{"id":92264,"date":"2020-11-30T09:00:20","date_gmt":"2020-11-30T17:00:20","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=92264"},"modified":"2023-08-07T16:13:11","modified_gmt":"2023-08-07T23:13:11","slug":"zerologon-is-now-detected-by-microsoft-defender-for-identity","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/","title":{"rendered":"Zerologon is now detected by Microsoft Defender for Identity"},"content":{"rendered":"<p>There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/security\/identity-defender\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender for Identity<\/a> along with other <a href=\"https:\/\/aka.ms\/m365d\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft 365 Defender<\/a> solutions detect adversaries as they try to exploit this vulnerability against your domain controllers.<\/p>\n<h2>Here is a sneak peek into our detection lifecycle<\/h2>\n<p>Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate exploits and produce various methods for detecting attacks. This is highlighted in our response to suspected <a href=\"https:\/\/docs.microsoft.com\/en-us\/defender-for-identity\/compromised-credentials-alerts#suspected-wannacry-ransomware-attack-external-id-2035\" target=\"_blank\" rel=\"noopener noreferrer\">WannaCry<\/a> attacks and with the alert for <a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/lateral-movement-alerts#suspected-smb-packet-manipulation-cve-2020-0796-exploitation---preview-external-id-2406\" target=\"_blank\" rel=\"noopener noreferrer\">Suspected SMB (Server Message Block) packet manipulation<\/a> (CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and find possible attacker activity.<\/p>\n<p>Over the past two months since CVE-2020-1472 was first disclosed, interest in this detection rapidly increased. This happened even if we did not observe any activity matching exploitation of this vulnerability in the initial weeks after the August security updates. It generally takes a while before disclosed vulnerabilities are successfully reverse-engineered and corresponding mechanisms are built.<\/p>\n<p>This lack of activity changed on September 13, when we triggered a surge in alerts. Simultaneously, this increase in activity was followed by the publication of several proof-of-concept tools and demo exploits that can leverage the vulnerability.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-92265 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/s-1-1.png\" alt=\"Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020\" width=\"871\" height=\"495\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-1-1.png 871w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-1-1-300x170.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-1-1-768x436.png 768w\" sizes=\"auto, (max-width: 871px) 100vw, 871px\" \/><\/p>\n<p><em>Figure 1: Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13, 2020<\/em><\/p>\n<p>Microsoft Defender for Identity can detect this vulnerability early on. It covers both the aspects of exploitation and traffic inspection of the Netlogon channel.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-92266\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/s-2-1.png\" alt=\"Alert page experience\" width=\"859\" height=\"438\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-2-1.png 859w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-2-1-300x153.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-2-1-768x392.png 768w\" sizes=\"auto, (max-width: 859px) 100vw, 859px\" \/><\/p>\n<p><em>Figure 2: Alert page experience<\/em><\/p>\n<p>With this Microsoft Defender for Identity alert, you will be able to identify:<\/p>\n<ul>\n<li>The device that attempted the impersonation.<\/li>\n<li>The domain controller.<\/li>\n<li>The targeted asset.<\/li>\n<li>Whether the impersonation attempts were successful.<\/li>\n<\/ul>\n<p>Finally, customers using <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/security\/microsoft-365-defender\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft 365 Defende<\/a>r can take full advantage of the power of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from <a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/security\/endpoint-defender\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender for Endpoint.<\/a> This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see device process and file activity associated with the exploitation.<\/p>\n<h2>A close look at some of the earliest ZeroLogon attacks<\/h2>\n<p>ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario, it will require an initial entry vector inside an organization to facilitate exploitation against domain controllers. During initial monitoring of security signals, <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/microsoft-threat-experts\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Threat Experts<\/a> observed ZeroLogon exploitation activity in multiple organizations. In many cases, it was clear that the activity was originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their perimeter into organizations that, after a month of a patch being available, were still running unpatched domain controllers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-92267\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/s-3.png\" alt=\"Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale\" width=\"998\" height=\"594\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-3.png 998w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-3-300x179.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-3-768x457.png 768w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/p>\n<p><em>Figure 3: Typical Zerologon exploitation activity generated by a vulnerability scanner or a red team testing domain controller at scale<\/em><\/p>\n<p>One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older vulnerability for SharePoint (CVE-2019-0604) to exploit remotely unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike based payload and immediately started exploring the network perimeter and targeting domain controllers found with the ZeroLogon exploit.<\/p>\n<p>Using the @MsftSecIntel Twitter handle, we <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1308941504707063808\" target=\"_blank\" rel=\"noopener noreferrer\">publicly shared some file indicators<\/a> used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when executed on devices protected by Microsoft Defender for Endpoints.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-92268\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/s-4.png\" alt=\"Placeholder\" width=\"998\" height=\"239\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-4.png 998w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-4-300x72.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-4-768x184.png 768w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/p>\n<h2>Hunting for ZeroLogon in Microsoft 365 Defender<\/h2>\n<p>Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It has logic that constantly attempts to combine alerts and events using a variety of correlation logic based on knowledge of cause-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.<\/p>\n<p>In this section, we provide an example (in the simplified form of an <a href=\"https:\/\/docs.microsoft.com\/en-gb\/microsoft-365\/security\/mtp\/advanced-hunting-overview?view=o365-worldwide\" target=\"_blank\" rel=\"noopener noreferrer\">advanced hunting query<\/a>) of how Microsoft 365 Defender correlation logic operates behind-the-scenes to combine alerts, reducing Security Operations Centers (SOC) fatigue and facilitating investigation.<\/p>\n<p>The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the NetLogon exploit.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-92269 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/s-6.png\" alt=\"Placeholder\" width=\"998\" height=\"390\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-6.png 998w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-6-300x117.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/s-6-768x300.png 768w\" sizes=\"auto, (max-width: 998px) 100vw, 998px\" \/><\/p>\n<p>First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. This will help populate the AlertId for the second query.<\/p>\n<p><code>\/\/ Find all Netlogon exploit attempt alerts containing source devices<br \/>\nlet queryWindow = 3d;<br \/>\nAlertInfo<br \/>\n| where Timestamp &gt; ago(queryWindow)<br \/>\n| where ServiceSource == \"Azure ATP\"<br \/>\n| where Title == \"Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)\"<br \/>\n| join (AlertEvidence<br \/>\n| where Timestamp &gt; ago(queryWindow)<br \/>\n| where EntityType == \"Machine\"<br \/>\n| where EvidenceDirection == \"Source\"<br \/>\n| where isnotempty(DeviceId)<br \/>\n) on AlertId<br \/>\n| summarize by AlertId, DeviceId, Timestamp<\/code><\/p>\n<p>Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:<\/p>\n<p><code>\/\/ Find potential endpoint Netlogon exploit evidence from AlertId<br \/>\nlet NLAlertId = \"insert alert ID here\";<br \/>\nlet lookAhead = 1m;<br \/>\nlet lookBehind = 6m;<br \/>\nlet NLEvidence = AlertEvidence<br \/>\n| where AlertId == NLAlertId<br \/>\n| where EntityType == \"Machine\"<br \/>\n| where EvidenceDirection == \"Source\"<br \/>\n| where isnotempty(DeviceId)<br \/>\n| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;<br \/>\nlet sourceMachine = NLEvidence | distinct DeviceId;<br \/>\nlet alertTime = todatetime(toscalar(ZLEvidence | distinct Timestamp));<br \/>\nDeviceNetworkEvents<br \/>\n| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))<br \/>\n| where DeviceId in (sourceMachine)<br \/>\n| where RemotePort == 135 or RemotePort between (49670 .. 49680)<br \/>\n| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl<br \/>\n| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl<\/code><\/p>\n<p>This query can return a result that looks like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-92276 size-full\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/wp-content\/uploads\/2020\/11\/Screenshot-125.png\" alt=\"\" width=\"631\" height=\"342\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/Screenshot-125.png 631w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/Screenshot-125-300x163.png 300w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><\/p>\n<p>Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture as to what happened on the device suspected of launching the exploit. This could save SOC analysts time when investigating alerts, because the relevant details are there to determine if it was caused by a curious researcher or from an actual attack.<\/p>\n<h2>Defend against ZeroLogon<\/h2>\n<p>Learn more about the\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/azure-advanced-threat-protection\/compromised-credentials-alerts#suspected-netlogon-privilege-elevation-attempt-cve-2020-1472-exploitationexternalid2411\" target=\"_blank\" rel=\"noopener noreferrer\">alert here<\/a>, along with information on all the alerts Defender for Identity uses to help you stay protected from identity-based attacks.<\/p>\n<p>Also, feel free to review\u00a0<a href=\"https:\/\/support.microsoft.com\/help\/4557222\/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc\" target=\"_blank\" rel=\"noopener noreferrer\">our guidance\u00a0<\/a>on managing changes in Netlogon secure channel connections and how you can prevent this vulnerability<\/p>\n<p>Customers with Microsoft Defender for Endpoint can get additional guidance from<a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Fsecuritycenter.windows.com%2Fthreatanalytics3%2Fc57607da-fb94-43f3-b8ba-1acda0242900%2Fanalystreport&amp;data=02%7C01%7CDaniel.Naim%40microsoft.com%7C5a14a796515d428cb11608d86545b735%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637370697507756901&amp;sdata=uxd2wKhtSyqr9A2dqhO9D7YW%2F7MgA%2F3o1WnmWjpmCO8%3D&amp;reserved=0\" target=\"_blank\" rel=\"noopener noreferrer\">\u00a0the threat analytics article\u00a0<\/a>available in Microsoft Defender Security Center.<\/p>\n<h2>Get started today<\/h2>\n<p>Are you just starting your Microsoft Defender for Identity journey? Begin a trial of\u00a0<a href=\"https:\/\/www.microsoft.com\/en-us\/microsoft-365\/security\/microsoft-365-defender\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft 365 Defender<\/a>\u00a0to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.<\/p>\n<p>Join the\u00a0<a href=\"https:\/\/techcommunity.microsoft.com\/t5\/Azure-Advanced-Threat-Protection\/bd-p\/AzureAdvancedThreatProtection\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender for Identity Tech Community\u00a0<\/a>for the latest updates and news about Identity Security Posture Management assessments, detections, and other updates.<\/p>\n<p>To learn more about Microsoft Security solutions <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/solutions\" target=\"_blank\" rel=\"noopener noreferrer\">visit our\u00a0website<\/a>. Bookmark the <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\" target=\"_blank\" rel=\"noopener noreferrer\">Security blog<\/a>\u00a0to keep up with our expert coverage on security matters. Also, follow us at\u00a0<a href=\"https:\/\/twitter.com\/@MSFTSecurity\" target=\"_blank\" rel=\"noopener noreferrer\">@MSFTSecurity<\/a>\u00a0for the latest news and updates on cybersecurity.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>There has been a huge focus on the recently patched CVE-2020-1472 Netlogon Elevation of Privilege vulnerability, widely known as ZeroLogon. While Microsoft strongly recommends that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. Microsoft Defender for [&hellip;]<\/p>\n","protected":false},"author":98,"featured_media":92272,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ms_queue_force_push":false,"ms_queue_id":"","ep_exclude_from_search":false,"_classifai_error":"","_classifai_text_to_speech_error":"","footnotes":""},"content-type":[3662],"topic":[3688],"products":[3690,3696],"threat-intelligence":[],"tags":[3747,3898],"coauthors":[2460],"class_list":["post-92264","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","content-type-news","topic-threat-trends","products-microsoft-defender","products-microsoft-defender-for-identity","tag-cobalt-strike","tag-elevation-of-privilege"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v24.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog<\/title>\n<meta name=\"description\" content=\"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2020-11-30T17:00:20+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-07T23:13:11+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1707\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Daniel Naim\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Daniel Naim\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/daniel-naim\/\",\"@type\":\"Person\",\"@name\":\"Daniel Naim\"}],\"headline\":\"Zerologon is now detected by Microsoft Defender for Identity\",\"datePublished\":\"2020-11-30T17:00:20+00:00\",\"dateModified\":\"2023-08-07T23:13:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\"},\"wordCount\":1108,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\",\"keywords\":[\"Cobalt Strike\",\"Elevation of privilege\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\",\"name\":\"Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\",\"datePublished\":\"2020-11-30T17:00:20+00:00\",\"dateModified\":\"2023-08-07T23:13:11+00:00\",\"description\":\"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg\",\"width\":2560,\"height\":1707,\"caption\":\"Real people, real offices. Male developer coding while standing at his desk. Code, develop, engineer, Visual Studio, Azure.\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Zerologon is now detected by Microsoft Defender for Identity\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog","description":"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/","og_locale":"en_US","og_type":"article","og_title":"Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog","og_description":"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/","og_site_name":"Microsoft Security Blog","article_published_time":"2020-11-30T17:00:20+00:00","article_modified_time":"2023-08-07T23:13:11+00:00","og_image":[{"width":2560,"height":1707,"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","type":"image\/jpeg"}],"author":"Daniel Naim","twitter_card":"summary_large_image","twitter_image":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","twitter_misc":{"Written by":"Daniel Naim","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/daniel-naim\/","@type":"Person","@name":"Daniel Naim"}],"headline":"Zerologon is now detected by Microsoft Defender for Identity","datePublished":"2020-11-30T17:00:20+00:00","dateModified":"2023-08-07T23:13:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/"},"wordCount":1108,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","keywords":["Cobalt Strike","Elevation of privilege"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/","name":"Zerologon is now detected by Microsoft Defender for Identity | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","datePublished":"2020-11-30T17:00:20+00:00","dateModified":"2023-08-07T23:13:11+00:00","description":"A new detection allows Microsoft Defender for Identity to detect adversaries as they try to exploit the Zerologon vulnerability (CVE-2020-1472) against your domain controllers.","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2020\/11\/CLO20b_Garrett_office_003-scaled.jpg","width":2560,"height":1707,"caption":"Real people, real offices. Male developer coding while standing at his desk. Code, develop, engineer, Visual Studio, Azure."},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2020\/11\/30\/zerologon-is-now-detected-by-microsoft-defender-for-identity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Zerologon is now detected by Microsoft Defender for Identity"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/92264","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/98"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=92264"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/92264\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media\/92272"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=92264"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=92264"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=92264"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=92264"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=92264"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=92264"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=92264"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}