Skip to ContentSkip to Footer
News

Microsoft Defender for Identity can now detect Zerologon exploits

The update will help SecOps teams find and mitigate attacks using the authentication bypass flaw

by: Rene Millman
1 Dec 2020
A security flaw depicted by a padlock with bullet holes on a circuit board

Shutterstock

Microsoft has updated its Microsoft Defender for Identity programme to detect Zerologon exploits, enabling SecOps teams to detect attacks using this vulnerability.

The Zerologon flaw is authentication bypass flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

"Microsoft Defender for Identity can detect this vulnerability early on," said Microsoft program manager Daniel Naim in a blog post. "It covers both the aspects of exploitation and traffic inspection of the Netlogon channel."

Alerts will be displayed to enable admins to identify the device that attempted the impersonation, the domain controller, the targeted asset, and whether the impersonation attempts were successful. "Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint," Naim added.

"This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation."

Microsoft has known about the Netlogon flaw since August when it released an update for domain controllers.

MSRC VP of Engineering Aanchal Gupta said in a blog post that the company “strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.”

In an advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) advised agencies in the country to “immediately apply the Windows Server August 2020 security update to all domain controllers”.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

Microsoft suspends Windows 365 trials
Microsoft Windows

Microsoft suspends Windows 365 trials

4 Aug 2021
Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Google, Microsoft fight over documents in antitrust lawsuit
Policy & legislation

Google, Microsoft fight over documents in antitrust lawsuit

30 Jul 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

UK gov considers blocking Nvidia's takeover of Arm
Acquisition

UK gov considers blocking Nvidia's takeover of Arm

4 Aug 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Preparing for AI-enabled cyber attacks
Whitepaper

Preparing for AI-enabled cyber attacks

22 Jul 2021
Skip to HeaderSkip to Content