Microsoft Defender for Identity can now detect Zerologon exploits

The update will help SecOps teams find and mitigate attacks using the authentication bypass flaw


Microsoft has updated its Microsoft Defender for Identity programme to detect Zerologon exploits, enabling SecOps teams to detect attacks using this vulnerability.

The Zerologon flaw is an authentication bypass in the Netlogon Remote Protocol (MS-NRPC) that allows an attack against Microsoft Active Directory domain controllers, making it possible for an attacker to impersonate any computer, including the root domain controller.

"Microsoft Defender for Identity can detect this vulnerability early on," said Microsoft program manager Daniel Naim in a blog post. "It covers both the aspects of exploitation and traffic inspection of the Netlogon channel."

Alerts will be displayed to enable admins to identify the device that attempted the impersonation, the domain controller, the targeted asset, and whether the impersonation attempts were successful. "Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint," Naim added.

"This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation."

Microsoft has known about the Netlogon flaw since August, when it released an update for domain controllers.

MSRC VP of Engineering Aanchal Gupta said in a blog post that the company “strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.”

In an advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) advised agencies in the country to “immediately apply the Windows Server August 2020 security update to all domain controllers”.
