Anatomy of a Hack: Hands-on Red Teaming with the “Zerologon” Netlogon Elevation of Privilege Vulnerability with Mimikatz Integration

Webinar Registration

In August, Microsoft announced the release of a patch to address an attacker’s ability to establish a Netlogon secure channel to a domain controller via the Netlogon Remote Protocol (MS-NRPC) under CVE-2020-1472. Using a weak cryptographic algorithm in Netlogon’s authentication process, the attacker is able to achieve an elevation in privileges by impersonating any account desired and have control over all of Active Directory. Windows Server OSes from Server 2008 through 2019 are vulnerable to this attack and require an immediate update.

Dubbed Zerologon, this vulnerability is only partially patched today, with Microsoft admittedly only addressing how the secure RPC channel encryption is established, leaving the enforcement of the secured channel to be handled manually today and required in an update to be released in February of 2021.

Weaknesses in Microsoft’s cryptography are nothing new; the Curveball vulnerability from earlier this year took advantage of Windows crypt32.dll to create false certificates allowing for websites, applications, and systems to appear trusted. Curveball’s success put the attacker’s focus squarely on Microsoft’s cryptography, with Zerologon being indicative that additional vulnerability was found.

Microsoft isn’t alone in this; cryptography is strong but many implementations are weak. It’s hard to do cryptography right.

Mimikatz already has integrated support for Zerologon, making the exploitation of domain controllers and identifying easily compromised credentials an even easier task for attackers.

In this Anatomy of a Hack session, I’ll discuss the details around the vulnerability, how it works, and what’s at risk.

We’re going totally hands-on and live with this one! The extremely smart Kevin Breen, Director Cyber Threat Research at Immersive Labs, will demonstrate how to use this attack in red teaming, using their hands-on training platform.

He’ll also discuss how to effectively perform blue team efforts, including:

Detection of non-compliance devices
Identification of denied connections (indicating a potential attempt)
What details are available to respond to suspected attacks

This real training for free event will be jam packed with technical detail and real-world application. Register today!

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Phone:	Required
Job Title:	Required
Organization:	Required
Country:	Required
State:	Required
Industry:	Required
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.