[Solved] LSASS Credential Dumping and the ZeroLogon Vulnerability (CVE-2020-1472)


Understanding LSASS Credential Dumping and the ZeroLogon Vulnerability (CVE-2020-1472)

 

Introduction

Credential theft and lateral movement are key tactics employed by threat actors in modern cyberattacks. LSASS (Local Security Authority Subsystem Service) credential dumping, combined with vulnerabilities like CVE-2020-1472 (commonly known as ZeroLogon), creates a potent attack vector. This blog delves into the ZeroLogon vulnerability, its implications for LSASS credential dumping, affected systems, and detailed mitigation strategies, including step-by-step fixes and PowerShell scripts.

 

What is LSASS Credential Dumping?

LSASS is a critical Windows process responsible for enforcing security policies and handling user logins, password changes, and access tokens. Credential dumping from LSASS involves extracting stored authentication data such as usernames, password hashes, and Kerberos tickets. Attackers can use tools like Mimikatz to extract these credentials, enabling lateral movement across a network.

 

What is CVE-2020-1472 (ZeroLogon)?

CVE-2020-1472, or ZeroLogon, is a critical elevation of privilege vulnerability discovered in Microsoft’s Netlogon Remote Protocol (MS-NRPC). Exploiting this flaw allows attackers to impersonate any computer, including the domain controller, without requiring authentication. This can lead to complete domain compromise, enabling LSASS credential dumping and further attacks.

 

Technical Details

The vulnerability stems from an implementation flaw in the cryptographic authentication mechanism of MS-NRPC. During the Netlogon handshake, a client can present a predictable sequence of zeros as its challenge and credential, and the flawed scheme accepts it, so a connection can be established without proper authentication and without knowledge of the computer account's password.

By exploiting ZeroLogon, an attacker can:

Reset the password of the domain controller’s computer account.

Gain administrative privileges.

Perform LSASS credential dumping to harvest additional credentials.

Affected Operating Systems

The ZeroLogon vulnerability affects:

Windows Server 2008 R2 SP1

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

Windows Server 2019

Windows Server (20H2 and later)

 

Note: Although the primary target is domain controllers, other systems communicating with the domain controller using MS-NRPC are indirectly affected.

 

How to Fix the Vulnerability

 

Step 1: Apply Microsoft Security Patches

Microsoft released patches addressing CVE-2020-1472 in August 2020. These updates ensure that Netlogon uses secure RPC for all communication. Ensure all domain controllers and affected systems are updated to the latest security patches.

Download the appropriate updates from Microsoft’s Security Update Guide.

Deploy the patches across your environment using Windows Update, WSUS, or SCCM.

 

Step 2: Enable Enforcement Mode

Microsoft’s fix introduces an enforcement mode for Netlogon. In this mode, the domain controller denies Netlogon secure channel connections from devices that do not use secure RPC.

 

Verify enforcement mode status:

Open Event Viewer and navigate to Applications and Services Logs > Microsoft > Windows > Netlogon > Operational.

Look for events with ID 5827, 5828, or 5829, indicating non-compliant device connections.

 

Enable enforcement mode:

Enforcement mode will be enabled by default starting February 2021. Before this, administrators can enable it manually by editing the registry or using Group Policy.

Step 3: Registry Fix for Enforcement Mode

Follow these steps to manually enable enforcement mode using the Windows Registry:

Open the Registry Editor:

Press Win + R, type regedit, and press Enter.

Navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Add or modify the following registry value:

Name: FullSecureChannelProtection

Type: REG_DWORD

Value: 1

Restart the Netlogon service:

Open Command Prompt as Administrator.

Run the command:

net stop netlogon && net start netlogon

 

Step 4: Validate the Fix

Use tools like nltest to test secure channel connections:

nltest /sc_verify:

Ensure that no non-compliant connections are reported in the Netlogon Operational logs.
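The registry setting from Step 3 and the nltest check from this step can be validated across the whole domain in one pass. The following PowerShell is an added example, not the original post's script: it reads FullSecureChannelProtection from every domain controller over WinRM and then runs nltest /sc_verify: against the domain (the domain name follows the colon). It assumes the RSAT ActiveDirectory module is installed on the admin workstation, that WinRM is reachable on the domain controllers, and the two helper function names are hypothetical.

```powershell
# Added example (not the original post's script).
# Assumes: RSAT ActiveDirectory module installed locally, WinRM reachable on DCs.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regName = 'FullSecureChannelProtection'

# Hypothetical helper: read the enforcement-mode value from each DC over WinRM.
function Get-NetlogonEnforcementState {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $name = $using:regName
        # An absent value returns $null; the DC then relies on the update's
        # default (enforced from February 2021 onward), so only 0 is an
        # explicit opt-out and only 1 is an explicit opt-in.
        $item  = Get-ItemProperty -Path $using:regPath -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Computer                    = $env:COMPUTERNAME
            FullSecureChannelProtection = $value
            ExplicitlyEnforced          = ($value -eq 1)
            ExplicitlyDisabled          = ($value -eq 0)
        }
    } | Select-Object Computer, FullSecureChannelProtection, ExplicitlyEnforced, ExplicitlyDisabled
}

# Hypothetical helper: wrap "nltest /sc_verify:<domain>" and return a
# structured result instead of raw console text.
function Test-NetlogonSecureChannel {
    param([Parameter(Mandatory)][string]$Domain)

    $output = & nltest.exe "/sc_verify:$Domain" 2>&1
    [pscustomobject]@{
        Domain   = $Domain
        Verified = ($LASTEXITCODE -eq 0)
        Output   = ($output -join "`n")
    }
}

$domain = (Get-ADDomain).DNSRoot
$dcs    = (Get-ADDomainController -Filter *).HostName

# Any DC with ExplicitlyDisabled = True is the one to fix first.
Get-NetlogonEnforcementState -ComputerName $dcs | Format-Table -AutoSize
Test-NetlogonSecureChannel -Domain $domain | Format-List
```

Run it from a domain-joined admin workstation: the first table shows which domain controllers have the value set explicitly to 1, left unset, or set to 0, and the second block reports whether this machine's own secure channel to the domain verifies successfully.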

 

PowerShell Script to Fix the Vulnerability

To automate the registry fix and ensure enforcement mode is enabled, use the following PowerShell script:

 

# PowerShell Script to Enable Netlogon Enforcement Mode
# Check if running as Administrator
$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
    Write-Host "Please run this script as Administrator." -ForegroundColor Red
    exit 1
}

# Define registry path and value
$registryPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$registryName  = "FullSecureChannelProtection"
$registryValue = 1

# Check if the registry key exists (it is created by the Netlogon service)
if (-not (Test-Path $registryPath)) {
    Write-Host "Netlogon registry path not found." -ForegroundColor Yellow
    exit 1
}

# Set the registry value; -ErrorAction Stop makes failures reach the catch block
try {
    Set-ItemProperty -Path $registryPath -Name $registryName -Value $registryValue -Type DWord -ErrorAction Stop
    Write-Host "Netlogon enforcement mode enabled successfully." -ForegroundColor Green

    # Restart the Netlogon service so the new setting takes effect
    Restart-Service -Name "Netlogon" -Force -ErrorAction Stop
    Write-Host "Netlogon service restarted." -ForegroundColor Green
} catch {
    Write-Host "Error enabling Netlogon enforcement mode: $_" -ForegroundColor Red
    exit 1
}

 

Additional Mitigation Measures

 

Restrict LSASS Access:

Enable Credential Guard to prevent unauthorized LSASS access.

Use Windows Defender Exploit Guard to block credential dumping tools.

 

Monitor for ZeroLogon Exploitation:

Set up alerts for Event ID 5829, which indicates a failed Netlogon connection using insecure RPC.
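The event-based check from Step 2 and the alerting point above can be scripted rather than read off Event Viewer by hand. The following PowerShell is an added example, not part of the original post: it collects Netlogon events 5827, 5828 and 5829 and summarizes them by the machine account named in each event. It assumes these events are written by the NETLOGON provider to the System log (pass -LogName to read another channel), that the message body contains "Machine SamAccountName: <name>" as in Microsoft's event template, and the function name is hypothetical.

```powershell
# Added example, not part of the original post.
# Assumption: the 5827/5828/5829 events are written by the NETLOGON provider to
# the System log; use -LogName if your environment records them elsewhere.
function Get-NetlogonInsecureConnectionEvents {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-7),
        [string]  $LogName      = 'System',
        [string]  $ComputerName = $env:COMPUTERNAME
    )

    $filter = @{
        LogName      = $LogName
        ProviderName = 'NETLOGON'
        Id           = 5827, 5828, 5829
        StartTime    = $Since
    }
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Assumption based on the event template: the machine account appears
        # in the message body as "Machine SamAccountName: <name>".
        $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unparsed>' }
        $outcome = switch ($e.Id) {
            5827 { 'denied: machine account without secure RPC' }
            5828 { 'denied: trust account without secure RPC' }
            5829 { 'insecure RPC connection observed' }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Outcome = $outcome
            Account = $account
            DC      = $e.MachineName
        }
    }
}

# Summarize which accounts keep connecting without secure RPC, and how often.
$findings = @(Get-NetlogonInsecureConnectionEvents -Since (Get-Date).AddDays(-1))
$findings | Group-Object Account, EventId |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Alert condition for whatever ticketing or SIEM hook you use.
if (@($findings | Where-Object EventId -eq 5829).Count -gt 0) {
    Write-Warning "Event 5829 seen in the last 24h: a device is still using insecure Netlogon RPC."
}
```

Run it on each domain controller (or point -ComputerName at one) on a schedule; the grouped table tells you which machine accounts need patching or replacement before enforcement mode starts denying them, and the warning is the hook to wire into your alerting.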

 

Audit and Harden Accounts:

Rotate domain controller passwords regularly.

Limit administrative privileges.

 

Network Segmentation:

Isolate critical infrastructure, such as domain controllers, to minimize exposure.

 

Conclusion

CVE-2020-1472, or ZeroLogon, highlights the critical need for timely patching and robust security practices. By understanding the vulnerability, updating systems, and enforcing secure configurations, organizations can mitigate the risk of LSASS credential dumping and other related attacks. Use the provided step-by-step registry fix and PowerShell script to enhance your defense against this critical vulnerability. Stay vigilant and proactive to protect your network.
