What is ZeroLogon? How to Detect and Patch

TL;DR

What is ZeroLogon? In Layman’s Terms

ZeroLogon is the name given to CVE-2020-1472, a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) that Windows domain controllers use to authenticate computer accounts. Because the protocol uses AES-CFB8 with a fixed, all-zero initialization vector, an unauthenticated attacker who can reach a domain controller over the network can impersonate any computer in the domain, including the domain controller itself, and from there take over the domain. In layman's terms: it makes it easy for a cybercriminal with network access to your domain controller to hack your environment by pretending to be any computer.

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated, in Emergency Directive 20-04, that civilian federal agencies patch their domain controllers as soon as possible, and it recommends that all other organizations do the same.

ZeroLogon activity can be detected with existing AI Engine rules from the MITRE ATT&CK Module, listed in detail below in the section titled “AI Engine Vendor Message ID (Event IDs) and Log Source Types.” The ZeroLogon proof-of-concept exploit test was performed in a test Windows domain consisting of a Windows 10 system (attacker) and a Windows Server 2019 domain controller (victim), using Mimikatz by Benjamin Delpy (gentilkiwi). Based on the latest reports from Microsoft Security Intelligence, the attacker and the victim can also be the same system, i.e., the exploit run directly on the domain controller.

How LogRhythm NextGen SIEM Platform Detects ZeroLogon

There’s already a lot of information regarding what CVE-2020-1472 (AKA “ZeroLogon”) is, proof of concept (POC) exploit code, and general detections for pre- and post-patch Windows servers. This blog will not go into the depths of ZeroLogon, but it provides references for further reading if you are so inclined. Instead, we focus on how the LogRhythm NextGen SIEM Platform detects ZeroLogon with out-of-the-box content, as well as custom content that will be making its way to the LogRhythm Knowledge Base (KB) soon. We also show how you can proactively use WebUI Dashboards in your threat hunt for ZeroLogon.

MITRE ATT&CK Detection Details: Attacker AI Engine Events

For more information on the MITRE ATT&CK Module, how AI Engine rules are configured, what log sources are required, and how they are configured, view the section titled “LogRhythm MITRE ATT&CK References” below.

AI Engine: Credential Access : Credential Dumping | MITRE ATT&CK Module | MITRE ATT&CK ID: T1003 OS Credential Dumping

Figure 1. AI Engine: Credential Access : Credential Dumping | MITRE ATT&CK Module | MITRE ATT&CK ID: T1003 OS Credential Dumping. Relevant log data is shown in the picture.

Detection Guidance

There should be very low to no false positives associated with this AI Engine event. The VMIDs listed under the “AI Engine Vendor Message ID (Event IDs) and Log Source Types” section are the ones this rule keys on, so those log sources must be collected for the rule to work properly. Please refer to the MITRE ATT&CK Deployment Guide and User Guide for logging requirements and configuration.

You can quickly verify this event by looking at the process name or command line. An event such as Microsoft Sysmon Event ID 1, which also carries the process hash, makes it trivial to check whether the binary is known by searching for the hash on public malware-analysis services such as VirusTotal.

In our test, a few AI Engine events were triggered only through Microsoft Sysmon Vendor Message ID 10 (ProcessAccess). Read more about Event ID 10 in Microsoft’s Sysmon documentation. Note that LogRhythm’s supplied MS Sysmon configuration was modified so that Event ID 10 would log; the cost is additional event volume, since every process that opens a handle to another process is evaluated. This is how the MS Sysmon config was changed:

            <!--SYSMON EVENT ID 10 : INTER-PROCESS ACCESS [ProcessAccess]-->
                        <!--EVENT 10: "Process accessed"-->
                        <!--COMMENT: Can cause high system load, disabled by default.-->
                        <!--COMMENT: Monitor for processes accessing other process' memory.-->
                        <!--DATA: UtcTime, SourceProcessGuid, SourceProcessId, SourceThreadId, SourceImage, TargetProcessGuid, TargetProcessId, TargetImage, GrantedAccess, CallTrace-->
            <RuleGroup name="" groupRelation="or">
                        <ProcessAccess onmatch="exclude">
                                    <SourceImage condition="end with">LogRhythm System Monitor\scsm.exe</SourceImage> <!--LogRhythm Labs exclude LogRhythm Sysmon-->
                                    <SourceImage condition="end with">AppData\Local\Temp\PROCEXP64.exe</SourceImage> <!--LogRhythm Labs exclude Sysinternals Process Explorer-->
                        </ProcessAccess>
            </RuleGroup>
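As an added example (not LogRhythm’s code or part of the original post), the following Python applies the exclusion list from the fragment above to a handful of constructed Sysmon Event ID 10 records and flags the LSASS access pattern associated with credential dumping. The <Sysmon>/<EventFiltering> wrapper, the sample events, and the 0x1010/0x1410 access masks (taken from the Splunk research cited further down this page) are assumptions made for the demonstration.

```python
"""Added example (not LogRhythm's code): apply the Sysmon ProcessAccess
exclusion list above to sample Event ID 10 records and flag LSASS access
with the GrantedAccess masks typical of credential dumping."""
import xml.etree.ElementTree as ET

# The ProcessAccess rule group from the modified Sysmon config above.
# Sysmon expects it inside <Sysmon><EventFiltering>; that wrapper is added
# here only so the fragment parses stand-alone (schemaversion omitted).
SYSMON_FRAGMENT = r"""
<Sysmon>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessAccess onmatch="exclude">
        <SourceImage condition="end with">LogRhythm System Monitor\scsm.exe</SourceImage>
        <SourceImage condition="end with">AppData\Local\Temp\PROCEXP64.exe</SourceImage>
      </ProcessAccess>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""

# GrantedAccess masks seen when tools read LSASS memory (the values the
# Splunk research cited later on this page keys on). Assumption for the demo.
SUSPICIOUS_LSASS_ACCESS = {0x1010, 0x1410}


def load_exclusions(xml_text):
    """Return (field, condition, pattern) tuples from every
    <ProcessAccess onmatch="exclude"> rule in the config."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for rule in root.iter("ProcessAccess"):
        if rule.get("onmatch") != "exclude":
            continue
        for field in rule:
            rules.append((field.tag, field.get("condition", "is"), field.text or ""))
    return rules


def _matches(value, condition, pattern):
    """Sysmon string conditions are case-insensitive."""
    value, pattern = value.lower(), pattern.lower()
    if condition == "is":
        return value == pattern
    if condition == "contains":
        return pattern in value
    if condition == "begin with":
        return value.startswith(pattern)
    if condition == "end with":
        return value.endswith(pattern)
    raise ValueError(f"condition not handled in this example: {condition}")


def would_log(event, exclusions):
    """True if Sysmon would emit this Event ID 10 record, i.e. no exclude
    rule matched. With groupRelation="or" any single match suppresses it."""
    return not any(_matches(event.get(field, ""), cond, pat)
                   for field, cond, pat in exclusions)


def is_lsass_dump_attempt(event):
    """A process opening lsass.exe with a memory-read access mask."""
    target = event["TargetImage"].rsplit("\\", 1)[-1].lower()
    return target == "lsass.exe" and int(event["GrantedAccess"], 16) in SUSPICIOUS_LSASS_ACCESS


# Constructed sample records; field names follow the Sysmon Event ID 10 schema.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\attacker\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"SourceImage": r"C:\Program Files\LogRhythm\LogRhythm System Monitor\scsm.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # A dumper renamed and dropped so that it matches the Process Explorer exclusion.
    {"SourceImage": r"C:\Users\attacker\AppData\Local\Temp\PROCEXP64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def triage(events, xml_text=SYSMON_FRAGMENT):
    """Source images Sysmon would report and that look like LSASS dumping."""
    exclusions = load_exclusions(xml_text)
    return [e["SourceImage"] for e in events
            if would_log(e, exclusions) and is_lsass_dump_attempt(e)]


def blind_spots(events, xml_text=SYSMON_FRAGMENT):
    """LSASS dump attempts the exclusion list would hide from the SIEM."""
    exclusions = load_exclusions(xml_text)
    return [e["SourceImage"] for e in events
            if is_lsass_dump_attempt(e) and not would_log(e, exclusions)]


if __name__ == "__main__":
    print("flagged:", triage(SAMPLE_EVENTS))
    print("hidden by exclusions:", blind_spots(SAMPLE_EVENTS))
```

The blind_spots function is the check a practitioner wants on this configuration: an “end with” exclusion on a path under the user’s AppData\Local\Temp is attacker-controllable, so a dumper dropped there under the name PROCEXP64.exe never produces an Event ID 10 at all. Scope such an exclusion to the expected TargetImage or GrantedAccess as well, or keep Sysmon logging everything and suppress the known-good pair in the SIEM instead.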

AI Engine: Discovery : Remote System Discovery | MITRE ATT&CK Module | MITRE ATT&CK ID: T1018 Remote System Discovery

Figure 2. AI Engine: Discovery : Remote System Discovery | MITRE ATT&CK Module | MITRE ATT&CK ID: T1018 Remote System Discovery. Relevant log data is shown in the picture.

Detection Guidance

There should be very low to no false positives associated with this AI Engine event. The VMIDs listed under the “AI Engine Vendor Message ID (Event IDs) and Log Source Types” section are the ones this rule keys on, so those log sources must be collected for the rule to work properly. Please refer to the MITRE ATT&CK Deployment Guide and User Guide for logging requirements and configuration.

This event alone is not enough to indicate the presence of ZeroLogon, but together with the other events it indicates that lateral movement is likely. Investigate the Common Event “Process/Service Started” for a parent process that is a shell, or another suspicious or unknown process, to determine whether the AI Engine event is a normal or benign observation or a malicious one.

The command line in the example above will likely reveal what system was targeted.

Microsoft Sysmon vendor message ID 10 is also a useful source for this AI Engine event. Note that, as mentioned previously, the Microsoft Sysmon config was modified so that this activity is logged. Look for suspicious parent/child process pairs.

Windows Security vendor message ID 4663 (an attempt was made to access an object) provides indirect evidence that a process ran, by recording the creation of that process’s file in the Windows Prefetch directory, for example C:\Windows\Prefetch\PING.EXE-4A8A6853.pf. Note that you will need to configure a Windows object access audit policy and a SACL on this directory (or audit all file creations) for these events to be generated.

AI Engine: Lateral Movement : Pass the Hash | MITRE ATT&CK Module | MITRE ATT&CK ID: T1550.002 Use Alternate Authentication Material: Pass the Hash

Figure 3. AI Engine: Lateral Movement : Pass the Hash | MITRE ATT&CK Module | MITRE ATT&CK ID: T1550.002 Use Alternate Authentication Material: Pass the Hash. Relevant log data is shown in the picture.

There should be very low to no false positives associated with this AI Engine event. The VMIDs listed under the “AI Engine Vendor Message ID (Event IDs) and Log Source Types” section are the ones this rule keys on, so those log sources must be collected for the rule to work properly. Please refer to the MITRE ATT&CK Deployment Guide and User Guide for logging requirements and configuration.

This event triggers when the “Pass the Hash” technique is used. Microsoft Security vendor message ID 4624 with logon type 9 (NewCredentials) is the classic indicator of Pass the Hash performed with Mimikatz (sekurlsa::pth) or other credential-theft and replay tools: the tool starts a new logon session that keeps the caller’s local token but presents the stolen hash for outbound network authentication. Legitimate use of runas /netonly produces the same logon type, so check the logon process and the parent process before escalating.

MITRE ATT&CK Detection Details: Victim AI Engine Events

AI Engine: Lateral Movement : Windows Admin Shares | MITRE ATT&CK Module | MITRE ATT&CK ID: T1021.002 Remote Services: SMB/Windows Admin Shares

Figure 4. AI Engine: Lateral Movement : Windows Admin Shares | MITRE ATT&CK Module | MITRE ATT&CK ID: T1021.002 Remote Services: SMB/Windows Admin Shares. Relevant log data is shown in the picture.

There should be very low to no false positives associated with this AI Engine event. The VMIDs listed under the “AI Engine Vendor Message ID (Event IDs) and Log Source Types” section are the ones this rule keys on, so those log sources must be collected for the rule to work properly. Please refer to the MITRE ATT&CK Deployment Guide and User Guide for logging requirements and configuration.

This event is mostly observed from Microsoft Security vendor message ID 5140 (a network share object was accessed), where a hidden administrative share is being accessed. In our test we observed IPC$ and C$ on the victim system being accessed from the attacker system.

AI Engine: Lateral: Password Modified by Admin | MITRE ATT&CK Module

Figure 5. AI Engine: Lateral: Password Modified by Admin | MITRE ATT&CK Module. Relevant log data is shown in the picture.

There should be very low to no false positives associated with this AI Engine event. The VMIDs listed under the “AI Engine Vendor Message ID (Event IDs) and Log Source Types” section are the ones this rule keys on, so those log sources must be collected for the rule to work properly. Please refer to the MITRE ATT&CK Deployment Guide and User Guide for logging requirements and configuration.

This event is mostly observed from Microsoft Security vendor message ID 4724, where a privileged user (Administrator) attempts to reset the password of a computer account (name$). Computer accounts normally rotate their own passwords, with the computer account itself as the subject of the resulting events, so a human administrator resetting a name$ password is unusual and worth investigating.

Pivot off the Session field, +/- 1 minute, to view all the logs associated with the Microsoft Security 4624 logon. Examples of the logs returned:

Figure 6. VMID 4624. Remote Administrator logon.
Figure 7. VMID 4672, special privileges assigned to new logon. A good indicator that the logon was administrative; note it fires for network logons as well as interactive ones.
Figure 8. VMID 5145. Shows the access check on a network share object (detailed file share auditing).
Figure 9. VMID 5140. Shows that the network share was accessed.
Figure 10. VMID 4724. Shows that a password reset attempt was made.
Figure 11. VMID 4742. Shows that a computer account was changed.
Figure 12. VMID 4634. Shows that the user logged off.

Mitigating ZeroLogon : CVE-2020-1472

Microsoft has specific guidance on how to mitigate the ZeroLogon vulnerability (KB4557222, “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472”). After applying the August 11, 2020, Microsoft updates on every domain controller, you will also need to set the Group Policy Object (GPO) setting “Domain controller: Allow vulnerable Netlogon secure channel connections” to “Deny.” Note that the August update alone only places domain controllers in deployment mode, in which non-compliant connections are logged (event ID 5829) but still allowed; to move to enforcement mode ahead of Microsoft’s enforcement-phase update, set the DWORD registry value FullSecureChannelProtection to 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. The following was done in our test environment:

How to mitigate against the ZeroLogon vulnerability

1. First, we created a new GPO for our Domain Controller.

2. Set the “Domain controller: Allow vulnerable Netlogon secure channel connections” to “Deny.”

      • Note the Windows Security warning shown when the setting is applied.
      • What the Security Descriptor looks like after clicking “Yes.”

Supporting Log Messages of Setting to Deny Examples:

Windows Security vendor message ID 5136
    MPE Rule Name: EVID 5136 : Directory Service Obj Modified
    Object: cn={25b7cac1-79ec-4d12-b66f-c2d79e57cb42},cn=policies,cn=system,DC=bcDonuts,DC=local
    Vendor Info: Directory Service Changes

Windows Security vendor message ID 4657
    MPE Rule Name: EVID 4657 : Registry Value Modified
    Object: vulnerablechannelallowlist
    Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters
    Vendor Info: Registry

LogRhythm Registry Integrity Monitor
    MPE Rule Name: MODIFY
    Object: HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
    Object Name: vulnerablechannelallowlist
    Subject: O:BAG:BAD:(D;;RC;;;BA)

Windows Security vendor message ID 5142
    MPE Rule Name: EVID 5142 : Network Share Object Was Added
    Object: \\*\NETLOGON
    Object Name: C:\Windows\SYSVOL\sysvol\bcDonuts.local\SCRIPTS
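As an added example (not LogRhythm’s or Microsoft’s code), the following Python decodes the security descriptor recorded in the Registry Integrity Monitor message above. The policy stores that descriptor in the VulnerableChannelAllowList value; an Allow ACE in it is an exception that lets the named account keep using a vulnerable Netlogon secure channel, so the useful check is “who, if anyone, is still allowed.” The well-known-SID table is a subset, and the second, weaker descriptor is constructed for the demonstration.

```python
"""Added example (not LogRhythm's or Microsoft's code): decode the SDDL
security descriptor that the "Domain controller: Allow vulnerable Netlogon
secure channel connections" policy stores in VulnerableChannelAllowList and
report which accounts are still allowed to use a vulnerable channel."""
import re

# Well-known SID abbreviations used in SDDL (the subset relevant here).
WELL_KNOWN_SIDS = {
    "BA": r"BUILTIN\Administrators", "WD": "Everyone", "AU": "Authenticated Users",
    "SY": "Local System", "DA": "Domain Admins", "DC": "Domain Computers",
    "DD": "Domain Controllers",
}
ACE_TYPES = {"A": "Allow", "D": "Deny"}
# The policy expresses its rights as RC (READ_CONTROL); a few others for completeness.
RIGHTS = {"RC": "READ_CONTROL", "GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}

# O:owner G:group D:dacl S:sacl; each section runs until the next section marker.
SECTION_RE = re.compile(r"(O|G|D|S):((?:(?!(?:O|G|D|S):).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def _trustee(sid):
    return WELL_KNOWN_SIDS.get(sid, sid)   # raw S-1-5-... SIDs are returned as-is


def _rights(spec):
    if spec.startswith("0x"):
        return [spec]
    return [RIGHTS.get(spec[i:i + 2], spec[i:i + 2]) for i in range(0, len(spec), 2)]


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and DACL ACEs."""
    sections = dict(SECTION_RE.findall(sddl))
    dacl = sections.get("D", "")
    aces = []
    for raw in ACE_RE.findall(dacl):
        fields = raw.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({raw})")
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": _rights(rights), "trustee": _trustee(sid)})
    return {"owner": _trustee(sections.get("O", "")),
            "group": _trustee(sections.get("G", "")),
            "dacl_flags": dacl.split("(", 1)[0],
            "aces": aces}


def allowed_accounts(sddl):
    """Trustees holding an Allow ACE. These may still establish vulnerable
    Netlogon secure channels once enforcement is on, so each one is an
    exception that needs a documented owner and a removal date."""
    return [a["trustee"] for a in parse_sddl(sddl)["aces"] if a["type"] == "Allow"]


# The descriptor logged by the Registry Integrity Monitor above: a single
# Deny for BUILTIN\Administrators and no exceptions.
SDDL_FROM_PAGE = "O:BAG:BAD:(D;;RC;;;BA)"
# Constructed descriptor as it would look if someone later added an
# exception for Everyone, which re-opens the vulnerability domain-wide.
SDDL_EVERYONE_ALLOWED = "O:BAG:BAD:(D;;RC;;;BA)(A;;RC;;;WD)"

if __name__ == "__main__":
    for label, sddl in (("page", SDDL_FROM_PAGE), ("weak", SDDL_EVERYONE_ALLOWED)):
        print(label, parse_sddl(sddl), "allowed:", allowed_accounts(sddl))
```

Feed the Subject field of the Registry Integrity Monitor message (or the value read from the Netlogon\Parameters key) into allowed_accounts; anything it returns is a machine or trust account that has been granted a standing exception and should appear in the 5830/5831 events discussed in the next section.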

Third-Party Research or Advisories

A number of third parties have also performed research on ZeroLogon. The following is a synopsis of their findings, along with the reference to their research.

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

“To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.”

Advisory 2020-016: “Zerologon” – Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

https://www.cyber.gov.au/acsc/view-all-content/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472

“Event ID 4624; 4742 – An account was successfully logged on, or A computer account was changed;

Events that contain the following fields should be assessed, and where possible diagnosed. Note that legitimate, legacy devices may utilize this functionality.

Security ID: ANONYMOUS LOGON

Account Name: ANONYMOUS LOGON

Account Domain: NT AUTHORITY”

“Note: A computer account change is not needed for the exploit to be successful. It is possible for multiple exploits to be chained together to trigger this vulnerability without requiring Domain Controller password modification.”

“If a system is patched, monitor:

Event ID 5827, 5828, and 5829 – Events related to insecure connection attempts that are denied;

Event ID 5830, and 5831 – Events related to insecure connection attempts that are successful.”

Azure Sentinel Insecure Protocols Workbook Implementation Guide

https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-insecure-protocols-workbook-implementation-guide/ba-p/1197564

“In this blog article, we’ll examine the Insecure Protocols Workbook (IP Workbook) and how, with minimal on-premise configuration, you can leverage its capabilities. In this article, I’ll provide the configuration instructions you need to successfully use the IP Workbook.”

Remediate Vulnerable Secure Channel Connections with the Insecure Protocols Workbook by Jon Shectman and Brian Delaney, Microsoft.

https://techcommunity.microsoft.com/t5/azure-sentinel/remediate-vulnerable-secure-channel-connections-with-the/ba-p/1611871

“Phase one, deployment, began on Aug 11. In this phase, secure Remote Procedure Call (RPC) is enforced for machine, trust and domain controller accounts. This phase also includes a new group policy object (GPO) and a registry key to manage configuration, and five new Event IDs.

These Event IDs are important for auditing and understanding of the issue. They are as follows:

Machine Events

5827 – Connection denied

5829 – Non-compliant (allowed during Deployment phase)

5830 – Allowed by policy

Trust Events

5828 – Connection denied

5831 – Allowed by policy”

“non-compliant machine connections will be denied by default and an Event ID 5827 will be logged”
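The five event IDs quoted above make a simple pre-enforcement check possible. As an added example (not LogRhythm’s or Microsoft’s code), the following Python groups constructed Netlogon System-log events by machine account and reports which ones will stop working once enforcement is on. The sample records and the field names used here (SamAccountName, ClientIP) are assumptions for the demonstration; real 5827–5831 events carry more fields.

```python
"""Added example (not LogRhythm's or Microsoft's code): sort the five
Netlogon event IDs introduced by the August 2020 update into what is
already denied, what is allowed by policy, and what will break once
enforcement mode is turned on."""
from collections import defaultdict

# Event ID -> (account kind, outcome), from the Microsoft write-up quoted above.
NETLOGON_EVENTS = {
    5827: ("machine", "denied"),
    5828: ("trust", "denied"),
    5829: ("machine", "allowed-during-deployment"),
    5830: ("machine", "allowed-by-policy"),
    5831: ("trust", "allowed-by-policy"),
}

_BUCKET_FOR_OUTCOME = {
    "denied": "denied",
    "allowed-by-policy": "allowed_by_policy",
    "allowed-during-deployment": "will_break",
}


def enforcement_readiness(events):
    """Group Netlogon events by the account that made the vulnerable connection.

    Returns a dict of three sorted lists of (account, sorted client IPs):
      denied             already blocked; the caller is broken today
      allowed_by_policy  exceptions granted through the GPO allow list
      will_break         5829: allowed only because the DC is in deployment
                         mode, so these connections fail once enforcement is on
    Events with any other ID are ignored.
    """
    buckets = {name: defaultdict(set) for name in _BUCKET_FOR_OUTCOME.values()}
    for ev in events:
        kind_outcome = NETLOGON_EVENTS.get(ev["EventID"])
        if kind_outcome is None:
            continue
        _kind, outcome = kind_outcome
        buckets[_BUCKET_FOR_OUTCOME[outcome]][ev["SamAccountName"]].add(ev["ClientIP"])
    return {name: sorted((acct, sorted(ips)) for acct, ips in accts.items())
            for name, accts in buckets.items()}


def hosts_to_fix_before_enforcement(events):
    """Machine accounts that must be updated (or explicitly excepted) before
    the DC is switched to enforcement mode."""
    return [acct for acct, _ips in enforcement_readiness(events)["will_break"]]


# Constructed sample events; only the fields used above are kept.
SAMPLE_EVENTS = [
    {"EventID": 5829, "SamAccountName": "NAS01$",     "ClientIP": "10.0.0.20"},
    {"EventID": 5829, "SamAccountName": "NAS01$",     "ClientIP": "10.0.0.20"},
    {"EventID": 5829, "SamAccountName": "PRINTER7$",  "ClientIP": "10.0.0.31"},
    {"EventID": 5830, "SamAccountName": "LEGACYAPP$", "ClientIP": "10.0.0.40"},
    {"EventID": 5827, "SamAccountName": "UNKNOWN9$",  "ClientIP": "10.0.0.99"},
    {"EventID": 5828, "SamAccountName": "PARTNER$",   "ClientIP": "172.16.5.2"},
    {"EventID": 5805, "SamAccountName": "DC01$",      "ClientIP": "10.0.0.5"},  # not a 582x event
]

if __name__ == "__main__":
    for bucket, entries in enforcement_readiness(SAMPLE_EVENTS).items():
        print(bucket, entries)
    print("fix before enforcement:", hosts_to_fix_before_enforcement(SAMPLE_EVENTS))
```

Run this over at least one machine account password change cycle (30 days by default) before switching to enforcement: a client that has not re-established its secure channel during the window has not logged a 5829 yet and therefore does not appear in the report.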

From Lares Labs: Defensive Guidance for ZeroLogon (CVE-2020-1472)

https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/

“Event Code 5805

As highlighted by Samir here a 5805 event is generated when the Zerologon attack is performed. This log lives in the System log channel of a Windows host”

“Event Code 4624 + 4742

An event code 4624, followed by an event code of 4742 are also triggered when the exploit is executed.

Account_Name=”ANONYMOUS LOGON””

“Sysmon Event ID 3

Another detection technique for the Zerologon attack is to take advantage of the Sysmon NetworkConnect event combined with its powerful Rule syntax. An incoming network connection is made from the attacking machine to the victim Domain Controller to the LSASS process when the Zerologon event occurs”

Detecting CVE-2020-1472 (CISA ED 20-04) Using Splunk Attack Range By Rod Soto September 18, 2020

https://www.splunk.com/en_us/blog/security/detecting-cve-2020-1472-using-splunk-attack-range.html

“EventID 5152 (connections blocked) only appears if enabled by audit, and is caused by traffic sent from the attacking machine”

“EventID 4742 (A computer account was changed) event does not reveal specific signs of exploitation on its own, but it was found consistently across all operating systems we tested the exploit on (Windows 2008R2 Server, Windows 2012R2, Windows 2016 Server, and Windows 2019 Server)”

“EventID 4742 indicates a computer account was changed. Computer accounts in Active Directory are usually followed by a single dollar sign. This specific event shows Security ID: ANONYMOUS LOGON, Account Name: ANONYMOUS LOGON, and Account Domain: NT AUTHORITY.”

The Splunk detections also key on: Microsoft Sysmon event ID 10 where the target process is lsass.exe and GrantedAccess is 0x1010 or 0x1410.

Microsoft Sysmon event ID 7 where ImageLoaded is any of WinSCard.dll, cryptdll.dll, hid.dll, samlib.dll or vaultcli.dll.

“5805 (System – Netlogon) has also been referenced as part of this attack.”
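As an added example (not LogRhythm’s code), the following Python correlates the domain-controller events that the advisories above associate with a successful exploit (4742 and 4724 against a computer account driven by ANONYMOUS LOGON, corroborated by Netlogon 5805 failures for the same computer), and also covers the “Password Modified by Admin” case from the victim-side detection details earlier on this page (4724 against a name$ account by a human administrator). The event dictionaries, their field names, the two-minute window and the BCDONUTS account names are constructed for the demonstration.

```python
"""Added example (not LogRhythm's code): correlate domain controller
Security/System events associated with ZeroLogon exploitation and with
administrator resets of computer account passwords."""
from datetime import datetime, timedelta

CORRELATION_WINDOW = timedelta(minutes=2)   # assumption for the demo


def _is_computer_account(name):
    return name.endswith("$")


def correlate(events, window=CORRELATION_WINDOW):
    """events: dicts with 'time' and 'id'; 4724/4742 records carry
    'subject', 'subject_domain' and 'target'; 5805 records carry 'client'
    (the computer whose session setup failed). Returns findings in time
    order, each with a severity and the reasons behind it."""
    events = sorted(events, key=lambda e: e["time"])
    failures = [e for e in events if e["id"] == 5805]
    findings = []
    for ev in events:
        if ev["id"] not in (4724, 4742) or not _is_computer_account(ev["target"]):
            continue
        subject = ev["subject"]
        if subject == ev["target"]:
            continue  # routine self-rotation of the machine password
        reasons = []
        if subject.upper() == "ANONYMOUS LOGON" and ev["subject_domain"].upper() == "NT AUTHORITY":
            severity = "high"
            reasons.append(f"{ev['id']} on {ev['target']} by ANONYMOUS LOGON")
        elif not _is_computer_account(subject):
            severity = "medium"   # the 'Password Modified by Admin' case
            reasons.append(f"{ev['id']} on {ev['target']} by user {subject}")
        else:
            continue  # one computer account changing another: out of scope here
        host = ev["target"].rstrip("$")
        nearby = [f for f in failures
                  if f["client"].upper() == host.upper()
                  and abs(f["time"] - ev["time"]) <= window]
        if nearby:
            reasons.append(f"{len(nearby)} x 5805 Netlogon failure(s) for {host} within window")
            severity = "high"
        findings.append({"time": ev["time"], "target": ev["target"],
                         "severity": severity, "reasons": reasons})
    return findings


# Constructed sample timeline (not from the page's test environment).
T0 = datetime(2020, 9, 21, 14, 0, 0)
SAMPLE_EVENTS = [
    # Normal machine password rotation: the computer changes its own password.
    {"time": T0, "id": 4742, "subject": "WS07$", "subject_domain": "BCDONUTS", "target": "WS07$"},
    # Exploit handshake attempts that fail before the all-zero challenge succeeds.
    {"time": T0 + timedelta(seconds=30), "id": 5805, "client": "DC01"},
    {"time": T0 + timedelta(seconds=31), "id": 5805, "client": "DC01"},
    # The DC's own account password is then changed by an unauthenticated caller.
    {"time": T0 + timedelta(seconds=35), "id": 4742, "subject": "ANONYMOUS LOGON",
     "subject_domain": "NT AUTHORITY", "target": "DC01$"},
    # Administrator resets a workstation's computer account password.
    {"time": T0 + timedelta(minutes=10), "id": 4724, "subject": "Administrator",
     "subject_domain": "BCDONUTS", "target": "WS01$"},
    # User password reset: not a computer account, ignored here.
    {"time": T0 + timedelta(minutes=11), "id": 4724, "subject": "Administrator",
     "subject_domain": "BCDONUTS", "target": "jdoe"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["time"], finding["target"], finding["severity"], finding["reasons"])
```

The self-rotation check is what keeps this quiet in production: every domain member changes its own password on the default 30-day cycle and logs a 4742 whose subject is the computer account itself. As the ACSC note above says, a computer account change is not required for the exploit to succeed, so an empty result is not evidence of absence; 5805 and the Netlogon 5827–5831 events need to be watched in their own right as well.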

LogRhythm MITRE ATT&CK References:

AI Engine Vendor Message ID (Event IDs) and Log Source Types

On the attacker system (Windows 10), the following AI Engine (AIE) events were observed, with the log source types and vendor message IDs (event IDs) each rule keys on:

AIE Rule: AIE: Credential Access : Credential Dumping (AIE Module: MITRE ATT&CK)
    LogRhythm Process Monitor (Windows): START
    MS Windows Event Logging XML – Security: 4688
    MS Windows Event Logging XML – Sysmon 8…: 1, 10

AIE Rule: AIE: Discovery : Remote System Discovery (AIE Module: MITRE ATT&CK)
    MS Windows Event Logging XML – Security: 4663, 4688
    MS Windows Event Logging XML – Sysmon 8…: 1, 10

AIE Rule: AIE: Lateral Movement : Pass the Hash (AIE Module: MITRE ATT&CK)
    MS Windows Event Logging XML – Security: 4624

On the victim system (Windows Server 2019), the following AIE events were observed:

AIE Rule: AIE: Lateral Movement : Windows Admin Shares (AIE Module: MITRE ATT&CK)
    MS Windows Event Logging XML – Security: 5140

AIE Rule: AIE: Lateral: Password Modified by Admin (AIE Module: MITRE ATT&CK)
    MS Windows Event Logging XML – Security: 4724
