Stealthbits’ Zerologon Detection and Mitigation Solution

In my two previous blogs, we’ve gone over the new patch and update plans from Microsoft (Part 1), as well as the attack itself (Part 2). Now let’s talk about how we at Stealthbits can help. We’re actively working in the lab and investigating ways we can audit, detect, and potentially mitigate the Zerologon vulnerability. Check out the updates for each of our products below and see how they can help or what we have in the works!

Analyzing Zerologon Risk with StealthAUDIT

Within StealthAUDIT, available for download on our Product Downloads page under StealthAUDIT Jobs (valid login required), we have created a job that will assist in understanding your environment during the initial deployment phase. This job will produce two reports:

1. The first focuses on auditing the current status of your environment, particularly your Domain Controllers
2. The second focuses on analyzing the event logs and traffic occurring on those Domain Controllers

Data Points Audited

Domain Controller Data points

The first three data points we look at are the FullSecureChannelProtection registry key value, the last reboot time, and the last patch install date for the machine. This information allows us to identify if the Domain Controller has likely received the August 11^th 2020 patch, as well as if the Domain Controller has been configured to be in enforcement mode prior to the enforcement phase, planned for February 2021. Patching and being able to enable enforcement mode on all of your domain controller prior to the enforcement phase is the ultimate goal, after all.

Group Policy Settings

The next component we look at related to Zerologon is the Group Policy configuration for the “Domain controller: Allow vulnerable Netlogon secure channel connections” setting. This policy should only be configured to allow vulnerable connections from non-Windows devices that do not have an applicable update to leverage secure connections via Netlogon. Reporting on this datapoint is a good way for admins to understand where exceptions have been made to ensure that it is only a set of machines that should be allowed to make these connections.

Empty Domain Controller Passwords

The last datapoint we look at related to your Domain Controllers is actually coming from our AD_WeakPasswords job. In the instance your Domain Controller was found to have an empty password, we will explicitly call it out in this report as that is potentially a direct result of the Zerologon vulnerability being exploited. Even in the instance, it was not due to Zerologon, it is an extremely risky situation that any organization should want to rectify.

Event Logs Analyzed

The second report within our solution focuses on event log data and looks at all of the various event IDs added from the August 11^th patch, including events 5827, 5828, 5829, 5830, and 5831. This report offers administrators a simple way to understand what type of traffic is occurring in their environment and at what frequency. Not only will it help you better understand what traffic is occurring, but it will aid in identifying which accounts are creating 5829 events, which is important to get a handle on prior to February 2021 by either updating the machine in question or adding applicable systems to the previously mentioned group policy to ensure nothing is impacted once enforcement mode starts.

StealthDEFEND

The security research team has been working hard on a detection for ZeroLogon exploitation in StealthDEFEND. They’re nearing completion and expect this to be released for StealthDEFEND 2.5 in the very near future. This new threat will be capable of detecting both successful (domain controller password is reset) and unsuccessful (no password reset observed, likely because the domain controller is patched) attempts to exploit the ZeroLogon vulnerability.

Next Steps

If you’re an existing StealthAUDIT or StealthDEFEND user, pop these jobs and analyses into your consoles and have at it. If you need any help, you know who to call.

If you’re not an existing user of these products or even a customer, no worries! We’re happy to extend you a copy of either to help you out. Just send us a message at https://www.stealthbits.com/contact and reference Zerologon in the comments. A representative will get in touch with you immediately to get you what you need.