Cynet Uncovers Zerologon Exploits with a Free Analysis & Detection Tool

Cynet has announced the Zerologon Analysis & Detection Tool in response to the Zerologon vulnerability, also known as CVE-2020-1472.

According to Cynet, Zerologon continues to be a threat even after the availability of the Microsoft patch, since exploitation may have occurred in Windows Server environments before the prescribed updates were applied. Moreover, Zerologon continues to be actively exploited because many organizations have not yet implemented the patch, citing the expected disruption to IT operations.

Zerologon is a potentially dangerous authentication bypass vulnerability that permits cyber-criminals to exploit the Windows Server Netlogon Remote Protocol (MS-NRPC) authentication process. To support security professionals in managing this threat, Cynet has released the free Zerologon Analysis & Detection Tool which determines if a Zerologon exploit was executed in the user’s IT environment. It is essential that administrators address exploits quickly as they can lead to devastating breaches and system disruption.

One of the cryptographic components that facilitates the Zerologon vulnerability is AES-CFB8 encryption. This encryption has been implemented in an insecure way and, as a result, creates the vulnerability. Cynet 360 customers already have detection mechanisms in place for this vulnerability and for many other attacks. Due to the magnitude and potential impact of this vulnerability, Cynet is now releasing two detection mechanisms to the wider community that provide visibility of exploits targeting the Zerologon vulnerability.

The first of these detection mechanisms is a YARA rule, which can be used to scan memory dumps of lsass.exe. The rule will alert upon detection of Mimikatz or other Zerologon exploits. The second detection mechanism is an executable file, Cynet.ZerologonDetector.exe, which detects spikes in network traffic of lsass.exe from a given IP. Because it scans memory dumps, the YARA rule can also detect attacks that occurred prior to its deployment, providing an indication that a Zerologon exploitation has taken place.
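As an added example (not Cynet's code and not the detector's actual logic), the "spike from a given IP" idea behind the second mechanism can be sketched as a sliding-window counter over ETW-style network events attributed to lsass.exe; the record layout, the 30-second window and the 200-connection threshold are assumptions, and the event feed is constructed for the demonstration:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample feed in the shape (ISO timestamp, process name, source IP).
# It is not real telemetry and not the layout Cynet.ZerologonDetector.exe consumes.
def build_sample_events():
    base = datetime(2020, 9, 20, 10, 0, 0)
    events = []
    # Benign host: one lsass.exe connection every two minutes for an hour.
    for i in range(30):
        events.append(((base + timedelta(minutes=2 * i)).isoformat(), "lsass.exe", "10.0.0.5"))
    # Suspicious host: 300 lsass.exe connections compressed into 15 seconds.
    for i in range(300):
        ts = base + timedelta(seconds=300 + i * 0.05)
        events.append((ts.isoformat(), "lsass.exe", "10.0.0.77"))
    # Unrelated process traffic that the detector must ignore.
    events.append((base.isoformat(), "svchost.exe", "10.0.0.77"))
    return events


def detect_lsass_spikes(events, window=timedelta(seconds=30), threshold=200, process="lsass.exe"):
    """Return {source_ip: peak_count} for every source IP whose connection count to
    `process` inside any sliding `window` reaches `threshold` (both values assumed)."""
    parsed = sorted(
        (datetime.fromisoformat(ts), proc, ip) for ts, proc, ip in events if proc == process
    )
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peaks = {}
    for ts, _proc, ip in parsed:
        q = recent[ip]
        q.append(ts)
        # Drop timestamps that fell out of the window ending at `ts`.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and len(q) > peaks.get(ip, 0):
            peaks[ip] = len(q)
    return peaks


if __name__ == "__main__":
    for ip, count in detect_lsass_spikes(build_sample_events()).items():
        print(f"spike: {count} lsass.exe connections from {ip} within one window")
```

Real deployments would feed this from ETW network events and tune the window and threshold to the domain controller's normal Netlogon load.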

Cynet’s free detection tool is non-intrusive, the company says, and based on Event Tracing for Windows (ETW) from Microsoft.