Zerologon Detector can help you to determine whether your organisation has been compromised by attackers exploiting the Netlogon flaw.
Zerologon (CVE-2020-1472) is a critical vulnerability in the Windows Server Netlogon authentication process. Following our recent Security Advisory, immediate patching of the vulnerability is strongly advised.
To help determine whether your organisation has been compromised as a result of an attacker exploiting the vulnerability (even prior to a patch being installed), Redscan Labs has developed a Zerologon detection tool.
Zerologon Detector identifies both successful and unsuccessful attempts to exploit Zerologon by analysing Windows event logs for evidence of the flaw being exploited, in real time as well as at any point over the last 30 days.
In the event that exploitation is detected, Zerologon Detector will provide a list of IP addresses that are the most likely sources of the attack. Any inbound and outbound communications to and from the IP addresses identified should be immediately blocked.
A brief overview of the tool from our Head of R&D Paul Sutton can be viewed below.
Zerologon Detector supports the latest and legacy editions of Windows Server:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Please note the following technical dependencies when attempting to install and run Zerologon Detector 2.0:
- The app must be run with Administrator privileges, including permissions to query Windows Security event logs
- The app must be run on a domain controller with the Active Directory role installed
- The app can be installed as a service via InstallUtil (https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool). Note that the service is configured to start automatically on boot and runs as Local System, but it must be started manually after installation. Run the executable directly with the “-h” flag for help and instructions (including copy-and-paste commands) on installing it as a service.
The tool must be left in the directory it was installed from in order for the service to run. You may also need to unblock the tool by right-clicking and going into Properties, before clicking the “Unblock” button. We recommend putting it in a new folder such as “C:\temp”. If installed from a folder with a space in the path, ensure the service executable path is quoted after installation and write permissions are restricted.
- For the app to output a log file, a custom file path must be set
- The app uses built-in Windows functionality to monitor TCP and Netlogon telemetry in real time. A threshold of three failed Netlogon attempts is hard-coded to identify Zerologon exploitation. This cannot be changed, as an exploit can be successful without any failure condition occurring during its brute-force phase.
- Only Netlogon events targeting the machine account of the device the executable is run on are monitored. This should drastically reduce false positives
- Detection based on event logs relies on the advanced audit policy configuration for Computer Account Management being enabled for success events (https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-computer-account-management). Without this configuration the detector will only identify attacks being conducted in real time, based on TCP and Netlogon telemetry
- No outbound connections are made by the executable
- The application can be run in debug mode (-d flag) to troubleshoot
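As an added illustration of the detection rule the dependencies above describe (this is not Redscan's code and not the tool's own telemetry format): a Python sketch that applies the hard-coded three-failure threshold to constructed Netlogon telemetry, keeps only events targeting the domain controller's own machine account, honours the 30-day look-back and returns the source IPs that should be blocked. The event tuple layout, the account name DC01$, the sample IPs and the fixed clock are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, source_ip, target_account, outcome).
# The field layout is an assumption for this illustration, not the tool's format.
SAMPLE_EVENTS = [
    ("2020-09-15T10:00:01", "10.0.0.5",  "DC01$", "fail"),
    ("2020-09-15T10:00:01", "10.0.0.5",  "DC01$", "fail"),
    ("2020-09-15T10:00:02", "10.0.0.5",  "DC01$", "fail"),
    ("2020-09-15T10:00:02", "10.0.0.5",  "DC01$", "success"),  # exploit landed
    ("2020-09-15T10:05:00", "10.0.0.9",  "DC01$", "fail"),     # below threshold
    ("2020-09-15T10:05:01", "10.0.0.9",  "DC01$", "fail"),
    ("2020-09-15T11:00:00", "10.0.0.20", "WKS7$", "fail"),     # not this DC's account
    ("2020-09-15T11:00:00", "10.0.0.20", "WKS7$", "fail"),
    ("2020-09-15T11:00:01", "10.0.0.20", "WKS7$", "fail"),
    ("2020-07-01T09:00:00", "10.0.0.33", "DC01$", "fail"),     # outside 30-day window
    ("2020-07-01T09:00:00", "10.0.0.33", "DC01$", "fail"),
    ("2020-07-01T09:00:01", "10.0.0.33", "DC01$", "fail"),
]

FAILURE_THRESHOLD = 3          # hard-coded in the tool, per the dependency list
LOOKBACK = timedelta(days=30)  # the tool's historical window

def detect_zerologon(events, machine_account, now):
    """Return {source_ip: {"failures": n, "succeeded": bool}} for every source
    that reached the failure threshold against this DC's own machine account
    inside the look-back window. A success following failures from the same
    source marks the attempt as a successful exploitation."""
    per_source = defaultdict(lambda: {"failures": 0, "succeeded": False})
    window_start = now - LOOKBACK
    for ts, src, target, outcome in events:
        when = datetime.fromisoformat(ts)
        if target != machine_account or when < window_start:
            continue
        if outcome == "fail":
            per_source[src]["failures"] += 1
        elif outcome == "success" and per_source[src]["failures"] > 0:
            per_source[src]["succeeded"] = True
    return {src: s for src, s in per_source.items()
            if s["failures"] >= FAILURE_THRESHOLD}

def block_list(findings):
    """Sorted source IPs to block, as the tool reports after a detection."""
    return sorted(findings)

def run_sample():
    """Run the rule over the constructed telemetry with a fixed clock (assumed)."""
    return detect_zerologon(SAMPLE_EVENTS, "DC01$", datetime(2020, 9, 16))

if __name__ == "__main__":
    print(run_sample(), block_list(run_sample()))
```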
Zerologon Detector is a free tool to help organisations determine whether they may have been compromised by an attacker exploiting Zerologon. A negative result (no exploitation detected) is no guarantee that a compromise has not occurred, and Redscan highly recommends ensuring that networks and endpoints are closely monitored, even after a patch has been applied.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to install and use this Software for personal or business use. Redscan Cyber Security Limited reserve the sole right to modify, merge, publish, distribute, sublicense, and/or sell copies of the Software:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Copyright 2020 Redscan Cyber Security Limited
Have a question or request to help improve Zerologon Detector? Please feel free to get in touch with the Redscan Labs team.