Security Alert: Detecting CVE-2020-1472 Zerologon Exploitation with NDR
ExtraHop urges organizations to patch immediately and monitor for exploit attempts
Jeff Costlow
September 16, 2020
First discovered by Secura, the CVE-2020-1472 Zerologon vulnerability was recently reported in Microsoft's August Patch Tuesday. This privilege escalation vulnerability could allow attackers to get control of a Windows domain without any user credentials. As of the time of this post, multiple recent proof-of-concepts exploiting the issue have been shown.
This vulnerability has a CVSS score of 10, and the threat research team at ExtraHop expects CVE-2020-1472 to be actively exploited in the wild. Because this vulnerability is easy to exploit, it will surely cause problems for organizations that have not yet patched their Active Directory systems.
Forged Netlogon Sessions
The public proof-of-concepts have shown that unauthenticated attackers are able to obtain full administrator privileges on Active Directory systems. By forging an authenticated Netlogon session, public proof-of-concepts leverage password change functionality to reset the domain controller machine account password. Some proof-of-concepts will then reset the password to the original value. While the account password is set to a value known to the adversary, an attack such as DCSync can be conducted to replicate ticket and service credentials, allowing for unfettered access to services and data throughout the organization.
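The sequence described above (a Netlogon password set against a domain controller machine account, replication from a non-DC host, and an optional second password set) can be expressed as a correlation rule over RPC metadata. This is an added example, not ExtraHop's detector or code from the original post; the record layout, addresses, account names, DC inventory and 600-second window are constructed assumptions, while NetrServerPasswordSet2 and DRSGetNCChanges are the Netlogon password-set and directory replication calls.

```python
# Constructed sample of RPC metadata as a network sensor might export it.
# Hypothetical layout: (epoch_seconds, src_ip, dst_ip, operation, target_account)
EVENTS = [
    (1000, "10.0.0.5", "10.0.0.10", "NetrServerPasswordSet2", "WKSTN07$"),  # routine workstation rotation
    (1200, "10.0.0.66", "10.0.0.10", "NetrServerPasswordSet2", "DC01$"),    # DC account set from a non-DC host
    (1230, "10.0.0.66", "10.0.0.10", "DRSGetNCChanges", ""),                # replication request from the same host
    (1290, "10.0.0.66", "10.0.0.10", "NetrServerPasswordSet2", "DC01$"),    # second set (password put back)
    (2000, "10.0.0.11", "10.0.0.10", "DRSGetNCChanges", ""),                # normal DC-to-DC replication
]

# Assumed inventory: domain controller machine accounts and their addresses.
DOMAIN_CONTROLLERS = {"DC01$": "10.0.0.10", "DC02$": "10.0.0.11"}
WINDOW = 600  # seconds after the first reset in which replication is correlated


def detect(events, dcs=DOMAIN_CONTROLLERS, window=WINDOW):
    """Return one finding per non-DC source that set a DC machine account password."""
    dc_ips = set(dcs.values())
    findings = {}
    for ts, src, dst, op, account in sorted(events):
        finding = findings.get(src)
        if op == "NetrServerPasswordSet2" and account.upper() in dcs and src not in dc_ips:
            # Assumption: a DC machine account password is never set over the
            # network by a host that is not itself a domain controller.
            if finding is None:
                finding = findings[src] = {
                    "src": src, "dc": dst, "account": account.upper(),
                    "first_seen": ts, "resets": 0, "replication_after_reset": False,
                }
            finding["resets"] += 1
        elif op == "DRSGetNCChanges" and src not in dc_ips and finding:
            # Replication requested by the same non-DC host shortly after the reset.
            if ts - finding["first_seen"] <= window:
                finding["replication_after_reset"] = True
    for finding in findings.values():
        finding["severity"] = "critical" if finding["replication_after_reset"] else "high"
    return sorted(findings.values(), key=lambda f: f["first_seen"])


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A finding with `resets` of 2 means the password was set twice from the same host, which matches the proof-of-concepts that restore the original value, so the account looking healthy afterwards does not clear the alert.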
ExtraHop urges organizations to patch immediately and be aware that your system may have already been compromised. Any organization without the ability to detect exploit attempts will remain at high risk.
ExtraHop Reveal(x) network detection and response (NDR) has support for parsing MSRPC and is well situated to detect attacks against Active Directory infrastructure.
ExtraHop is committed to reacting quickly to exploits by creating detectors that help our customers understand and remediate threats like CVE-2020-1472. All ExtraHop Reveal(x) deployments running version 8.0 and later can now detect an exploit attempt, allowing administrators to protect their systems before they are able to roll out patches.
Here's a quick walkthrough of detecting Zerologon with Reveal(x):
Microsoft has more information on CVE-2020-1472.