How to detect CVE (2020-1472) and enrich data / track malicious activity using Alsid
| Use case | Detect CVE (2020-1472) and enrich data / track malicious activity using Alsid |
| Nature | Contextual setup |
| Component | Web interface |
| Version impacted | Before 2.8.0 |
| Solution offered | Modus operandi |
| Ressources | This article |
Use case description:
Useful before 2.8.0 version
The CVE (2020-1472) has been published. Alsid recommends applying Microsoft's recommendation and detecting signs of suspicious activity with Alsid for AD.
Description from: portal.msrc.microsoft.com
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472.
When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Modus operandi:
How and where
With Alsid for AD, you can Track changes that occurs on your DCs and RODCs (look for account change related activity) by setup a Syslog Alert with a Trailflow query:
Targets of this CVE: Domain Controller (Primary Group Id 516) ReadOnly Domain Controller (Primary Group Id 521) Enterprise ReadOnly Domain Controller (Primary Group Id 498)
1. Setup your Syslog Alert with this Trailflow query syntax to detect modifications on Domain controllers objects:
'primaryGroupId:521 OR primaryGroupID:498 OR primaryGroupID:516' In this menu: Web Interface \ System \ Configuration \ Alerting Engine \ Syslog
This allows you to capture DC linked events
2. On your SIEM, define your request* to filter the results from Alsid for AD to extract failed authentication:
(*The following examples are provided based on Splunk, QRadar, Sentinell. The query can be modified based on your SIEM provider, check with your SIEM integrator or contact your dedicated Alsid CSM)
- Splunk:
(source="WinEventLog:Security" (EventCode="4742") (TargetUserName="*$") ((SubjectUserName="*anonymous*") OR (SubjectUserSid="*S-1-0*")))- Qradar:
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log' and ("EventID" = '4742') and ("TargetUserName" ilike '%$') and (("SubjectUserName" ilike '%anonymous%') or ("SubjectUserSid" ilike '%S-1-0%')))- Sentinel:
SecurityEvent | where ((EventID == 4742) and (TargetUserName endswith '$') and ((SubjectUserName contains 'anonymous') or (SubjectUserSid contains 'S-1-0')))
3. Other use case: you can track Microsoft System events id 5805 and 5723 (Netlogon Events) to identify Mimikatz Activity:
- Splunk:
(source="WinEventLog:System" (EventCode="5805" OR EventCode="5723") "mimikatz")- Qradar:
SELECT UTF8(payload) as search_payload from events where (LOGSOURCETYPENAME(devicetype) ilike 'Microsoft Windows Security Event Log' and ("EventID" = '5805' or "EventID" = '5723') and search_payload ilike '%mimikatz%')- Sentinel:
Event | where ((EventID == 5805 or EventID == 5723) and * contains 'mimikatz')
That's it! Please don't hesitate to share your queries and findings with the Alsid community.
Add New Comment