A vulnerability named Zerologon, tracked as CVE-2020-1472, was made public on August 11, 2020 by Microsoft. It affects MS-NRPC, a protocol required for the proper operation of a Microsoft domain and used by domain controllers (RODC included). On September 11, 2020, exploitation code and a white paper associated with this vulnerability were made public by the company Secura.
Microsoft has planned a two-step remediation: an initial deployment phase starting on August 11, 2020 and ending with the enforcement phase scheduled for February 9, 2021. The terms and conditions are detailed on Microsoft's website.
The application of the patches provided for the first step enables:
The logging of events specific to this vulnerability is provided by Windows events with the following references:
Many versions of exploitation code are available (and do work), some of which are directly accessible on GitHub.
The following server versions are affected:
Domain controllers must not be reachable by unauthenticated network users. However, if you inherit a permeable network that does not authenticate hardware before granting network access, plugging in an uncontrolled computer may allow an unidentified attacker to exploit this vulnerability and obtain domain administrator rights.
TEHTRIS SIEM collects the Windows system event logs discussed here so that you can monitor exploitation attempts against this vulnerability, which may originate from computers that do not belong to your organization but are connected to a local network that allows unidentified access to a domain controller.
In order to verify the status of your sensitive services, such as those hosted by Domain Controllers and exposed Read Only Domain Controllers (RODC), it is strongly recommended to install TEHTRIS EDR to monitor the actions that would be carried out on them. Indeed, once a (RO)DC server is compromised, an attacker will then want to:
In each case, TEHTRIS EDR is able to collect, log and even automatically remediate these actions within the TEHTRIS XDR Platform, making it possible to identify and stop the intrusion in progress.
In the event that the attacker uses a network host that is joined to the Windows domain, and therefore de facto has network permission to reach and stress the exposed services of the domain controller, the prior installation of TEHTRIS EDR on all computers and servers of the Information System (IS) makes it possible to identify the illegitimate access before or during exploitation of the vulnerability, by logging (or even automatically remediating) the use of the scripts and programs the attacker relies on to forge the request to the targeted domain controller.
PIVOTING WITHIN THE INFRASTRUCTURE
Once a server is compromised, it is commonly observed that a discovery phase is carried out remotely from it, using it as a pivot to identify other services that are reachable and can be exploited.
Deploying TEHTRIS Deceptive Response within the IS facilitates the detection of such actions. When the attacker performs discovery scans of reachable services, TEHTRIS Deceptive Response records them and alerts SOC operators through the automatic creation of alerts within the XDR Platform.
In addition, the TEHTRIS NTA network monitoring product has specific signatures for attacks exploiting the CVE-2020-1472 vulnerability.
Decoy accounts within Active Directory make it easy to identify ongoing intrusions: set up dedicated monitoring on the events associated with these accounts, and choose their names so as to incite an attacker to use them, for example by turning the default accounts into decoys. This good practice pairs well with an information-system policy requirement to use nominative accounts dedicated to administration tasks, which can be prefixed with a marker (of the form "adm_p.name").
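The two monitoring ideas in this post, collecting the Netlogon events that the August 2020 update writes on domain controllers and watching authentication events for decoy accounts, can be expressed as SIEM-style correlation rules. The following is an added example, not TEHTRIS code and not part of the original post. The event IDs 5827 to 5831 are the ones Microsoft documented for the Netlogon update and are not listed on this page; the log line format, host list and decoy account names are constructed for the example.

```python
"""Toy SIEM correlation over constructed Windows event records."""
from __future__ import annotations
from dataclasses import dataclass

# Netlogon event IDs from Microsoft's August 2020 update (assumed here, not taken
# from the post): 5827/5828 = vulnerable secure-channel connection denied,
# 5829/5830/5831 = vulnerable connection allowed (enforcement not yet active).
NETLOGON_DENIED = {5827, 5828}
NETLOGON_ALLOWED = {5829, 5830, 5831}
# Security log authentication events worth watching for decoy accounts:
# 4624 logon, 4625 failed logon, 4768 Kerberos TGT, 4769 service ticket, 4776 NTLM.
AUTH_EVENTS = {4624, 4625, 4768, 4769, 4776}
# Constructed decoy account names (assumption); real admin accounts use the
# "adm_p.name" marker from the post and must not be listed here.
DECOY_ACCOUNTS = {"adm_p.decoy", "svc_backup_old"}


@dataclass(frozen=True)
class Event:
    event_id: int
    computer: str   # host that logged the event (the domain controller)
    account: str    # account or machine account named in the event
    source: str     # client address, when the event carries one


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    event: Event


def parse_line(line: str) -> Event:
    """Parse a constructed 'key=value' record such as
    'EventID=5829 Computer=DC01 Account=WS42$ Source=10.0.0.9'."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Event(int(fields["EventID"]), fields["Computer"],
                 fields["Account"], fields.get("Source", "-"))


def zerologon_rule(event: Event, known_hosts: set[str]) -> Alert | None:
    """Flag vulnerable Netlogon connections; escalate when the client is not
    an inventoried host of the organization (the case the post warns about)."""
    if event.event_id in NETLOGON_ALLOWED:
        severity, rule = "high", "netlogon-vulnerable-connection-allowed"
    elif event.event_id in NETLOGON_DENIED:
        severity, rule = "medium", "netlogon-vulnerable-connection-denied"
    else:
        return None
    if event.source not in known_hosts:
        severity, rule = "critical", rule + "-unknown-host"
    return Alert(severity, rule, event)


def decoy_rule(event: Event) -> Alert | None:
    """Any authentication activity for a decoy account is an intrusion signal."""
    if event.event_id in AUTH_EVENTS and event.account in DECOY_ACCOUNTS:
        return Alert("critical", "decoy-account-used", event)
    return None


def correlate(lines: list[str], known_hosts: set[str]) -> list[Alert]:
    alerts: list[Alert] = []
    for line in lines:
        event = parse_line(line)
        for alert in (zerologon_rule(event, known_hosts), decoy_rule(event)):
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample records; only the first three are Netlogon events.
SAMPLE_LINES = [
    "EventID=5829 Computer=DC01 Account=WS42$ Source=10.0.0.9",
    "EventID=5827 Computer=DC01 Account=WS42$ Source=10.0.0.9",
    "EventID=5829 Computer=DC01 Account=DC01$ Source=10.0.0.200",
    "EventID=4624 Computer=DC01 Account=j.smith Source=10.0.0.9",
    "EventID=4768 Computer=DC01 Account=adm_p.decoy Source=10.0.0.200",
    "EventID=4624 Computer=DC01 Account=adm_p.name Source=10.0.0.9",
]
KNOWN_HOSTS = {"10.0.0.9", "10.0.0.10"}  # constructed inventory of organization hosts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES, KNOWN_HOSTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.event}")
```

The "allowed" events (5829 to 5831) are the ones to act on during the deployment phase, since they identify clients that will stop working once enforcement is on and, when the client is unknown, a possible exploitation attempt; the decoy rule deliberately ignores the nominative "adm_p.name" admin account so that legitimate administration does not raise alerts.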
In addition to the technical means at your disposal, we recommend that you apply the patches available since August 11, 2020 and verify that they have been correctly applied on each of your domain controller servers (RODC included).
TEHTRIS is at your disposal to help you correctly implement the TEHTRIS XDR Platform in order to face this threat, whose exploitation may quickly be industrialized, just like the WannaCry threat.
MS-NRPC: Netlogon Remote Protocol remote procedure call
RODC: Read Only Domain Controller