Microsoft recently released a patch for a critical remote vulnerability in the Netlogon protocol, known as Zerologon (CVE-2020-1472), that can be used to fully compromise a domain controller without any valid user account, privileged or otherwise.
The attacker only needs network access to the domain controller's Netlogon RPC interface.
The exploit works by repeatedly attempting Netlogon authentication with the client challenge and credential fields filled with zeroes; because of a flaw in how Netlogon uses AES-CFB8, one of these attempts succeeds after about 256 tries on average, and the attacker can then call the Netlogon password-change function to set the domain controller's computer account password to an empty value.
Security analysts therefore need to look for computer account changes performed by the ANONYMOUS LOGON user.
QRadar Rule to detect the Zerologon Exploitation
The rule is simple and straightforward:
The detection is based on Windows Security event ID 4742 (A computer account was changed). In a Zerologon password reset, the subject of the 4742 event is NT AUTHORITY\ANONYMOUS LOGON (SID S-1-5-7), the target account is the domain controller's own computer account (the name ends in $), and the Password Last Set attribute is the field that changed. The rule therefore fires on event ID 4742 where the subject username equals ANONYMOUS LOGON; restricting the target account to the known domain controller computer accounts (for example via a reference set) turns the match into a high-confidence Zerologon indicator rather than a generic anomaly.
Security administrators need to make sure that event ID 4742 is actually being generated and forwarded: it belongs to the Advanced Audit Policy subcategory Account Management > Audit Computer Account Management, which must be enabled for Success on every domain controller. It can be verified locally with auditpol /get /subcategory:"Computer Account Management".
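The following is an added example (not from the original post or from QRadar) that applies the same detection logic offline to Windows Security events in their XML form. The three events are constructed samples; the host name DC01, domain CORP and SIDs are made up. It flags any 4742 whose subject is ANONYMOUS LOGON, and escalates the verdict when the target is one of the domain controller computer accounts supplied by the caller, which is the refinement suggested above; the 4624 ANONYMOUS LOGON network logon is included to show it is deliberately ignored.

```python
import xml.etree.ElementTree as ET

# Windows event XML namespace and the well-known SID of NT AUTHORITY\ANONYMOUS LOGON
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ANONYMOUS_LOGON_SID = "S-1-5-7"

# Constructed sample events (not real logs); names, SIDs and timestamps are invented.
SAMPLE_EVENTS = [
    # Zerologon-style reset: ANONYMOUS LOGON changes the DC's own computer account
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4742</EventID><Computer>DC01.corp.example</Computer></System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-7</Data>
        <Data Name="SubjectUserName">ANONYMOUS LOGON</Data>
        <Data Name="SubjectDomainName">NT AUTHORITY</Data>
        <Data Name="TargetUserName">DC01$</Data>
        <Data Name="TargetDomainName">CORP</Data>
        <Data Name="PasswordLastSet">9/20/2020 10:15:03 AM</Data>
      </EventData></Event>""",
    # Routine computer account change by an administrator: not an indicator
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4742</EventID><Computer>DC01.corp.example</Computer></System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-5-21-1111-2222-3333-500</Data>
        <Data Name="SubjectUserName">Administrator</Data>
        <Data Name="SubjectDomainName">CORP</Data>
        <Data Name="TargetUserName">WS042$</Data>
        <Data Name="TargetDomainName">CORP</Data>
        <Data Name="PasswordLastSet">-</Data>
      </EventData></Event>""",
    # ANONYMOUS LOGON network logon (4624): common and benign on its own, not a 4742
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System><EventID>4624</EventID><Computer>DC01.corp.example</Computer></System>
      <EventData>
        <Data Name="TargetUserSid">S-1-5-7</Data>
        <Data Name="TargetUserName">ANONYMOUS LOGON</Data>
        <Data Name="LogonType">3</Data>
      </EventData></Event>""",
]


def parse_event(xml_text):
    """Flatten one Windows event XML document into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    event = {
        "EventID": int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS)),
        "Computer": root.findtext("e:System/e:Computer", namespaces=EVENT_NS),
    }
    for data in root.findall("e:EventData/e:Data", EVENT_NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def is_anonymous_subject(event):
    """Match on the SID first (stable), fall back to the display name."""
    return (event.get("SubjectUserSid") == ANONYMOUS_LOGON_SID
            or event.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON")


def classify(event, dc_accounts=frozenset()):
    """Return None, 'computer-account-change-by-anonymous', or 'zerologon-dc-reset'.

    dc_accounts is the caller's list of domain controller computer account names
    (e.g. {"DC01$"}); it is an assumption of this example, not a Windows field.
    """
    if event.get("EventID") != 4742 or not is_anonymous_subject(event):
        return None
    target = event.get("TargetUserName", "")
    if not target.endswith("$"):
        return None  # 4742 always targets a computer account; be explicit anyway
    if target.upper() in {name.upper() for name in dc_accounts}:
        return "zerologon-dc-reset"
    return "computer-account-change-by-anonymous"


def hunt(xml_events, dc_accounts=frozenset()):
    """Run the rule over a batch of events and return (verdict, host, target, password_last_set)."""
    findings = []
    for xml_text in xml_events:
        event = parse_event(xml_text)
        verdict = classify(event, dc_accounts)
        if verdict:
            findings.append((verdict, event["Computer"],
                             event.get("TargetUserName"), event.get("PasswordLastSet")))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, dc_accounts={"DC01$"}):
        print(finding)
```

Without a domain controller list the same event still fires, but as the weaker computer-account-change verdict; in QRadar that difference is the rule test that compares the target username against a reference set of DC accounts.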