T1212 – Exploitation for Credential Access (Microsoft Defender for Identity Detection)

Microsoft Defender for Identity Alert Details
Alert ID: MDI-EXPLOIT-1212-7842
Alert Time: 2024-02-22 10:30:15 EST
Severity: CRITICAL (95/100)
Source: Microsoft Defender for Identity
Rule: “Suspicious Zerologon Attempt Detected (CVE-2020-1472)”
MITRE ATT&CK: T1212 – Exploitation for Credential Access

Alert Details:

Detection: Possible Zerologon exploit attempt against domain controller

Target: DC-02 (Secondary Domain Controller)
Time: 10:25 EST

Exploit Details:

Vulnerability: CVE-2020-1472 (Zerologon)
CVSS Score: 10.0 (Critical)
Affected Protocol: Netlogon (MS-NRPC)
Exploit Attempts: 2,500+ in 2 minutes

Netlogon Anomalies:

Multiple Netlogon requests with zeroed computer account credentials
Requests for computer account: DC-02$ (domain controller account)
Attempts to reset computer account password
Pattern matches Zerologon exploit (privilege escalation to domain admin)

Detection Logic:

2,500+ Netlogon requests in short time (anomalous)
All requests use zeroed credentials (exploit signature)
Targeting domain controller computer account
Attempts to change password without authentication
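
The four detection criteria above, applied as an added example (not MDI's rule logic or code from this page) to a constructed, simplified Netlogon request log: per source, a sliding two-minute window counts requests that carry an all-zero ClientCredential against a computer account ($) and notes whether a password-set call was among them. The record layout, the workstation IP 10.0.5.17 and the sample credential values are assumptions; the MS-NRPC method names are real, but logging them in this form is a simplification.

```python
from collections import deque
from datetime import datetime, timedelta

ZEROED = "0000000000000000"  # 8-byte ClientCredential of all zeros: the Zerologon signature


def build_sample_log():
    """Constructed sample data (not real MDI or Windows event output):
    a 2,600-request zeroed-credential burst against DC-02$ from one source,
    plus ordinary secure-channel traffic from a workstation."""
    start = datetime(2024, 2, 22, 10, 25, 0)
    records = []
    for i in range(2600):  # ~117 s of attempts, every third one a password-set call
        op = "NetrServerPasswordSet2" if i % 3 == 2 else "NetrServerAuthenticate3"
        records.append((start + timedelta(milliseconds=45 * i),
                        "185.143.221.89", "DC-02$", op, ZEROED))
    for i in range(20):  # benign: non-zero credentials at a low rate
        records.append((start + timedelta(seconds=6 * i),
                        "10.0.5.17", "WS-17$", "NetrServerAuthenticate3", "9f2c1a3b4d5e6f70"))
    return sorted(records)


def detect_zerologon_bursts(records, window=timedelta(minutes=2), threshold=2500):
    """Per source IP, count zeroed-credential Netlogon requests against computer
    accounts inside a sliding window; alert once the count reaches the threshold,
    recording the peak count and whether a password reset was attempted."""
    recent = {}   # source ip -> deque of (time, op, target) zeroed-credential requests
    alerts = {}   # source ip -> alert summary
    for ts, src, target, op, cred in records:
        if cred != ZEROED or not target.endswith("$"):
            continue  # normal secure-channel traffic or a user account: not the pattern
        q = recent.setdefault(src, deque())
        q.append((ts, op, target))
        while ts - q[0][0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = {
                "target": target,
                "count": max(len(q), alerts.get(src, {}).get("count", 0)),
                "password_set_attempt": any(o == "NetrServerPasswordSet2" for _, o, _ in q),
                "window_start": q[0][0].isoformat(), "last_seen": ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, a in detect_zerologon_bursts(build_sample_log()).items():
        print(f"ALERT {src} -> {a['target']}: {a['count']} zeroed-credential requests, "
              f"password set attempted={a['password_set_attempt']}")
```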

Additional Context:

Zerologon allows an attacker to gain domain admin privileges
Exploit targets the Netlogon protocol
Successful exploitation gives the attacker control of the domain
Patch available (August 2020) – host may be unpatched
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify MDI alert | Microsoft Defender for Identity | Confirmed Zerologon exploit attempts |
| 2. Immediate Action | Block attacker IP | Firewall, Network ACLs | Attacker IP 185.143.221[.]89 blocked |
| 3. Patch Verification | Check if DC-02 is patched | SCCM, Windows Update | DC-02 MISSING critical patch (CVE-2020-1472) |
| 4. Apply Patch | Deploy emergency patch | SCCM, Windows Update | Patch applied immediately |
| 5. Exploit Check | Verify if exploit succeeded | Event Logs, MDI | Exploit attempts detected; no success (patched) |
| 6. Threat Hunting | Check for similar attempts | MDI, Splunk | No other exploit attempts found |

Jira Incident Report
Ticket: SOC-2024-115
Summary: T1212 – Zerologon Exploit Attempt Against Unpatched Domain Controller
Status: RESOLVED
Resolution: MALICIOUS – Exploit Blocked, Patch Applied
Priority: P1 – CRITICAL
Labels: T1212, exploitation, credential-access, zerologon, mdi, cve-2020-1472
Components: Vulnerability-Management, Domain-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Identity.
Alert: “Suspicious Zerologon Attempt Detected (CVE-2020-1472)”.
Target: DC-02 (Secondary Domain Controller).
Attacker IP: 185.143.221[.]89.
Time: 2024-02-22 10:30 EST.
Technique: MITRE ATT&CK T1212 – Exploitation for Credential Access.

2. Technical Analysis:

Exploit Details:

Vulnerability: CVE-2020-1472 (Zerologon)
CVSS: 10.0 (Critical)
Affected: Netlogon protocol (MS-NRPC)
Impact: An attacker can become domain admin without credentials

Attack Attempt:

10:25-10:27 – 2,500+ Netlogon requests from 185.143.221[.]89
Requests targeted DC-02$ computer account
All requests used zeroed credentials (exploit signature)
Attempts to reset computer account password
Pattern: Standard Zerologon exploitation

System Status:

DC-02 was MISSING patch KB4565349 (August 2020)
Vulnerability present for 3.5 years
Exploit would have succeeded if not detected

Exploit Success Criteria:

Attacker needs to send 2,500+ requests (each attempt has only a small chance of success, so the probability of success increases with the number of attempts)
After ~2,500 attempts, password reset succeeds
Attacker can then use the computer account to authenticate as domain admin

3. Investigation Findings:

Timeline:

10:25 – Exploit attempts begin
10:27 – 2,500+ attempts completed
10:27 – MDI detects anomalous pattern
10:30 – Alert triggers
10:32 – SOC investigates
10:33 – Attacker IP blocked
10:35 – Patch verification (found missing)
10:40 – Emergency patch applied
10:45 – System rebooted

Indicators of Compromise (IoCs):

Network:
– Attacker IP: 185.143.221[.]89
– Protocol: Netlogon (MS-NRPC)
– Pattern: 2,500+ requests with zeroed credentials

Vulnerability:
– CVE-2020-1472 (unpatched until 10:40)

4. Containment Actions:

Immediate Actions:

Blocked attacker IP at firewall.
Isolated DC-02 temporarily.
Verified exploit did not succeed (event logs).

Patch Remediation:

Applied KB4565349 (emergency patch).
Rebooted DC-02.
Verified patch installed.

Enterprise-Wide Actions:

Scanned all domain controllers for missing patch.
Found 2 additional DCs missing patch (applied).
Verified all domain controllers patched.

5. Root Cause Analysis:

Primary Cause: Missing critical security patch (3.5 years unpatched).
Contributing Factors:
Patch management failure (missed critical updates).
No vulnerability scanning for domain controllers.
No network segmentation limiting Netlogon access.

6. Business Impact:

Operational Impact: DC-02 offline for 30 minutes for patching.
Security Impact: Exploit detected and blocked before success.
Reputational Impact: Internal only.

7. Remediation & Prevention:

Completed Actions:

Patch applied.
Attacker blocked.
Other DCs verified.

Technical Controls Enhanced:

Implemented mandatory patch compliance for all DCs.
Deployed vulnerability scanning (Qualys) for all critical systems.
Enabled Netlogon security fixes (enforce secure RPC).
Created alert for any Zerologon attempt.

8. Conclusion:

An attacker attempted to exploit the Zerologon vulnerability (CVE-2020-1472) against an unpatched domain controller. MDI detected the exploit pattern and triggered an alert. The attacker's IP was blocked before the exploit could succeed, and the missing patch was applied to DC-02 and to the other domain controllers found to be unpatched.

Closure Rationale: Patch applied; exploit blocked; attacker IP blocked.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-22 11:30 EST
