Redscan Labs has released a Zerologon Detector tool that it claims will detect any evidence that your organisation has been compromised. News of the tool's release, and its ability to detect previous infections, will be a welcome relief to some IT administrators.
Within hours of Zerologon being made public, proof-of-concept code began to appear. It has led to numerous warnings from Microsoft and organisations such as the Cybersecurity and Infrastructure Security Agency (CISA).
The Redscan Labs Zerologon Detector is designed to identify both successful and unsuccessful attacks. It does this by analysing the Windows event logs for evidence of attempts to exploit the flaw.
Who is the Redscan Zerologon Detector aimed at?
Whether you have patched, have not patched, or have servers that cannot be patched, anyone can use the Zerologon Detector. Redscan has made it free of charge, which means it can be downloaded and used as many times as a company wants. Importantly, it can also be run as a Windows Service. This allows it to run continuously and detect attempts to exploit the vulnerability in real time.
According to Redscan, the Detector looks for:
- An excessive number of Netlogon failure events targeting the machine account of the host it is running on (a Domain Controller) – this is a sign that an attacker is trying to exploit the vulnerability.
- A successful Netlogon to the machine account following the detection of the above, indicating a successful brute-force attack has occurred – proof the attacker has the right credentials.
- Finally, the detector looks for new 4742 Windows Events (A computer account was changed) targeting the machine account, conducted via an anonymous logon as performed by Zerologon exploits – proof that the domain password has been changed and the business was compromised.
One of the outputs from the Detector is a file containing a list of all IP addresses that it believes were attempting to exploit Zerologon. Redscan says this allows all these to be blocked.
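The three-stage logic described above, as an added illustration in Python that is not Redscan's code. The simplified event records, the 100-failure threshold, the source-IP field and the "ANONYMOUS LOGON" subject name are constructed assumptions; only event ID 4742 comes from the article.

```python
from collections import defaultdict

# Constructed, simplified event records standing in for Windows event log
# entries (not real log output). "netlogon_fail" / "netlogon_ok" represent
# Netlogon failure/success against the DC machine account; "4742" is the
# "A computer account was changed" event named in the article.
DC_ACCOUNT = "DC01$"
ATTACK_EVENTS = (
    [{"kind": "netlogon_fail", "account": DC_ACCOUNT, "src_ip": "10.0.0.5"}] * 150
    + [{"kind": "netlogon_ok", "account": DC_ACCOUNT, "src_ip": "10.0.0.5"}]
    + [{"kind": "4742", "target": DC_ACCOUNT, "subject": "ANONYMOUS LOGON",
        "src_ip": "10.0.0.5"}]
)
# Benign noise: a few stray failures and a 4742 performed by a named admin.
BENIGN_EVENTS = (
    [{"kind": "netlogon_fail", "account": DC_ACCOUNT, "src_ip": "10.0.0.9"}] * 3
    + [{"kind": "4742", "target": DC_ACCOUNT, "subject": "admin.jane",
        "src_ip": "10.0.0.9"}]
)


def detect(events, machine_account, fail_threshold=100):
    """Walk events in order and apply the three stages in sequence:
    many failures -> success from a flagged IP -> anonymous 4742."""
    fails = defaultdict(int)          # running failure count per source IP
    attempt_ips, credential_ips = set(), set()
    compromised = False
    for ev in events:
        kind, ip = ev["kind"], ev.get("src_ip")
        if kind == "netlogon_fail" and ev["account"] == machine_account:
            fails[ip] += 1
            if fails[ip] >= fail_threshold:      # stage 1: exploitation attempt
                attempt_ips.add(ip)
        elif kind == "netlogon_ok" and ev["account"] == machine_account:
            if ip in attempt_ips:                # stage 2: brute force succeeded
                credential_ips.add(ip)
        elif kind == "4742" and ev["target"] == machine_account:
            # stage 3: machine account changed via anonymous logon after stage 2
            if ev.get("subject") == "ANONYMOUS LOGON" and credential_ips:
                compromised = True
    return {"attempt_ips": attempt_ips, "credential_ips": credential_ips,
            "compromised": compromised}


def blocklist(result):
    """Sorted list of attacking IPs, the equivalent of the detector's IP file."""
    return sorted(result["attempt_ips"])


if __name__ == "__main__":
    for name, evs in (("attack", ATTACK_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, detect(evs, DC_ACCOUNT))
```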
Enterprise Times: What does this mean?
Anything that helps detect attempts to exploit a critical vulnerability is to be welcomed. In the case of Zerologon, the problem is that not all servers have been, or can be, patched. Running the Detector as a Windows Service will provide real-time alerts that an attack is in progress. This will help organisations react to an attack and tell them where they have unpatched servers.
With the seriousness of Zerologon, other security vendors will likely follow suit and issue their own detection tools.