Microsoft Defender for Identity can now detect Zerologon exploits

The update will help SecOps teams find and mitigate attacks using the authentication bypass flaw

Microsoft has updated its Microsoft Defender for Identity programme to detect Zerologon exploits, enabling SecOps teams to detect attacks using this vulnerability.

The Zerologon flaw is an authentication bypass flaw in the Netlogon Remote Protocol (MS-NRPC) that allows an attack against Microsoft Active Directory domain controllers, making it possible for a hacker to impersonate any computer, including the root domain controller.

"Microsoft Defender for Identity can detect this vulnerability early on," said Microsoft program manager Daniel Naim in a blog post. "It covers both the aspects of exploitation and traffic inspection of the Netlogon channel."

Alerts will be displayed to enable admins to identify the device that attempted the impersonation, the domain controller, the targeted asset, and whether the impersonation attempts were successful. "Finally, customers using Microsoft 365 Defender can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint," Naim added.

"This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation."

Microsoft has known about the Netlogon flaw since August, when it released an update for domain controllers.

MSRC VP of Engineering Aanchal Gupta said in a blog post that the company “strongly encourage anyone who has not applied the update to take this step now. Customers need to both apply the update and follow the original guidance as described in KB4557222 to ensure they are fully protected from this vulnerability.”

In an advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) advised agencies in the country to “immediately apply the Windows Server August 2020 security update to all domain controllers”.
