CONTACT US
forrester wave report 2023

Forrester rates Corelight a strong performer

GET THE REPORT

ad-nav-crowdstrike

Corelight now powers CrowdStrike solutions and services

READ MORE

ad-images-nav_0013_IDS

Alerts, meet evidence.

LEARN MORE ABOUT OUR IDS SOLUTION

ad-images-nav_white-paper

5 Ways Corelight Data Helps Investigators Win

READ WHITE PAPER

glossary-icon

10 Considerations for Implementing an XDR Strategy

READ NOW

ad-images-nav_0006_Blog

Don't trust. Verify with evidence

READ BLOG

ad-nav-NDR-for-dummies

NDR for Dummies

GET THE WHITE PAPER

video

The Power of Open-Source Tools for Network Detection and Response

WATCH THE WEBCAST

ad-nav-ESG

The Evolving Role of NDR

DOWNLOAD THE REPORT

ad-images-nav_0006_Blog

Detecting 5 Current APTs without heavy lifting

READ BLOG

g2-medal-best-support-ndr-winter-2024

Network Detection and Response

SUPPORT OVERVIEW

 

Detecting Zerologon (CVE-2020-1472) with Zeek

CVE-2020-1472 aka Zerologon, disclosed by Tom Tervoort of Secura, is an illustrative case study of how a small implementation mistake in cryptographic routines cascades into a privilege escalation vulnerability that allows an attacker to change the password of any unpatched Active Directory domain controllers to which they have network access. Upon successful exploitation, the attacker is free to alter additional credentials, escalate to the level of a domain admin, and move laterally to other machines in the domain. At a high level, the encryption scheme as implemented has a 1/256 chance of encrypting a plaintext message of all zeroes to a ciphertext message of all zeroes, which eventually leads to setting a zero length password. If this sounds as interesting to you as it was to me, I’d recommend reading the more in-depth technical report also from Secura.

To assist, we’ve open sourced a Zeek package that detects both attempted and successful exploits. Using Secura’s excellent, defanged proof-of-concept Python tool, we generated sample PCAPs for unsuccessful and successful attacks on both Windows Server 2016 and 2019 domain controllers. I would be remiss if I didn’t also mention these techniques for detection: Sigma rule by SOCPrime, and Splunk by Shannon Davis. These served as inspiration for the Zeek package.

There are fully functional exploit tools for this CVSS 10.0 rated vulnerability already floating around publicly, so I recommend reading Microsoft’s support guide entry, patching your domain controllers, and looking for signs of historic exploitation attempts in your logs, and looking for future attempts with this Zeek package.

We always appreciate feedback on your experience with using the package, or any suggestions for improvements.

#CVE-2020-1472 #CVSS10 #Zerologon #Netlogon #Zeek #LateralMovement

 

Recent Posts