IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Microsoft Defender for Identity can now detect Zerologon exploits

The update will help SecOps teams find and mitigate attacks using the authentication bypass flaw

Microsoft has updated its Microsoft Defender for Identity programme to detect Zerologon exploits, enabling SecOps teams to detect attacks using this vulnerability.

The Zerologon flaw is authentication bypass flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

"Microsoft Defender for Identity can detect this vulnerability early on," said Microsoft program manager Daniel Naim in a blog post. "It covers both the aspects of exploitation and traffic inspection of the Netlogon channel."

Alerts will be displayed to enable admins to identify the device that attempted the impersonation, the domain controller, the targeted asset, and whether the impersonation attempts were successful.

"Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint," Naim added.

"This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation."

Microsoft has known about the Netlogon flaw since August when it released an update for domain controllers.

MSRC VP of Engineering Aanchal Gupta said in a blog post that the company “strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.”

In an advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) advised agencies in the country to “immediately apply the Windows Server August 2020 security update to all domain controllers”.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Microsoft launches low-code Power Pages for 'intuitive' web development
web development

Microsoft launches low-code Power Pages for 'intuitive' web development

24 May 2022
Windows 11's nifty new search feature has one major downside
Microsoft Windows

Windows 11's nifty new search feature has one major downside

23 May 2022
Microsoft says it's provided over $100 million in tech support to Ukrainian government
cyber attacks

Microsoft says it's provided over $100 million in tech support to Ukrainian government

20 May 2022
Microsoft to double salary budget to retain workers
Careers & training

Microsoft to double salary budget to retain workers

17 May 2022

Most Popular

Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022
Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022