
Network Threat Hunting for Zerologon Exploits (CVE-2020-1472)

Summary

On September 11th, 2020, researchers from Secura released a security advisory that shed light on a vulnerability patched by Microsoft in August 2020 (CVE-2020-1472). The vulnerability affects a key component of Windows networks, Active Directory: the service that stores and manages user accounts, computers, services and groups, along with their associated credential information. It can be exploited against a domain controller to achieve privilege escalation (MITRE: TA0004, T1078.002) using NetLogon Remote Protocol DCERPC requests. If successful, the attacker gains full control of the vulnerable machine as domain administrator and can use it to compromise the entire network. It is no surprise, then, that this bug received the highest possible severity rating of 10. Since the disclosure, several attack modules that leverage this vulnerability have been released for popular red-teaming tools such as Mimikatz. This post describes how security operations teams can use network threat hunting to identify attempts to exploit it.

Technical Analysis

Microsoft released a patch for this vulnerability in August 2020 without much detail. Researchers at Dutch cybersecurity company Secura dug into the affected Windows component, Netlogon, and identified a few serious cryptographic holes in the unpatched version. They detailed their findings and how to exploit the vulnerability in their report.

NETLOGON

Netlogon Remote Protocol (MS-NRPC) is an RPC interface used for user and machine authentication on domain-based networks. Its common use cases include replicating the user account database and managing and maintaining the trust relationships between domain members and domain controllers, and among domain controllers within a single domain or across multiple domains.

An overview of the NETLOGON implementation architecture, its authentication protocol and its client-server relationship is provided in Microsoft's documentation. In addition, for an explanation of the protocol and its encryption mechanism in the context of CVE-2020-1472, we recommend reading the detailed technical analysis published by Sophos.

CVE-2020-1472 As Seen from the Network

From a network threat hunting and detection perspective, there are a number of key traffic details that can help blue teams detect attempts to exploit this vulnerability.

First, the attacker binds to the NETLOGON interface over DCERPC and then sends specially crafted NetrServerReqChallenge, NetrServerAuthenticate3 and NetrServerPasswordSet2 requests. These calls carry specific opnums such as 2, 26 and 30, and the sequence ultimately sets the domain controller password to NULL.

Figure 1 below demonstrates the initial NETLOGON DCERPC BIND (Indicator #1) request before initiating further crafted DCERPC calls.

Figure 1: DCERPC BIND to NETLOGON Interface

Then, upon a successful bind, the attacker attempts to brute-force the authentication (Indicator #3) by sending 8 NULL bytes (Indicator #4) as the challenge to the victim server, in this case the domain controller (DC). The DC returns the status code STATUS_ACCESS_DENIED (Indicator #5), as seen in Figure 2.

Figure 2: NetrServerAuthenticate3 Request

This request is repeated several times (on average about 256 times) before the DC returns a success code (Indicator #7), indicating that the authentication attempt has succeeded, as seen in Figure 3.

Figure 3: Successful authentication response (from DC)

As a final step, the attacker attempts to reset (Indicator #8) the domain controller password to NULL (Indicator #9), as illustrated in Figure 4.

Figure 4: Attempt to set DC password as NULL
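The indicator sequence above (a burst of NetrServerAuthenticate3 calls from one client to one DC, then a NetrServerPasswordSet2 from the same client) can be turned into a simple hunting rule over DCE/RPC call records. The following is an added example, not code from the original post or from Awake; the log lines are constructed sample data whose column layout (timestamp, client, DC, endpoint, operation) is an assumption loosely modelled on Zeek's dce_rpc.log, and the threshold and window values are tunable assumptions.

```python
"""Hunt for the Zerologon call pattern in tab-separated DCE/RPC call records."""
from collections import defaultdict

AUTH_THRESHOLD = 50    # assumed: a legitimate member never retries this often
WINDOW_SECONDS = 120   # assumed: the burst (~256 tries on average) fits in 2 min


def parse_line(line):
    """Split one record: ts, client, dc, endpoint, operation (constructed layout)."""
    ts, client, dc, endpoint, op = line.rstrip("\n").split("\t")
    return float(ts), client, dc, endpoint, op


def detect_zerologon(lines, threshold=AUTH_THRESHOLD, window=WINDOW_SECONDS):
    """Return (client, dc, auth3_count, password_reset_seen) per suspicious pair."""
    auth_ts = defaultdict(list)   # (client, dc) -> NetrServerAuthenticate3 timestamps
    reset_seen = set()            # pairs that issued NetrServerPasswordSet2 after a burst
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, dc, endpoint, op = parse_line(line)
        if endpoint.lower() != "netlogon":
            continue
        key = (client, dc)
        if op == "NetrServerAuthenticate3":
            stamps = auth_ts[key]
            stamps.append(ts)
            while stamps and ts - stamps[0] > window:   # sliding window
                stamps.pop(0)
        elif op == "NetrServerPasswordSet2" and len(auth_ts[key]) >= threshold:
            reset_seen.add(key)   # password reset right after a brute-force burst
    return [(c, d, len(s), (c, d) in reset_seen)
            for (c, d), s in auth_ts.items() if len(s) >= threshold]


def build_sample():
    """Constructed sample: one normal member host, one host exploiting the DC."""
    lines = ["1600000000.00\t10.0.0.7\t10.0.0.1\tnetlogon\tNetrServerReqChallenge",
             "1600000000.05\t10.0.0.7\t10.0.0.1\tnetlogon\tNetrServerAuthenticate3"]
    t = 1600000010.0
    for _ in range(300):   # challenge/authenticate pairs repeated until success
        lines.append(f"{t:.2f}\t10.0.0.5\t10.0.0.1\tnetlogon\tNetrServerReqChallenge")
        lines.append(f"{t:.2f}\t10.0.0.5\t10.0.0.1\tnetlogon\tNetrServerAuthenticate3")
        t += 0.05
    lines.append(f"{t:.2f}\t10.0.0.5\t10.0.0.1\tnetlogon\tNetrServerPasswordSet2")
    return lines


if __name__ == "__main__":
    for alert in detect_zerologon(build_sample()):
        print("possible CVE-2020-1472 attempt:", alert)
```

A single NetrServerPasswordSet2 on its own is normal machine-account password rotation; it is the preceding burst of NetrServerAuthenticate3 calls from the same client that makes the pair worth escalating.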

Detecting CVE-2020-1472 in the Awake Security Platform

Awake identifies CVE-2020-1472 exploitation attempts by correlating and detecting the pattern of NETLOGON Interface BIND requests and DCERPC calls (NetrServerAuthenticate3 requests) mentioned above.

When the Awake platform identifies such exploit behavior on the network (similar to MITRE ATT&CK ID: T1110, TA0008), it creates a graphical visualization of the attack Situation, as shown in Figure 5 below, demonstrating that a Windows device accessed the organization's domain controller and attempted to exploit the CVE-2020-1472 NETLOGON vulnerability. This Situation also correlates other activities based on the MITRE ATT&CK framework, including any lateral movement, data exfiltration and command and control.

Figure 5: Awake Situation for ZeroLogon Attack

Remediation

It is highly recommended that Microsoft's August 2020 security updates be applied as soon as possible. In addition, ensure that Domain Controllers are set to enforcement mode by default, as recommended by Microsoft. The August security update also addresses the vulnerability by enforcing secure RPC when using the Netlogon secure channel. For full Active Directory forest protection, all Domain Controllers, including read-only Domain Controllers, must be updated to enforce secure RPC with the Netlogon secure channel.

By Sujit Ghosal and Ashish Gahlot