Microsoft has said its Microsoft Defender for Identity solution is now able to detect Zerologon, an exploit against a vulnerability in the Netlogon Remote Protocol that allows hackers to hijack a Domain Admin account and compromise the domain controller.
The vulnerability in Microsoft’s Windows Netlogon server process was first detected in August this year, following which Microsoft issued a security patch to prevent hackers from exploiting the vulnerability with Zerologon attacks to target a large number of organisations worldwide.
Microsoft Windows Netlogon is a Windows Server process that authenticates domain controllers and other users within a domain. It is part of a domain’s security hierarchy along with the Workstation service and the Server Message Block protocol, enabling secure communications across all nodes of a network.
In October, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) alerted organisations about a critical vulnerability, CVE-2020-1472, plaguing the Netlogon Remote Protocol. CISA said the vulnerability was being actively exploited in the wild after the exploit code was released publicly in early September.
According to GCHQ’s National Cyber Security Centre, the exploit, dubbed Zerologon, “allows an attacker with network access to a Domain Controller to impersonate any domain user and change their account password. This includes the ability to change the Domain Admin account password, leading to compromise of the Domain Controller.”
It added that cyber criminals have updated publicly available hacking tools such as Mimikatz and Metasploit to exploit the privilege vulnerability, and that all Windows Server versions not patched with the 11/08/2020 update are exposed to Zerologon attacks.
In order to mitigate the threat, organisations need to ensure that all Domain Controllers are patched via Microsoft’s August 2020 security update. Once this is done, they will need to enable Domain Controller (DC) enforcement mode, either via a registry key or by applying the 9 February 2021 security update when it is available.
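Before switching a patched Domain Controller to enforcement mode, it helps to know which devices still rely on vulnerable Netlogon connections. The following is an added example, not code from Microsoft or from this article: it triages Netlogon events from a DC's System log using the event IDs 5827 to 5831 and the `FullSecureChannelProtection` registry value from Microsoft's guidance for CVE-2020-1472 (neither is named in the article), and the `id|message` export format and all account names are constructed for illustration.

```python
import re
from collections import defaultdict

# Netlogon event IDs written to the DC System log after the August 2020 update.
MEANING = {
    5827: "denied",       # vulnerable machine-account connection denied
    5828: "denied",       # vulnerable trust-account connection denied
    5829: "would_break",  # vulnerable connection still allowed until enforcement
    5830: "exempt",       # allowed by group policy (machine account)
    5831: "exempt",       # allowed by group policy (trust account)
}
ACCOUNT = re.compile(r"SamAccountName:\s*(\S+)")

# Constructed sample export, one event per line: "<event id>|<shortened message>".
SAMPLE = """\
5829|Machine SamAccountName: LEGACY-NAS$ Domain: corp.example
5829|Machine SamAccountName: LEGACY-NAS$ Domain: corp.example
5830|Machine SamAccountName: PRINTSRV$ Domain: corp.example
5827|Machine SamAccountName: OLDLAB01$ Domain: corp.example
7036|The Netlogon service entered the running state.
"""

def triage(export, full_secure_channel_protection=None):
    """Group accounts by what enforcement mode does (or would do) to them."""
    buckets = defaultdict(set)
    for line in export.splitlines():
        event_id, _, message = line.partition("|")
        kind = MEANING.get(int(event_id)) if event_id.isdigit() else None
        match = ACCOUNT.search(message)
        if kind and match:
            buckets[kind].add(match.group(1))
    # FullSecureChannelProtection = 1 means enforcement mode is already on.
    enforced = full_secure_channel_protection == 1
    return {
        "enforced": enforced,
        "would_break": sorted(buckets["would_break"]),
        "denied": sorted(buckets["denied"]),
        "exempt": sorted(buckets["exempt"]),
        # Safe to enforce once nothing still depends on the vulnerable channel.
        "safe_to_enforce": enforced or not buckets["would_break"],
    }

if __name__ == "__main__":
    print(triage(SAMPLE, full_secure_channel_protection=0))
```

Accounts listed under `would_break` need to be updated or explicitly exempted by policy before enforcement is switched on; accounts under `exempt` remain exposed and should be tracked until they can be removed from the exception.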
Earlier today, Microsoft announced that it has updated Microsoft Defender for Identity along with other Microsoft 365 Defender solutions to accurately detect Zerologon exploits. This capability will enable organisations to detect cyber attacks targeting domain controllers quickly.
According to Microsoft, following the publication of several proof-of-concept tools and demo exploits that can leverage the Netlogon vulnerability, there was a major increase in cyber activity to exploit the vulnerability after 13th September. Consequently, the company updated Microsoft Defender for Identity not only to detect the exploit early on but also to help organisations monitor the Netlogon channel traffic.
Microsoft Defender for Identity helps identify not only the device that attempts the impersonation, but also the domain controller, the targeted asset, and whether the impersonation attempt is successful. Organisations using Microsoft 365 Defender and Microsoft Defender for Endpoint can, in addition, see device process and file activity associated with the exploitation.
“Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&CK framework, and machine learning models,” Microsoft said.