Network Threat Hunting for Zerologon Exploits (CVE-2020-1472)
On September 11th, 2020, researchers from Secura released a security advisory that shed light on a vulnerability Microsoft had patched in August 2020 (CVE-2020-1472). This vulnerability impacts a key component of Windows networks: Active Directory, the service that stores and manages user accounts, computers, services and groups, along with the credential information associated with them. It can be exploited against a domain controller to achieve privilege escalation (MITRE: TA0004, T1078.002) using Netlogon Remote Protocol DCERPC requests. If successful, the attacker gains full control of the vulnerable domain controller as a domain administrator and can use it for complete network compromise. It is no surprise then that this bug received the highest possible CVSS severity rating of 10.0. Since the disclosure, several attack modules have been released for popular red-teaming tools such as Mimikatz that leverage this vulnerability. This post describes how security operations teams can use network threat hunting to identify attempts to exploit the vulnerability.
Microsoft released a patch for this vulnerability in August 2020 without much detail. Researchers at Dutch cybersecurity company Secura dug into the affected Windows component, Netlogon, and identified a few serious cryptographic holes in the unpatched version. They detailed their findings and how to exploit the vulnerability in their report.
Netlogon Remote Protocol (MS-NRPC) is an RPC interface used for user and machine authentication on domain-based networks. Its common use-cases include replicating the user account database between domain controllers, and establishing and maintaining the secure channel relationships between domain members and domain controllers, and between domain controllers within a single domain or across multiple domains.
An overview and details of the NETLOGON implementation architecture, its authentication protocol, client-server relationship etc. is provided in Microsoft documentation. In addition, for an explanation of the protocol and its encryption mechanism in the context of the CVE-2020-1472 vulnerability, we recommend reading the detailed technical analysis published by Sophos.
CVE-2020-1472 As Seen from the Network
From a network threat hunting and detection perspective, there are a number of key traffic details that can help blue-teams detect attempts to exploit this vulnerability.
Firstly, the exploit binds to the NETLOGON DCERPC interface and then issues three specially crafted MS-NRPC calls: NetrServerReqChallenge (opnum 4), NetrServerAuthenticate3 (opnum 26) and NetrServerPasswordSet2 (opnum 30). The first two establish a Netlogon secure channel using an all-zero client challenge and client credential; the third uses that channel to set the domain controller's machine account password to NULL, that is, an empty password.
Figure 1 below demonstrates the initial NETLOGON DCERPC BIND (Indicator #1) request before initiating further crafted DCERPC calls.
Figure 1: DCERPC BIND to NETLOGON Interface
Then, upon successful bind, the attacker tries to brute-force the authentication (Indicator #3): the client challenge sent in NetrServerReqChallenge and the client credential sent in NetrServerAuthenticate3 are both 8 NULL bytes (Indicator #4), addressed to the victim server, the domain controller (DC) in this case. For most session keys the DC rejects the credential and returns the status code STATUS_ACCESS_DENIED (Indicator #5), as seen in Figure 2.
Figure 2: NetrServerAuthenticate3 Request
This request is repeated several times (on average 256 times) before the DC returns a success code (Indicator #7) indicating that the authentication attempt has succeeded, as seen in Figure 3. The retry count follows from the flaw itself: the unpatched ComputeNetlogonCredential applies AES-CFB8 with an all-zero IV, so an all-zero input encrypts to an all-zero credential for roughly 1 in 256 session keys, and because the DC issues a fresh random server challenge on every NetrServerReqChallenge, each attempt is made under a new session key.
Figure 3: Successful authentication response (from DC)
As a final step, the attacker uses the newly established secure channel to reset (Indicator #8) the domain controller's machine account password to NULL, an empty password (Indicator #9), as illustrated in Figure 4.
Figure 4: Attempt to set DC password as NULL
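The exchange shown in Figures 1 to 4, turned into detection logic as an added example. This is not code from the original post and not the Awake platform's own detector. It builds a constructed client-to-DC conversation in DCERPC wire format (bind, rejected and then accepted NetrServerAuthenticate3 handshakes, NetrServerPasswordSet2) and walks it looking for the indicators above. Assumptions beyond the post: the MS-NRPC interface UUID, the opnums and stub layouts are taken from MS-NRPC and MS-RPCE; the 0x212fffff negotiate flags and the all-zero 516-byte NL_TRUST_PASSWORD are what the public proof-of-concept sends; the check on the 0x40000000 sign/seal negotiate flag is a secondary signal; function names such as hunt and the thresholds are ours.

```python
"""Network-side detector for the Zerologon (CVE-2020-1472) exploit sequence.

Added example: not the Awake platform's detector and not code from the post.
Parses single-fragment DCERPC v5 PDUs (little-endian data representation) and
scores the indicators described above. Offsets follow MS-RPCE and MS-NRPC; the
sample conversation at the bottom is constructed, not captured from a real DC.
"""
import struct
import uuid

NETLOGON_UUID = uuid.UUID("12345678-1234-abcd-ef00-01234567cffb")  # MS-NRPC interface
NDR_UUID = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")       # NDR transfer syntax
PTYPE_REQUEST, PTYPE_RESPONSE, PTYPE_BIND, PTYPE_BIND_ACK = 0, 2, 11, 12
OP_REQ_CHALLENGE, OP_AUTHENTICATE3, OP_PASSWORD_SET2 = 4, 26, 30
STATUS_SUCCESS, STATUS_ACCESS_DENIED = 0x00000000, 0xC0000022
NEG_AUTHENTICATED_RPC = 0x40000000  # sign/seal negotiate flag; the public PoC leaves it clear


def parse_pdu(raw):
    """Extract the DCERPC header fields and stub the detector needs from one PDU."""
    vers, _, ptype, _, _, frag_len, _, call_id = struct.unpack_from("<BBBB4sHHI", raw)
    if vers != 5 or frag_len != len(raw):
        raise ValueError("malformed or multi-fragment PDU")
    body, pdu = raw[16:], {"ptype": ptype, "call_id": call_id}
    if ptype == PTYPE_REQUEST:     # alloc_hint(4) ctx_id(2) opnum(2) stub
        pdu["opnum"], pdu["stub"] = struct.unpack_from("<H", body, 6)[0], body[8:]
    elif ptype == PTYPE_RESPONSE:  # alloc_hint(4) ctx_id(2) cancel_count(1) pad(1) stub; NTSTATUS is last
        pdu["stub"], pdu["status"] = body[8:], struct.unpack_from("<I", body, len(body) - 4)[0]
    elif ptype == PTYPE_BIND:      # abstract syntax UUID of the first presentation context
        pdu["abstract_syntax"] = uuid.UUID(bytes_le=body[16:32])
    return pdu


def hunt(pdus, burst_threshold=10):
    """Walk one client<->DC conversation in order and score the Zerologon indicators."""
    pending = {}  # call_id -> (opnum, request carried an all-zero ClientCredential)
    ind = dict(netlogon_bind=False, zero_cred_auth3=0, access_denied=0, auth3_success=False,
               empty_password_set=False, secure_rpc_cleared=False)
    for raw in pdus:
        p = parse_pdu(raw)
        if p["ptype"] == PTYPE_BIND:
            ind["netlogon_bind"] |= p["abstract_syntax"] == NETLOGON_UUID
        elif p["ptype"] == PTYPE_REQUEST:
            stub, zero = p["stub"], False
            if p["opnum"] == OP_AUTHENTICATE3 and len(stub) >= 12:
                zero = stub[-12:-4] == bytes(8)  # ClientCredential(8) sits just before NegotiateFlags(4)
                ind["zero_cred_auth3"] += zero
                ind["secure_rpc_cleared"] |= zero and not struct.unpack("<I", stub[-4:])[0] & NEG_AUTHENTICATED_RPC
            elif p["opnum"] == OP_PASSWORD_SET2 and len(stub) >= 516:
                ind["empty_password_set"] |= stub[-516:] == bytes(516)  # NL_TRUST_PASSWORD: Buffer(512)+Length(4)
            pending[p["call_id"]] = (p["opnum"], zero)
        elif p["ptype"] == PTYPE_RESPONSE:
            opnum, zero = pending.pop(p["call_id"], (None, False))
            if opnum == OP_AUTHENTICATE3 and zero:
                ind["access_denied"] += p["status"] == STATUS_ACCESS_DENIED
                ind["auth3_success"] |= p["status"] == STATUS_SUCCESS
    ind["attempt"] = ind["netlogon_bind"] and ind["zero_cred_auth3"] >= burst_threshold
    ind["compromise"] = ind["auth3_success"] and ind["empty_password_set"]
    return ind


# ---- constructed sample conversation (built here, not captured) -------------------------
def _pdu(ptype, call_id, body):
    hdr = struct.pack("<BBBB4sHHI", 5, 0, ptype, 0x03, b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return hdr + body


def _wstr(s, unique=False):
    """NDR null-terminated conformant/varying UTF-16LE string, optionally behind a unique pointer."""
    data = (s + "\x00").encode("utf-16-le")
    n = len(data) // 2
    out = (struct.pack("<I", 0x20000) if unique else b"") + struct.pack("<III", n, 0, n) + data
    return out + bytes(-len(out) % 4)


def constructed_exploit_conversation(denied=12, cred=bytes(8), new_password=bytes(516),
                                      dc="\\\\DC01", account="DC01$", computer="DC01"):
    """Bind, `denied` rejected handshakes, one accepted handshake, then a password set."""
    req = lambda cid, op, stub: _pdu(PTYPE_REQUEST, cid, struct.pack("<IHH", len(stub), 0, op) + stub)
    rsp = lambda cid, stub: _pdu(PTYPE_RESPONSE, cid, struct.pack("<IHBB", len(stub), 0, 0, 0) + stub)
    bind = (struct.pack("<HHIBBHHBB", 4280, 4280, 0, 1, 0, 0, 0, 1, 0)
            + NETLOGON_UUID.bytes_le + struct.pack("<I", 1) + NDR_UUID.bytes_le + struct.pack("<I", 2))
    pdus, cid = [_pdu(PTYPE_BIND, 1, bind), _pdu(PTYPE_BIND_ACK, 1, b"")], 2  # bind_ack body not needed
    for attempt in range(denied + 1):
        status = STATUS_SUCCESS if attempt == denied else STATUS_ACCESS_DENIED
        pdus += [req(cid, OP_REQ_CHALLENGE, _wstr(dc, True) + _wstr(computer) + cred),
                 rsp(cid, bytes(range(1, 9)) + struct.pack("<I", STATUS_SUCCESS)),  # ServerChallenge, NTSTATUS
                 req(cid + 1, OP_AUTHENTICATE3, _wstr(dc, True) + _wstr(account) + struct.pack("<I", 6)
                     + _wstr(computer) + cred + struct.pack("<I", 0x212FFFFF)),   # 6 = ServerSecureChannel
                 rsp(cid + 1, bytes(8) + struct.pack("<III", 0x212FFFFF, 1000, status))]  # cred, flags, RID, status
        cid += 2
    pdus += [req(cid, OP_PASSWORD_SET2, _wstr(dc, True) + _wstr(account) + struct.pack("<I", 6)
                 + _wstr(computer) + bytes(12) + new_password),                  # zero Authenticator + password
             rsp(cid, bytes(12) + struct.pack("<I", STATUS_SUCCESS))]
    return pdus


if __name__ == "__main__":
    for key, value in hunt(constructed_exploit_conversation()).items():
        print(f"{key:>20}: {value}")
```

Two levels are reported on purpose: `attempt` fires on the bind plus a burst of all-zero-credential NetrServerAuthenticate3 requests, which is visible even when the DC is patched and every attempt is denied, while `compromise` requires the accepted handshake followed by the all-zero password set. Real traffic can carry Netlogon over the SMB named pipe as well as directly over TCP, and large requests are fragmented, so a production detector would reassemble fragments and key its state per client/DC pair rather than per PDU list.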
Detecting CVE-2020-1472 in the Awake Security Platform
Awake identifies CVE-2020-1472 exploitation attempts by correlating and detecting the pattern of NETLOGON Interface BIND requests and DCERPC calls (NetrServerAuthenticate3 requests) mentioned above.
When the Awake platform identifies such exploit behavior on the network (mapped to MITRE ATT&CK ID: T1110, TA0008), it creates a graphical visualization of the attack Situation, as shown in Figure 5 below, showing that a Windows device accessed the organization's domain controller and attempted to exploit the CVE-2020-1472 NETLOGON vulnerability. This Situation also correlates other activity mapped to the MITRE ATT&CK framework, including any lateral movement, data exfiltration and command and control.
Figure 5: Awake Situation for ZeroLogon Attack
It is highly recommended that Microsoft's August 2020 security updates be applied as soon as possible. The August update addresses the vulnerability by enforcing secure RPC (signing and sealing) on the Netlogon secure channel for Windows devices, and adds an enforcement mode, controlled by the FullSecureChannelProtection registry value under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, which extends that enforcement to every device; Microsoft recommends enabling it now and has scheduled enforcement to become the default with its February 2021 update. Until enforcement mode is on, patched Domain Controllers log event IDs 5827 and 5828 for denied vulnerable Netlogon connections and 5829 for vulnerable connections they still allowed, which makes those events a useful host-side complement to the network indicators above. For full Active Directory forest protection, all Domain Controllers, including read-only Domain Controllers, must be updated to enforce secure RPC with the Netlogon secure channel.
By Sujit Ghosal and Ashish Gahlot
Sr. Threat Researcher