IBM Security QRadar


Detecting the Zerologon Exploitation (CVE-2020-1472)

By MUTAZ ALSALLAL posted Thu September 17, 2020 04:42 PM

Microsoft recently released a Windows patch for a severe remote vulnerability that can be used to fully compromise domain controllers without any existing valid privileged user account.

The attacker only needs a network connection to the domain controller.

The exploit works by sending a number of Netlogon messages with various fields filled with zeroes, which then allows the attacker to change the computer account password of the domain controller.

Security analysts need to look for any Computer Account changes made by the ANONYMOUS LOGON user.


Figure: QRadar Offense showing the detection of Zerologon exploitation (CVE-2020-1472)




QRadar Rule to detect the Zerologon Exploitation

The rule is very simple and straightforward, as follows:

Figure: QRadar rule to detect Zerologon exploitation (CVE-2020-1472)



The detection is based on Windows event ID 4742 ("A computer account was changed").
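To make the rule's logic concrete outside QRadar, here is an added example (not QRadar's rule and not IBM code) that scans Windows Security events for the same condition: event ID 4742 whose subject account is ANONYMOUS LOGON. The log lines are constructed sample data in a simplified JSON-lines shape; the field names (EventID, Computer, SubjectUserName, TargetUserName, PasswordLastSet) mirror the 4742 EventData fields, but the line format itself is an assumption, not a real export format. It also records whether "Password Last Set" was among the changed attributes, which is the attribute a successful Zerologon password reset touches.

```python
"""Flag Windows event 4742 (a computer account was changed) when the subject
account is ANONYMOUS LOGON, reproducing the QRadar rule described in the post.
Added example; constructed sample data, assumed JSON-lines field names."""
import json
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample log lines, one JSON object per line (not real logs).
# Line 1: routine 4742 by a service account       -> no alert
# Line 2: 4624 logon *as* ANONYMOUS LOGON          -> no alert (wrong event ID)
# Line 3: 4742 by ANONYMOUS LOGON on DC01$          -> ALERT (Zerologon pattern)
# Line 4: DC01$ rotating its own password           -> no alert (normal behaviour)
SAMPLE_LOG_LINES = """\
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "svc-patch", "SubjectDomainName": "EXAMPLE", "TargetUserName": "WS017$", "TargetDomainName": "EXAMPLE", "PasswordLastSet": "-"}
{"EventID": 4624, "Computer": "DC01.example.local", "SubjectUserName": "-", "SubjectDomainName": "-", "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "PasswordLastSet": "-"}
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "TargetDomainName": "EXAMPLE", "PasswordLastSet": "9/17/2020 4:42:00 PM"}
{"EventID": 4742, "Computer": "DC01.example.local", "SubjectUserName": "DC01$", "SubjectDomainName": "EXAMPLE", "TargetUserName": "DC01$", "TargetDomainName": "EXAMPLE", "PasswordLastSet": "9/17/2020 3:00:00 PM"}
"""


@dataclass(frozen=True)
class Finding:
    host: str               # log source (the DC) that recorded the event
    target: str             # computer account that was modified
    password_changed: bool  # True when PasswordLastSet is not "-" (i.e. it changed)


def is_anonymous_computer_change(event: dict) -> bool:
    """The rule condition: event ID 4742 and subject == ANONYMOUS LOGON.

    In a 4742 event the Subject fields identify who performed the change, so
    a legitimate machine password rotation shows the computer account itself
    (e.g. DC01$) as the subject, not ANONYMOUS LOGON."""
    if event.get("EventID") != 4742:
        return False
    subject = str(event.get("SubjectUserName", "")).strip().upper()
    return subject == "ANONYMOUS LOGON"


def detect(lines: Iterable[str]) -> List[Finding]:
    """Run the rule over JSON-lines input; malformed lines are skipped so one
    bad record does not abort the whole scan."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if is_anonymous_computer_change(event):
            findings.append(Finding(
                host=str(event.get("Computer", "?")),
                target=str(event.get("TargetUserName", "?")),
                password_changed=event.get("PasswordLastSet", "-") != "-",
            ))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG_LINES.splitlines()):
        print(f"ALERT on {f.host}: computer account {f.target} changed by "
              f"ANONYMOUS LOGON (password reset: {f.password_changed})")
```

Only the third sample line fires; the fourth shows why the subject check matters, since the domain controller changing its own computer account password is normal and must not raise an offense.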

Figure: QRadar event (Windows event ID 4742) used to detect Zerologon exploitation


Security administrators need to make sure that the above Windows event ID 4742 is actually being audited on the domain controllers (it belongs to the Audit Computer Account Management subcategory); without that audit setting the rule has nothing to match.


Figure: auditing Computer Account changes

