mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-16 12:45:17 +03:00
c21af3347e
- Add scripts/agent.py and references/api-reference.md to all remaining skills - Update all 648 LICENSE files: copyright now reads 'Mahipal' - Add implementing-security-monitoring-with-datadog (new skill with full anatomy) - All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2.1 KiB
2.1 KiB
API Reference: Zerologon (CVE-2020-1472)
Vulnerability Overview
- CVE: CVE-2020-1472
- CVSS: 10.0 (Critical)
- Protocol: MS-NRPC (Netlogon Remote Protocol)
- Port: 135 (RPC)
- Impact: Domain Admin without credentials
Attack Mechanism
The Netlogon AES-CFB8 implementation uses a static IV of zero bytes. Sending authentication requests with 256 zero bytes succeeds with probability 1/256 per attempt.
Detection Tools
Nmap
nmap -p 135,445 --script smb-vuln-cve-2020-1472 <DC_IP>
Impacket zerologon_tester.py
zerologon_tester.py DC01 10.10.10.1
CrackMapExec
crackmapexec smb <DC_IP> -u '' -p '' -M zerologon
Patch Information
Microsoft KBs
| KB | OS Version |
|---|---|
| KB4571694 | Windows Server 2016 |
| KB4571703 | Windows Server 2019 |
| KB4571723 | Windows Server 2012 R2 |
| KB4571736 | Windows Server 2012 |
Registry Key for Enforcement
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
FullSecureChannelProtection = 1 (DWORD)
MS-NRPC Protocol
NetrServerAuthenticate3
DCERPC call to \PIPE\netlogon
Function: NetrServerAuthenticate3
ClientCredential: 8 zero bytes
NegotiateFlags: 0x212fffff
Authentication Flow
- Client calls
NetrServerReqChallenge(sends 8 zero bytes) - Server responds with ServerChallenge
- Client calls
NetrServerAuthenticate3(ClientCredential = zeros) - On success (~1/256), client sets DC machine password to empty
Event Log Detection
Event IDs
| Event | Source | Description |
|---|---|---|
| 5827 | Netlogon | Vulnerable connection denied |
| 5828 | Netlogon | Vulnerable connection allowed |
| 5829 | Netlogon | Vulnerable connection (audit mode) |
| 5830 | Netlogon | Device allowed by GPO exception |
| 5831 | Netlogon | Device denied |
KQL Detection
SecurityEvent
| where EventID in (5827, 5828, 5829)
| project TimeGenerated, Computer, EventData
Remediation
- Apply KB patches immediately
- Set
FullSecureChannelProtection = 1 - Monitor Event IDs 5827-5831
- Block RPC port 135 from untrusted networks
- Enable DC enforcement mode