tester.py here
  • VoidSec cve-2020-1472-exploit.py here
  • Mimikatz lsadump module
- Techniques: Exploitation of Remote Services (T1210)

Hunting (Detection):

From System logs:
Event ID 5805 is generated when the Zerologon attack is performed, with the following message: "The session setup from the computer Client-XXXXX (attacker host) failed to authenticate. The following error occurred: Access is denied."

      - Splunk query: source="WinEventLog:System" EventCode="5805" | table message,ComputerName



- From Security logs:

  1. Event code 4624 and event code 4742; "Audit Computer Account Management" must be enabled on the Domain Controller for 4742 to be logged.
  2. Logon Type: 3 (Network Logon)

    - 4742: Computer Change, "A computer account was changed", with the change requested by "ANONYMOUS LOGON"
    - 4624: An account was successfully logged on

- Splunk :
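To show how the System and Security indicators above fit together, here is an added correlation example (my own code, not part of the original post or of any of the tools it links). It runs over constructed sample events, not real logs, using field names in the style of the Splunk Windows add-on (EventCode, ComputerName, message, SubjectUserName, TargetUserName, LogonType, _time). It flags a 4742 computer-account change requested by ANONYMOUS LOGON on a Domain Controller, and raises the confidence when the same DC also saw a burst of 5805 failures and an anonymous type-3 4624 shortly before it. The window and burst threshold are assumptions to tune per environment.

```python
import re
from collections import Counter

# Constructed sample events (not real log data). Host names and times are made up.
SAMPLE_EVENTS = [
    # Burst of 5805 in the System log: the attack retries until a zero-filled
    # challenge is accepted, so each failed attempt shows up as a 5805.
    *[
        {"log": "System", "EventCode": 5805, "ComputerName": "DC01", "_time": 1000 + i,
         "message": "The session setup from the computer CLIENT-7F3A failed to "
                    "authenticate. The following error occurred: Access is denied."}
        for i in range(12)
    ],
    # Network logon (type 3) by ANONYMOUS LOGON right before the password reset.
    {"log": "Security", "EventCode": 4624, "ComputerName": "DC01", "_time": 1013,
     "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON"},
    # The DC's own computer account changed by ANONYMOUS LOGON: the Zerologon signature.
    {"log": "Security", "EventCode": 4742, "ComputerName": "DC01", "_time": 1014,
     "SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"},
    # Benign: a workstation's own periodic machine password change.
    {"log": "Security", "EventCode": 4742, "ComputerName": "DC01", "_time": 5000,
     "SubjectUserName": "WS0042$", "TargetUserName": "WS0042$"},
    # Benign: a single 5805 from a host with a stale secure channel.
    {"log": "System", "EventCode": 5805, "ComputerName": "DC01", "_time": 6000,
     "message": "The session setup from the computer WS0099 failed to authenticate. "
                "The following error occurred: Access is denied."},
]

CLIENT_RE = re.compile(r"session setup from the computer (\S+) failed")


def client_from_5805(message):
    """Extract the client host name from a 5805 message, or None if absent."""
    m = CLIENT_RE.search(message)
    return m.group(1) if m else None


def hunt_zerologon(events, window=60, burst_threshold=5):
    """Return one finding per computer-account change (4742) made by ANONYMOUS LOGON.

    Confidence is 'high' when, within `window` seconds before the change, the same
    DC logged at least `burst_threshold` 5805 failures from one client and an
    anonymous type-3 4624; otherwise 'medium'. (window/threshold are assumptions.)
    """
    # Index 5805 failures per DC as (time, client) pairs.
    failures_by_dc = {}
    for e in events:
        if e["log"] == "System" and e["EventCode"] == 5805:
            failures_by_dc.setdefault(e["ComputerName"], []).append(
                (e["_time"], client_from_5805(e["message"])))

    findings = []
    for e in events:
        if not (e["log"] == "Security" and e["EventCode"] == 4742):
            continue
        if e.get("SubjectUserName") != "ANONYMOUS LOGON":
            continue  # normal machine password rotations are done by the account itself
        dc, t = e["ComputerName"], e["_time"]
        prior_failures = [c for ts, c in failures_by_dc.get(dc, [])
                          if t - window <= ts <= t]
        anon_logon = any(
            x["log"] == "Security" and x["EventCode"] == 4624
            and x["ComputerName"] == dc and x.get("LogonType") == 3
            and x.get("TargetUserName") == "ANONYMOUS LOGON"
            and t - window <= x["_time"] <= t
            for x in events)
        suspected_clients = sorted(c for c, n in Counter(prior_failures).items()
                                   if c and n >= burst_threshold)
        findings.append({
            "dc": dc, "time": t, "target": e["TargetUserName"],
            "failed_auth_count": len(prior_failures),
            "anonymous_logon_4624": anon_logon,
            "suspected_clients": suspected_clients,
            "confidence": "high" if (suspected_clients and anon_logon) else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt_zerologon(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this yields a single high-confidence finding against DC01$ attributed to CLIENT-7F3A; the workstation's own password rotation and the lone 5805 from WS0099 are not reported. The same joins translate directly into a Splunk transaction or an ELK correlation rule keyed on ComputerName.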
Mitigation:
  • Microsoft released the Zerologon security update in August 2020 here
    • After deploying the update, a new option is available to enable Domain Controller enforcement mode.
    • New event IDs are enabled once the August 2020 patch is installed on a Domain Controller:
      1. Event IDs 5827 and 5828 are logged in the System event log if connections are denied.
      2. Event IDs 5830 and 5831 are logged in the System event log if connections are allowed.
      3. Event ID 5829 is logged whenever a vulnerable Netlogon secure channel connection is allowed.
    • Confirm that all devices are compliant and will not break as a result of enabling enforcement mode.
    • Note: the patch to be released February 9th, 2021 will automatically enable enforcement mode on Domain Controllers.
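The compliance check before enforcement mode comes down to one question: is any device still being allowed in on a vulnerable secure channel (event 5829)? The following is an added example of that check (my own code, not from the original post or from Microsoft). The events are constructed, and the field names Machine_SamAccountName and Machine_Operating_System are assumed labels for the account and OS details the Netlogon events carry; map them to whatever your forwarder extracts.

```python
from collections import defaultdict

# Meaning of the Netlogon event IDs added by the August 2020 update (System log).
NETLOGON_EVENTS = {
    5827: "denied: vulnerable secure channel from a machine account",
    5828: "denied: vulnerable secure channel from a trust account",
    5829: "allowed: vulnerable secure channel (will be denied once enforcement is on)",
    5830: "allowed: machine account permitted by policy exception",
    5831: "allowed: trust account permitted by policy exception",
}

# Constructed sample events (not real logs); names and field labels are assumed.
SAMPLE_NETLOGON_EVENTS = [
    {"EventCode": 5829, "ComputerName": "DC01", "Machine_SamAccountName": "LEGACY-NAS$",
     "Machine_Operating_System": "Unknown"},
    {"EventCode": 5829, "ComputerName": "DC01", "Machine_SamAccountName": "LEGACY-NAS$",
     "Machine_Operating_System": "Unknown"},
    {"EventCode": 5829, "ComputerName": "DC02", "Machine_SamAccountName": "LEGACY-NAS$",
     "Machine_Operating_System": "Unknown"},
    {"EventCode": 5829, "ComputerName": "DC01", "Machine_SamAccountName": "PRINTER01$",
     "Machine_Operating_System": "Unknown"},
    {"EventCode": 5830, "ComputerName": "DC01", "Machine_SamAccountName": "NASBOX$",
     "Machine_Operating_System": "Unknown"},
    {"EventCode": 5827, "ComputerName": "DC01", "Machine_SamAccountName": "OLDBOX$",
     "Machine_Operating_System": "Unknown"},
    # Unrelated System event, ignored by the check.
    {"EventCode": 5805, "ComputerName": "DC01", "message": "The session setup ... failed"},
]


def enforcement_readiness(events):
    """Summarise post-patch Netlogon events per client account.

    Returns (ready, blockers, report). `ready` is True only when no 5829 was seen,
    i.e. no device still depends on a vulnerable secure channel. `blockers` lists
    the accounts that must be fixed (or explicitly excepted via policy, after which
    they appear as 5830/5831) before enforcement mode is enabled.
    """
    summary = defaultdict(lambda: {"vulnerable_allowed": 0, "denied": 0,
                                   "allowed_by_policy": 0, "dcs": set(), "os": set()})
    for e in events:
        code = e["EventCode"]
        if code not in NETLOGON_EVENTS:
            continue
        row = summary[e["Machine_SamAccountName"]]
        if code == 5829:
            row["vulnerable_allowed"] += 1
        elif code in (5827, 5828):
            row["denied"] += 1
        else:  # 5830 / 5831
            row["allowed_by_policy"] += 1
        row["dcs"].add(e["ComputerName"])
        if e.get("Machine_Operating_System"):
            row["os"].add(e["Machine_Operating_System"])

    blockers = sorted(name for name, row in summary.items() if row["vulnerable_allowed"] > 0)
    # Sets become sorted lists so the report is stable and serialisable.
    report = {name: {**row, "dcs": sorted(row["dcs"]), "os": sorted(row["os"])}
              for name, row in summary.items()}
    return len(blockers) == 0, blockers, report


if __name__ == "__main__":
    ready, blockers, report = enforcement_readiness(SAMPLE_NETLOGON_EVENTS)
    print("safe to enable enforcement mode:", ready)
    for name in blockers:
        print(f"  {name}: {report[name]['vulnerable_allowed']} vulnerable connections "
              f"allowed on {', '.join(report[name]['dcs'])}")
```

Run it against the 5827 to 5831 events from every Domain Controller, not just one: in the sample, LEGACY-NAS$ is seen on both DC01 and DC02, and a device that only talks to one DC is easy to miss if you only collect from the PDC emulator.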



Reference:
https://www.secura.com/blog/zero-logon
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
https://github.com/SecuraBV/CVE-2020-1472
https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/



