Hunting for Zerologon

The Concept of the Zerologon Vulnerability

Zerologon Exploitation Stages

PoC and Exploits

Methods of Detection

Detection using the Netlogon debugging log

Example of events recorded in the Netlogon debugging log during exploitation of the Zerologon vulnerability

Detection of artifacts left by exploits

Event 5805. Session authentication failed from host kali (access denied)
Event 5723. Session setup from host mimikatz failed because there is no account named evildc in the security database

Detection, based on the differences between legitimate password changes and those caused by exploits

Event 4742. DC$ account password was changed at 5:46:34 PM
Event 5823. The password for the domain controller account was successfully changed by the system at 5:46:34 PM

Detecting exploitation based on network traffic

The traffic from Mimikatz version 2.2.0-20200916 when bypassing authentication
Encrypted traffic from Mimikatz version 2.2.0-20200918 when bypassing authentication
The traffic of the password reset request using the NetrServerPasswordSet2 method

Detecting artifacts in the LSASS address space

Example of a call to the hNetrServerAuthenticate3 function with the arguments passed to it
Fragment of the lsass process address space dump with artifacts after Zerologon was exploited

Conclusions

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
