Detecting Zerologon CVE-2020-1472 Using Exabeam Data Lake
Secura published a white paper on a critical vulnerability, “Zerologon”, which scored 10/10 on the Common Vulnerability Scoring System (CVSS). Zerologon, also known as CVE-2020-1472, allows an attacker to gain a foothold on an internal Windows network simply by sending a number of Netlogon messages with various fields filled with zeros, and then changing the AD-stored password of a domain controller. The attack also exploits the insecure use of AES-CFB8 encryption.
What is Netlogon?
Netlogon is an authentication protocol that verifies users and services by way of a secure channel established between a machine and a domain controller. In very simple terms, these are the steps required for NTLM domain authentication:
- A client challenge is sent from the client
- A server challenge is sent from the server
- A session key is created from the session secret and the two challenges
- Client and server use the previously created session key and the challenges to create server/client credentials
- These credentials are used together with the session key to authenticate the user
Figure 1: Steps required for NTLM domain authentication.
How does the AES-CFB8 Authentication work?
During this authentication process, Windows Netlogon uses an insecure variant of the cipher feedback (CFB) mode of operation with AES. CFB mode is built on a block cipher that operates on 16-byte blocks of the plaintext. In order to encrypt the initial bytes of a message, an Initialization Vector (IV) must be specified to bootstrap the encryption process. This IV must be unique and randomly generated for each separate plaintext that is encrypted with the same key. The ComputeNetlogonCredential function, however, defines a fixed IV that always contains 16 zero bytes, violating the requirement that AES-CFB8 be used only with random IVs. This makes it possible for an attacker to authenticate via Netlogon with no knowledge of the domain password. By repeatedly authenticating to the system with an all-zero challenge, the attacker relies on the chance that, under the shared secret, the first byte produced when encrypting the zero challenge is itself zero, in which case the resulting credential is all zeros as well.
Figure 2: A model of the cipher feedback (CFB) mode encryption
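The following is an added illustration, not code from the original post or from Secura, of why the fixed zero IV breaks CFB8: with IV = 0 and an all-zero challenge, whenever the first keystream byte is zero the shift register never changes and every output byte is zero. It assumes a stand-in keyed block function (truncated SHA-256, not AES) and toy 4-byte keys, since the property depends only on the CFB8 structure.

```python
import hashlib
import os

BLOCK = 16

def block_fn(key: bytes, block: bytes) -> bytes:
    """Stand-in keyed 16-byte block function (NOT AES): truncated SHA-256 of key||block.
    The zero-IV weakness comes from the CFB8 structure, not from the block cipher."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E(shift register);
    the register then drops its oldest byte and appends the ciphertext byte."""
    reg = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_fn(key, bytes(reg))[0]
        out.append(c)
        reg = reg[1:] + bytes([c])
    return bytes(out)

def first_keystream_byte_is_zero(key: bytes) -> bool:
    """With IV = 0 and plaintext = 0 the first ciphertext byte is E(0)[0]. If that byte
    is 0, the register stays all-zero and every following output byte is 0 too."""
    return block_fn(key, bytes(BLOCK))[0] == 0

def weak_key_fraction(n: int) -> float:
    """Fraction of the first n toy keys with the zero-output property
    (about 1 in 256 for any cipher whose output byte is uniform)."""
    keys = (i.to_bytes(4, "big") for i in range(n))
    return sum(first_keystream_byte_is_zero(k) for k in keys) / n

def find_weak_key() -> bytes:
    i = 0
    while not first_keystream_byte_is_zero(i.to_bytes(4, "big")):
        i += 1
    return i.to_bytes(4, "big")

if __name__ == "__main__":
    key = find_weak_key()
    zero_iv, zero_challenge = bytes(BLOCK), bytes(8)
    # Fixed zero IV (the Netlogon choice): the whole credential collapses to zeros.
    print(cfb8_encrypt(key, zero_iv, zero_challenge).hex())
    # Random IV (what CFB8 requires): the same key no longer yields all zeros.
    print(cfb8_encrypt(key, os.urandom(BLOCK), zero_challenge).hex())
    print(f"weak keys among first 4096: {weak_key_fraction(4096):.4f}")
```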
How are attackers using it and what is the impact?
The attacker will try to compromise a domain-joined system first, in order to gain access to the environment. Then, the attacker will use that system to send crafted authentication requests to the DC.
Possible attack vectors include:
- Credential Compromise: An attacker can extract user account credentials for offline password cracking.
- Domain Administrator Access: With Domain Administrator access, an attacker can get full control of the network.
- Credential Stuffing: Attackers can use the domain password to brute force against other sensitive accounts like social media, bank accounts, etc.
- Deploy Malware/Keylogger: Attackers can use ransomware, keylogger, or any other malware to harm the users on the network.
Zerologon MITRE ATT&CK mapping
These are some of the MITRE ATT&CK techniques mapped to Zerologon. They relate to the exploitation of resources over the network and to dumping credentials to obtain account information. Eventually these techniques are used to perform lateral movement and access restricted or sensitive data.
- T1203 Exploitation for Client Execution
- T1210 Exploitation of Remote Services
- T1003 OS Credential Dumping
Zerologon detection by Exabeam
There are multiple ways to detect Zerologon, since multiple artifacts can be found in the logs. Before we move on to detection, make sure these logs are enabled in the environment. We’ve seen people miss the detection because they failed to capture the correct logs. Here is the list of events required for detection:
- 4742 (Account Management > Computer Account Management)
- 4624 (Logon/Logoff > Logon)
- 4724 (Account Management > User Account Management)
- 5827*, 5828* – Connection Denied
- 5829* – Connection Allowed
*These are only present if you have installed the latest Microsoft Updates on your DC (August 11)
If you need to run the script to test it in your environment, make sure to run it in a test environment to obtain the detection artifacts. Although Secura provides a reset script, it is recommended to run it only in a controlled environment. You can access the POC provided by Secura from here. After successful exploitation, you will see this output on your Kali machine. Use a tool like mimikatz to pass the hash and get a hold of the domain controller.
Figure 3: Sample output on a Kali machine after a successful exploit with the extracted hash indicated.
DETECTION CASE 1
After successful exploitation, the attacker will authenticate as the DC account. This in turn will trigger 4624 events with the following artifacts:
- Account Name: DC computer name (ending with $) or anonymous logon
- Source Network Field: IP address of attacker’s machine (internal IP of the network)
- Authentication: NTLM
- Logon Type: 3
- Logon GUID: Null GUID
Figure 4: Microsoft Windows Event 4624, showing the logon session
Figure 5: Searching for event code 4624 in Exabeam Data Lake
This should be coupled with a 4742 event, which is an account change event. Here are the artifacts to hunt for in 4742:
- Account Name (Under Computer Account): DC computer name (ending with $)
- Account Name (Under Subject): Anonymous logon
- Source Network Field: IP address of attacker’s machine (Internal IP of the network)
- Authentication: NTLM
- Logon Type: 3
Figure 6: Microsoft Windows Event 4742, showing the account change activity.
DETECTION CASE 2
In our environment, we saw failed Netlogon attempts logged under the System log. If you see 5805 Netlogon failed attempts with the same timestamps as the above-mentioned events, this needs to be investigated, as it’s a strong indicator of Zerologon. Here are the artifacts:
Figure 7: Evidence of the artifacts from failed Netlogon attempts.
- 5805 Access denied events
- Parse the computer name WIN-2GNIENR34HB (which is basically my system); by default it could be mimikatz.
DETECTION CASE 3
There is another detection using 4724 logs which can be combined with 4624 logon type 3 events to make the detection case stronger. In addition, you would see a 4776 log to validate the credentials for an account. Here are the artifacts:
For 4776:
- Logon Account: ends with $
Figure 8: Query to hunt for event 4776 and user ending with $.
For 4624:
- Logon Type: 3
- Logon ID: Matches with 4724’s logon ID
For 4724:
- Account Name (Target Account): ends with $
- Logon ID: Matches with 4624’s logon ID
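The correlation logic behind detection cases 1 to 3, written here as an added example rather than an Exabeam Data Lake query or the post’s own rules: a 4624 network NTLM logon with a null GUID as a $ account or ANONYMOUS LOGON is confirmed by a 4742 from the same source, a 5805 at the same time, or a 4724 sharing its logon ID. The events, field names, host names, IPs and logon IDs are constructed for the example.

```python
from datetime import datetime, timedelta

NULL_GUID = "{00000000-0000-0000-0000-000000000000}"
# Constructed sample events (not real logs), carrying the fields named in cases 1-3.
EVENTS = [
    {"id": 4624, "ts": "2020-09-15T10:00:01", "account": "DC01$", "src_ip": "10.0.0.5",
     "auth": "NTLM", "logon_type": 3, "logon_guid": NULL_GUID, "logon_id": "0x3E7A1"},
    {"id": 4742, "ts": "2020-09-15T10:00:02", "account": "DC01$",
     "subject": "ANONYMOUS LOGON", "src_ip": "10.0.0.5"},
    {"id": 5805, "ts": "2020-09-15T10:00:02", "src_host": "WIN-2GNIENR34HB"},
    {"id": 4724, "ts": "2020-09-15T10:00:03", "account": "DC01$", "logon_id": "0x3E7A1"},
    # Benign control: interactive Kerberos logon of a user with a real logon GUID.
    {"id": 4624, "ts": "2020-09-15T10:05:00", "account": "alice", "src_ip": "10.0.0.9",
     "auth": "Kerberos", "logon_type": 2,
     "logon_guid": "{3f2c7d2e-1111-2222-3333-444455556666}", "logon_id": "0x41C2"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def suspicious_4624(e) -> bool:
    """Case 1 logon artifacts: network (type 3) NTLM logon with a null GUID as the
    DC computer account (ends with $) or as ANONYMOUS LOGON."""
    return (e["id"] == 4624 and e["logon_type"] == 3 and e["auth"] == "NTLM"
            and e["logon_guid"] == NULL_GUID
            and (e["account"].endswith("$") or e["account"].upper() == "ANONYMOUS LOGON"))

def detect(events, window=timedelta(seconds=60)):
    """Return (rule, account, src_ip) tuples for each suspicious 4624 that is
    corroborated within `window` by the events the three cases describe."""
    alerts = []
    for logon in filter(suspicious_4624, events):
        near = [e for e in events if abs(_ts(e) - _ts(logon)) <= window]
        # Case 1: computer-account change by ANONYMOUS LOGON from the same source.
        if any(e["id"] == 4742 and e["account"].endswith("$")
               and e.get("subject", "").upper() == "ANONYMOUS LOGON"
               and e.get("src_ip") == logon["src_ip"] for e in near):
            alerts.append(("case1_4624_4742", logon["account"], logon["src_ip"]))
        # Case 2: Netlogon access denied (5805) at the same time.
        if any(e["id"] == 5805 for e in near):
            alerts.append(("case2_5805_netlogon_denied", logon["account"], logon["src_ip"]))
        # Case 3: password reset (4724) of a $ account sharing the 4624 logon ID.
        if any(e["id"] == 4724 and e["account"].endswith("$")
               and e.get("logon_id") == logon["logon_id"] for e in near):
            alerts.append(("case3_4724_password_reset", logon["account"], logon["src_ip"]))
    return alerts

if __name__ == "__main__":
    print(detect(EVENTS))
```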
ADDITIONAL DETECTION CASE
Netlogon debug logging is not enabled by default, but once enabled, you can see bad password requests in the Netlogon debug files. These debug files are present under System32; refer here for how to enable them. Once enabled, you can check the debug file under C:\Windows\Debug\netlogon.log to see NetrServerAuthenticate calls. In the SIEM, we can track this via the NetrServerAuthenticate field by searching for negot:212fffff (the hex value used by the Zerologon script).
Figure 9: Netlogon debug file that highlights NetrServerAuthenticate calls.
What is affected?
- Windows Server Version 2004
- Windows Server Version 1909
- Windows Server Version 1903
- Windows Server Version 2019
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows Server 2003 R2
How do you patch this?
Microsoft released a patch on August 11, 2020, and the full list of KB numbers per operating system can be found here.
In addition, Microsoft will be releasing updates on February 9, 2021, which will turn on DC enforcement mode. For the time being, once you patch the system, you can turn on this group policy to detect any Zerologon attempts:
Computer Configuration > Windows Settings > Security Settings > Security Options > Domain Controller: Allow vulnerable Netlogon secure channel connection
Zerologon is a critical vulnerability with serious impact on Windows Servers. Without any user credentials, an attacker is able to obtain admin-level privileges and control any asset in the entire network. Since Microsoft has released the patch, Zerologon should not pose any critical threat, and it can be detected via Exabeam Data Lake and Smart Timelines.