{"id":4725,"date":"2021-02-16T16:32:16","date_gmt":"2021-02-16T14:32:16","guid":{"rendered":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4725"},"modified":"2021-03-01T14:54:52","modified_gmt":"2021-03-01T12:54:52","slug":"zerologon-cve-2020-1472-et-splunk","status":"publish","type":"post","link":"https:\/\/www.laurentmarot.fr\/wordpress\/?p=4725","title":{"rendered":"Zerologon (CVE-2020-1472) et Splunk"},"content":{"rendered":"

Plut\u00f4t que de lire des b\u00eatises sur Silicon.fr et son code fantaisiste 4272<\/a>, jetez plut\u00f4t un \u0153il sur l’article de blog de Secura : Instantly Become Domain Admin by Subverting Netlogon Cryptography<\/a> ou t\u00e9l\u00e9chargez le rapport Zerologon by Secura<\/a><\/p>\n

\"Zerologon<\/a>

Zerologon by secura<\/p><\/div>\n

Autres sources d’inspiration:<\/p>\n

la base : le site de l’ANSSI<\/a> qui explique :<\/p>\n

Il est possible, dans certaines conditions, de d\u00e9tecter une tentative d’exploitation qui aurait pu subvenir avant application du correctif de Microsoft, gr\u00e2ce aux journaux g\u00e9n\u00e9r\u00e9s par Windows.<\/em><\/p>\n

Pour cela, la politique d’audit \u00ab\u00a0Gestion du compte > Auditer la gestion des comptes d’ordinateur\u00a0\u00bb [2] doit \u00eatre activ\u00e9e sur les contr\u00f4leurs de domaine. Les \u00e9v\u00e9nements \u00ab\u00a0Un compte d’ordinateur a \u00e9t\u00e9 modifi\u00e9\u00a0\u00bb, dont l’identifiant est 4742, sont ainsi g\u00e9n\u00e9r\u00e9s dans le journal de s\u00e9curit\u00e9.<\/p>\n

De tels \u00e9v\u00e9nements sont g\u00e9n\u00e9r\u00e9s de mani\u00e8re l\u00e9gitime lorsqu’un compte d’ordinateur renouvelle son mot de passe. N\u00e9anmoins, l’attaque Zerologon conduit aux sp\u00e9cificit\u00e9s suivantes :<\/p>\n

le champ SubjectUserName est \u00ab\u00a0ANONYMOUS LOGON\u00a0\u00bb ;
\nle champ TargetUserName est le compte machine d’un contr\u00f4leur de domaine.<\/p>\n

Zerologon Detection (CVE-2020-1472)<\/a> qui propose la r\u00e8gle suivante : Primary Search for Local Domain Controller Exploitation by Zerologon<\/p>\n

index=\u00a0\u00bb<windows_index>\u00a0\u00bb (sourcetype=\u00a0\u00bb<windows_sourcetype_security>\u00a0\u00bb OR source=\u00a0\u00bbwindows_source_security\u00a0\u00bb) EventCode=\u00a0\u00bb4742″ OR EventCode=\u00a0\u00bb4624″ AND (src_user=\u00a0\u00bb*anonymous*\u00a0\u00bb OR member_id=\u00a0\u00bb*S-1-0*\u00a0\u00bb)
\n`comment(\u00ab\u00a0This looks for all 4624 and 4742 events under an ‘ANONYMOUS USER’, which are tied to the exploitation of Zerologon\u00a0\u00bb)`<\/span>
\n| eval local_system=mvindex(upper(split(user,\u00a0\u00bb$\u00a0\u00bb)),0)
\n`comment(\u00ab\u00a0This effectively splits the user field, which when parsed with the TA for Windows, may also appear as the Target User. Since the exploit would specifically occur using a local account on the Domain Controller, it stands to reason that detecting a modified user object, modified by a local system account, would be evidence of the exploit. The split removes the ‘$’, creating a new field, deriving the local_system name via the original user field [ie. user=’NameOfDC$’ would become local_system=’NameofDC’]\u00a0\u00bb)`<\/span>
\n| search host=local_system
\n`comment(\u00ab\u00a0A search to only find instances of these events when the host (DC) is the same as the extracted local_system account name performing the action\u00a0\u00bb)`<\/span>
\n| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain<\/p>\n

\n

Ressources compl\u00e9mentaires :<\/p>\n

<\/a>ZeroLogon testing script<\/a><\/h1>\n

A Python script that uses the Impacket library to test vulnerability for the Zerologon exploit (CVE-2020-1472).<\/p>\n

It attempts to perform the Netlogon authentication bypass. The script will immediately terminate when successfully performing the bypass, and not perform any Netlogon operations. When a domain controller is patched, the detection script will give up after sending 2000 pairs of RPC calls and conclude the target is not vulnerable (with a false negative chance of 0.04%).<\/p>\n

 <\/p>\n\n","protected":false},"excerpt":{"rendered":"

Plut\u00f4t que de lire des b\u00eatises sur Silicon.fr et son code fantaisiste 4272, jetez plut\u00f4t un \u0153il sur l’article de blog de Secura : Instantly Become Domain Admin by Subverting Netlogon Cryptography ou t\u00e9l\u00e9chargez le rapport Zerologon by Secura Autres sources d’inspiration: la base : le site de l’ANSSI qui explique : Il est possible, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[47],"tags":[],"_links":{"self":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4725"}],"collection":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4725"}],"version-history":[{"count":7,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4725\/revisions"}],"predecessor-version":[{"id":4755,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/4725\/revisions\/4755"}],"wp:attachment":[{"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4725"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.laurentmarot.fr\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}