Indicators

The branded Zerologon vulnerability is related to a critical vulnerability (CVE-2020-1472) in Windows Server that has received a CVSS score of 10.0 from Microsoft. It consists of an elevation of privileges that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). This vulnerability allows attackers to compromise a domain and acquire domain administrators privileges.

DCShadow is another late-stage kill chain attack that allows an attacker with privileged credentials to register a rogue domain controller in order to push arbitrary changes to a domain via domain replication (for example applying forbidden sidHistory values).

DNS zone transfer is a legitimate feature to replicate a DNS zone from a primary DNS server to a secondary one, using the AXFR query type. However, attackers often abuse this mechanism during the reconnaissance phase in order to retrieve all DNS records, providing them valuable information for attacking the environment. In particular, a successful DNS zone transfer can give an attacker useful information about the computers listed in the DNS zone, how to access them and also guessing their roles. Note that failed zone transfer (ex. not having the necessary rights, zone transfer not configured on the server, etc.) are also detected.

The local Administrators group was enumerated with SAMR RPC interface, more than likely with BloodHound/SharpHound.

The critical CVE-2020-1472 named as Zerologon is an attack that abuses a cryptography flaw in the Netlogon protocol, allowing an attacker to establish a Netlogon secure channel with a domain controller as any computer. From there, several post exploitation techniques can be used to achieve privilege escalation, such as domain controller account password change, coerced authentication, DCSync attacks, and others. The ZeroLogon exploit is often mistaken with the post exploitation activities using the actual Netlogon spoofed authentication bypass (addressed by the IOA 'Zerologon Exploitation'). This indicator focuses on one of the post exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.

The critical CVE-2021-42287 can lead to an elevation of privileges on the domain from a standard account. The flaw arises from bad handling of requests targeting an object with a nonexistent sAMAccountName attribute. The domain controller automatically adds a trailing dollar sign ($) to the sAMAccountName value if it doesn't find one, which can lead to the impersonation of a targeted computer account.

After a user logs on, attackers can attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS).

NTDS exfiltration refers to the technique that attackers use to retrieve the NTDS.dit database. This file stores Active Directory secrets such as password hashes and Kerberos keys. Once accessed, the attacker parses a copy of this file offline, providing an alternative to DCSync attacks for retrieval of the Active Directory's sensitive content.

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords - also known as the low-and-slow method

PetitPotam tool can be used to coerce authentication of the target machine to a remote system, generally to perform NTLM relay attacks. If PetitPotam targets a domain controller, an attacker can authenticate to another network machine relaying the domain controller's authentication.

Shows potential misconfigurations of domain service accounts.

Checks that there are no duplicated (conflicting) users, computers, or groups.

Detects Shadow Credentials backdoors and misconfigurations in the "Windows Hello for Business" feature and its associated key credentials.

Checks that the built-in guest account is disabled.

Ensures Managed Service Accounts (MSAs) are deployed and well configured.

Checks that privileged Active Directory user accounts are not synchronized to Microsoft Entra ID.

A step-by-step guide on the configuration of an authentication silo for privileged (Tier-0) accounts.

Checks that the DNS server configuration disallows unsecure dynamic DNS zone updates.

Lists the misconfigured parameters related to Windows Server Update Services (WSUS).

Checks for the integrity of property sets and validates permissions