Detecting Zerologon - more than event 5829

 Zerologon basics

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Most current client machines are already (or should already) be using secured RPC without any recent published patches… In other words, we can “Assume” that all our current connections are using Secured RPC already…

But this is security and we don't assume. This recent patch mandates the following:

  • DC Begin enforcing secure RPC usage for all Windows-based device accounts, trust accounts and all DCs.
  • Log event IDs 5827 and 5828 in the System event log, if connections are denied.
  • Log event IDs 5830 and 5831 in the System event log, if connections are allowed by "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy.
  • Log event ID 5829 in the System event log whenever a vulnerable Netlogon secure channel connection is allowed. These events should be addressed before the DC enforcement mode is configured or before the enforcement phase starts on February 9, 2021.

 

We need to be searching for event 5827-5831 , NOT JUST 5829, it will not log until post patching

28578-58291.png

"Mitigation consists of installing the update on all DCs and RODCs, monitoring for new events, and addressing non-compliant devices that are using vulnerable Netlogon secure channel connections. Machine accounts on non-compliant devices can be allowed to use vulnerable Netlogon secure channel connections; however, they should be updated to support secure RPC for Netlogon and the account enforced as soon as possible to remove the risk of attack"

 

Script from Microsoft for testing

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/test-computersecurechannel?view=powershell-5.1

 

Managing secure channel changes

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Note that February 2021 enforcement will be mandated in the scheduled patching, so with basic dashboards and reports now, we can help you find applications and machines that may need to be addressed or retired soon.

 

Please schedule time with Castra for assistance in detecting this and other concerns with your platform