Stealthbits’ Zerologon Detection and Mitigation Solution
In my two previous blogs, we’ve gone over the new patch and update plans from Microsoft (Part 1), as well as the attack itself (Part 2). Now let’s talk about how we at Stealthbits can help. We’re actively working in the lab and investigating ways we can audit, detect, and potentially mitigate the Zerologon vulnerability. Check out the updates for each of our products below and see how they can help or what we have in the works!
Analyzing Zerologon Risk with StealthAUDIT
Within StealthAUDIT, available for download on our Product Downloads page under StealthAUDIT Jobs (valid login required), we have created a job that will assist in understanding your environment during the initial deployment phase. This job will produce two reports:
- The first focuses on auditing the current status of your environment, particularly your Domain Controllers
- The second focuses on analyzing the event logs and traffic occurring on those Domain Controllers
Data Points Audited
Domain Controller Data points
The first three data points we look at are the FullSecureChannelProtection registry key value, the last reboot time, and the last patch install date for the machine. This information allows us to identify if the Domain Controller has likely received the August 11th 2020 patch, as well as if the Domain Controller has been configured to be in enforcement mode prior to the enforcement phase, planned for February 2021. Patching and being able to enable enforcement mode on all of your domain controller prior to the enforcement phase is the ultimate goal, after all.
Group Policy Settings
The next component we look at related to Zerologon is the Group Policy configuration for the “Domain controller: Allow vulnerable Netlogon secure channel connections” setting. This policy should only be configured to allow vulnerable connections from non-Windows devices that do not have an applicable update to leverage secure connections via Netlogon. Reporting on this datapoint is a good way for admins to understand where exceptions have been made to ensure that it is only a set of machines that should be allowed to make these connections.
Empty Domain Controller Passwords
The last datapoint we look at related to your Domain Controllers is actually coming from our AD_WeakPasswords job. In the instance your Domain Controller was found to have an empty password, we will explicitly call it out in this report as that is potentially a direct result of the Zerologon vulnerability being exploited. Even in the instance, it was not due to Zerologon, it is an extremely risky situation that any organization should want to rectify.
Event Logs Analyzed
The second report within our solution focuses on event log data and looks at all of the various event IDs added from the August 11th patch, including events 5827, 5828, 5829, 5830, and 5831. This report offers administrators a simple way to understand what type of traffic is occurring in their environment and at what frequency. Not only will it help you better understand what traffic is occurring, but it will aid in identifying which accounts are creating 5829 events, which is important to get a handle on prior to February 2021 by either updating the machine in question or adding applicable systems to the previously mentioned group policy to ensure nothing is impacted once enforcement mode starts.
StealthDEFEND
The security research team has been working hard on a detection for ZeroLogon exploitation in StealthDEFEND. They’re nearing completion and expect this to be released for StealthDEFEND 2.5 in the very near future. This new threat will be capable of detecting both successful (domain controller password is reset) and unsuccessful (no password reset observed, likely because the domain controller is patched) attempts to exploit the ZeroLogon vulnerability.
Next Steps
If you’re an existing StealthAUDIT or StealthDEFEND user, pop these jobs and analyses into your consoles and have at it. If you need any help, you know who to call.
If you’re not an existing user of these products or even a customer, no worries! We’re happy to extend you a copy of either to help you out. Just send us a message at https://www.stealthbits.com/contact and reference Zerologon in the comments. A representative will get in touch with you immediately to get you what you need.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits – now part of Netwrix. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.
Related Posts
- Detecting Advanced Process Tampering Tactics with Microsoft’s Sysmon 13
- Leveraging OpenSSH to Move Files in Windows Server 2019
- What Comes After the FireEye Attack
- Giving Back while Safeguarding Schools in the Age of COVID-19
- Malware’s Growth During the COVID-19 Pandemic
- PostgreSQL Server Security Primer
- What is an Insider Threat?
- Top Data Breaches of 2020
- Protecting User Credentials – Individual & Software Best Practices
- Using & Securing Remote Desktop Protocol (RDP)
Leave a Reply