Hunting for Zerologon

The Concept of the Zerologon Vulnerability

Zerologon Exploitation Stages

PoC and Exploits

Methods of Detection

Detection using the Netlogon debugging log

Example of events recorded in the Netlogon debugging log during exploitation of the Zerologon vulnerability

Detection of artifacts left by exploits

Event 5805. Session authentication error from host kali: access denied
Event 5723. Session setup error from host mimikatz because the evildc account does not exist in the security database

Detection, based on the differences between legitimate password changes and those caused by exploits

Event 4742. DC$ account password was changed at 5:46:34 PM
Event 5823. The password for the domain controller account was successfully changed by the system at 5:46:34 PM

Detecting exploitation based on network traffic

The traffic from Mimikatz version 2.2.0-20200916 when bypassing authentication
Encrypted traffic from Mimikatz version 2.2.0-20200918 when bypassing authentication
The traffic of the password reset request using the NetrServerPasswordSet2 method

Detecting artifacts in the LSASS address space

Example of a call to the hNetrServerAuthenticate3 function with the arguments passed to it
Fragment of the lsass process address space dump with artifacts after Zerologon was exploited

Conclusions


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age
