CVE-2020-1472 – ZeroLogon – Monitoring by SIEM

SIEM Content Packages For CVE-2020-1472 – ZeroLogon By CyberSIEM

As you know, one of the most critical vulnerabilities of recent times has just been published – ZeroLogon.

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. (MITRE)

MITRE CVE-2020-1472

Before diving into the details – we strongly recommend patching your DCs.

Here is the MSRC advisory page with the relevant KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

We have tested the vulnerability and built new content packages (ArcSight and QRadar) that identify the attack in real time before patching. We have also collected events from devices in an environment that still attempts to use vulnerable Netlogon after patching.

A little bit about the process

We used this PoC for ZeroLogon:

https://github.com/dirkjanm/CVE-2020-1472

We ran the exploit from a domain-joined machine against the DC:

From the DC we got the combination of these two events at the same time:

  • NETLOGON
    • Event ID: 5805
    • Type: System
  • A computer account was changed
    • Event ID: 4742
    • Type: Security
    • Source User Name: Anonymous Logon

where the computer account in event 4742 equals the device host name in event 5805.

Based on this data, we built the first part of the package, which recognizes the attack before patching.

The second part of the package is based on Microsoft's recommendations and will function only after the DCs are patched, because the event IDs we search for are generated by the DC only after the patch.

Based on this data, we built a mechanism that tracks vulnerable Netlogon usage in the environment. Most of the attempts should be blocked, unless they are explicitly allowed by the GPO.
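To show how both parts of the package reason over DC events, here is an added Python example. It is not the CyberSIEM content, the ArcSight/QRadar rules, or the PoC code: it runs the pre-patch correlation from the previous section (System 5805 plus Security 4742 with an Anonymous Logon subject, for the same computer account, within a short window) and the post-patch tally of vulnerable Netlogon usage (System events 5827–5831) over constructed sample records. The event field names (ComputerName, SubjectUserName, TargetUserName, ClientName), the 30-second window and the sample events are assumptions of this example; the meanings attached to 5827–5831 follow Microsoft's guidance for the patched Netlogon service.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class WinEvent:
    """Simplified Windows event as a SIEM would parse it (field names are assumed)."""
    time: datetime
    channel: str            # "System" or "Security"
    event_id: int
    fields: dict = field(default_factory=dict)


def account_key(name: str) -> str:
    """Normalise names so 'DC01$' (computer account in 4742) matches 'dc01' (host in 5805)."""
    return name.rstrip("$").upper()


def correlate_zerologon(events, window=timedelta(seconds=30)):
    """Pre-patch indicator: a System 5805 (Netlogon session setup failed) and a
    Security 4742 (computer account changed) whose subject is ANONYMOUS LOGON,
    both naming the same computer account and logged within `window` of each other."""
    failures = [e for e in events if e.channel == "System" and e.event_id == 5805]
    anon_changes = [
        e for e in events
        if e.channel == "Security" and e.event_id == 4742
        and e.fields.get("SubjectUserName", "").upper() == "ANONYMOUS LOGON"
    ]
    alerts = []
    for change in anon_changes:
        target = account_key(change.fields.get("TargetUserName", ""))
        for failure in failures:
            if (account_key(failure.fields.get("ComputerName", "")) == target
                    and abs(failure.time - change.time) <= window):
                alerts.append({"computer": target, "time": change.time,
                               "events": (failure.event_id, change.event_id)})
                break  # one alert per 4742, even if several 5805s were logged
    return alerts


# Post-patch System event IDs, per Microsoft's guidance for CVE-2020-1472.
VULNERABLE_NETLOGON_IDS = {
    5827: "denied",          # vulnerable connection from a machine account was denied
    5828: "denied",          # vulnerable connection using a trust account was denied
    5829: "allowed",         # allowed because enforcement mode is not yet active
    5830: "allowed_by_gpo",  # machine account allowed by the "vulnerable connections" GPO
    5831: "allowed_by_gpo",  # trust account allowed by the same GPO
}


def summarize_vulnerable_netlogon(events):
    """Second part of the package: per-client counts of vulnerable Netlogon attempts
    after the DC is patched. Anything under 'allowed' or 'allowed_by_gpo' needs review."""
    summary = {}
    for e in events:
        if e.channel != "System" or e.event_id not in VULNERABLE_NETLOGON_IDS:
            continue
        client = account_key(e.fields.get("ClientName", "UNKNOWN"))
        bucket = summary.setdefault(client, {"denied": 0, "allowed": 0, "allowed_by_gpo": 0})
        bucket[VULNERABLE_NETLOGON_IDS[e.event_id]] += 1
    return summary


# Constructed sample events (not real captures): an exploit run against DC01,
# a benign 4742 by an admin, an unrelated 5805, and post-patch Netlogon events.
T0 = datetime(2020, 10, 8, 12, 0, 0)
SAMPLE_EVENTS = [
    WinEvent(T0, "System", 5805, {"ComputerName": "dc01"}),
    WinEvent(T0 + timedelta(seconds=2), "Security", 4742,
             {"SubjectUserName": "ANONYMOUS LOGON", "TargetUserName": "DC01$"}),
    WinEvent(T0 + timedelta(minutes=5), "Security", 4742,
             {"SubjectUserName": "jdoe", "TargetUserName": "WS42$"}),
    WinEvent(T0 + timedelta(hours=1), "System", 5805, {"ComputerName": "WS07"}),
    WinEvent(T0 + timedelta(days=1), "System", 5827, {"ClientName": "LEGACY01$"}),
    WinEvent(T0 + timedelta(days=1, seconds=5), "System", 5827, {"ClientName": "LEGACY01$"}),
    WinEvent(T0 + timedelta(days=1, seconds=9), "System", 5830, {"ClientName": "NAS01$"}),
]

if __name__ == "__main__":
    for alert in correlate_zerologon(SAMPLE_EVENTS):
        print("ZeroLogon indicator:", alert)
    for client, counts in summarize_vulnerable_netlogon(SAMPLE_EVENTS).items():
        print(client, counts)
```

The name normalisation matters in practice: 4742 reports the computer account with a trailing `$`, while 5805 carries the host name, so a rule that compares the raw strings will never fire. The per-client summary is what the second part of the package feeds into a dashboard: a client that keeps producing 5827 after patching is a legacy device to fix, and any 5830/5831 entry should match a deliberate GPO exception.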

Download:

Our packages are available at the links below and will be updated frequently.

  • The ArcSight package was last updated on 04.11.20:
    • We added a mapping file for the relevant Windows logs and changed the resources package to match.
    • The file is available for download from the same path as the .arb package, named winc.zip.
    • Unzip the file and place the folder under this path:
    • \current\user\agent\fcp\
    • If the ‘winc’ directory already exists, add only the files that do not exist yet.
  • The QRadar package was last updated on 08.10.20.

Download from GitHub:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2020-1472_ZeroLogon

Or download from this site:

ArcSight:

https://www.cybersiem.com/download/zerologon-arcsight/

QRadar:

https://www.cybersiem.com/download/zerologon-qradar/


Before Installing the Packages:

Add these specific System events from the DCs to the SIEM's event collection (most SIEM users do not collect System events, so make sure you add these):

  • 5805, 5827, 5828, 5829, 5830, 5831

ArcSight Package Overview:

The rules have no actions except showing the collected events on the pre-configured dashboards.

Make sure to configure actions with the SIEM team.


QRadar Package Overview:

If it's the first installation, use this command:

  /opt/qradar/bin/contentManagement.pl -a import -f <content file>

If it's an upgrade, use this command:

  /opt/qradar/bin/contentManagement.pl -a update -f <content file>

Rules (Rule Group Name – “ZeroLogon CVE-2020-1472”):

There is an explanation for each rule in the “Notes” section.

There is just one Offense Rule in the list – “ZeroLogon: Windows: Zerologon Attack Was Executed”.

The action for the other rules is “Dispatch New Event”.

Building Blocks (Rule Group Name – “ZeroLogon CVE-2020-1472”): 

Saved Searches: 

Dashboard: 

The name of the Dashboard is “ZeroLogon”.

Important: these packages will work properly only in optimized environments. Make sure event collection is configured properly, without any data loss or delays.

You are welcome to contact us for any further details.


Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]
