A vulnerability named Zerologon, with the number CVE-2020-1472, has been made public on August 11, 2020 by Microsoft . It impacts MS-NRPC , a protocol required for the proper operation of a Microsoft domain, and used by domain controllers (RODC  included). On September 11, 2020, an exploitation code and a white paper associated with this vulnerability were made public by the company Secura .
Microsoft has planned a two-step remediation: an initial deployment phase starting on August 11, 2020 and ending during the application phase scheduled for February 9, 2021. The terms and conditions are detailed on Microsoft’s website .
The application of the patches provided for the first step enables:
- to modify the default configuration of the MS-NRPC protocol,
- to log events coming from hosts using the vulnerable version,
- to configure the group policy strategies (GPO) requiring the use of the robust version of the protocol, while still accepting connections in the vulnerable version from hosts explicitly specified as exceptions.
The logging of events specific to this vulnerability is provided by Windows events with the following references:
- EventID 5827,
- EventID 5828,
- EventID 5829,
- EventID 5830,
- EventID 5831
- Remote code execution
- Compromised server
- All computers and user accounts of a given Microsoft domain may be compromised
Many versions of operating codes are available (and do work), some of which are accessible directly on GitHub.
The following server versions are affected:
- Windows Server 2008 R2 for x64-based Systems Service Pack 1
- Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server, version 1903 (Server Core installation)
- Windows Server, version 1909 (Server Core installation)
- Windows Server, version 2004 (Server Core installation)
NETWORK PARTITIONING OF DOMAIN CONTROLLERS
Domain controllers must not be accessible to non-authenticated network users. However, if you do inherit a permeable network that does not implement any hardware authentication to authorize network access, connecting an uncontrolled computer may allow an unidentified attacker to exploit this vulnerability to obtain domain administrator rights.
TEHTRIS SIEM collects the Windows system event logs discussed here to enable you to cyber monitor exploits of this vulnerability, which could come from computers that do not belong to your organization and are connected to a local network allowing unidentified access to a domain controller.
In order to verify the status of your sensitive services, such as those hosted by Domain Controllers and exposed Domain Controllers (RODC), it is strongly recommended to install TEHTRIS EDR to enable the monitoring of actions that would be carried out. Indeed, in case of a compromised (RO)DC server, an attacker will then want to:
- perform reconnaissance to determine future malicious acts,
- bounce on business services hosting capital information assets, more than a mere access to a privileged account (bank data, personal information, confidential documents),
- to exfiltrate data in order to be able to better negotiate the amount of a ransom afterwards,
- deploy a ransomware.
In each case, TEHTRIS EDR will be able to collect, log and even automatically remediate these actions within the TEHTRIS XDR Platform, thus enabling to identify and stop the intrusion in progress.
MONITORING OF CLIENT WORKSTATIONS
In the event that the attacker uses a network host integrated into the Windows domain and having de facto network permissions to go, stressing the exposed services of the domain controller, the prior installation of TEHTRIS EDR on all computers and servers of the Information System (IS) enables to identify the illegitimate access before or during the exploitation of the vulnerability by logging (or even automatically remediating) the use of scripts and programs used by the attacker to forge the request to the targeted domain controller.
BOUNCE WITHIN THE INFRASTRUCTURE
In the event of a compromised server, it is commonly observed that a discovery phase is carried out remotely, using bounce mechanisms to identify other services that are accessible and can be exploited.
The implementation of TEHTRIS Deceptive Response within the IS facilitates the detection of such actions. When the attacker performs discovery scans of accessible services, TEHTRIS Deceptive Response collects and alerts SOC operators via the automatic creation of alerts within the XDR Platform.
In addition, the TEHTRIS NTA network monitoring product has specific signatures for attacks exploiting the CVE-2020-1472 vulnerability.
The implementation of decoy accounts present within Active Directory can easily identify ongoing intrusions by setting up a special monitoring on events associated with these accounts and whose names can be chosen to incite an attacker to exploit them by transforming the default accounts into a decoy account. This good practice can be associated with the obligation, by the policy of information systems, to use nominative accounts dedicated to administration tasks and which can be prefixed with a marker (“adm_p.name” type).
In addition to the technical means at your disposal, we recommend that you apply the patches available since August 11, 2020 and check the correct application of these patches on each of your domain controller servers (RODC included).
TEHTRIS is at your disposal to help you correctly implement the TEHTRIS XDR Platform in order to be able to face this threat, whose exploitation may quickly be industrialized, just like the Wannacry threat.
 Netlogon Remote Protocol remote procedure call
 Read Only Domain Controller