Forum Discussion

hps88
Copper Contributor
Dec 07, 2023

Multiple MDI alerts for "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"

We're seeing several alerts firing in our environment for the above. The alerts are primarily coming from Linux hosts which are using the Winbindd component in Samba to integrate with AD. We didn't find anything suspicious going on in the source hosts and, going by this Reddit post here, we don't seem to be the only ones experiencing this. Do we know what could be causing these alerts to fire off? Has there been a change in detection logic on Microsoft's end?

The alert page also provides very limited information about the activity.

  • philippwree
    Copper Contributor

    I had the same problem and got the following answer from Microsoft:

    Your suspicion is correct, these alerts are false positive alerts that were triggered by a code issue in a recent deployment that was intended to improve our false-positive detection coverage, which resulted in users seeing an increase of the specific alert in the security.microsoft.com portal. This was a global issue that was addressed in an advisory, SHD DZ696339.

    Service health - Microsoft 365 admin center

    • viral_mutant
      Copper Contributor

      philippwree, LiorShapira, can you please share what exactly is mentioned in that advisory?

      Our customers have also been complaining about these alerts being raised against our NAS appliances. We host the Likewise SMB server.

      • philippwree
        Copper Contributor
        Title: Users may see an increase of a specific alert in the security.microsoft.com portal

        User impact: Users may have seen an increase of a specific alert in the security.microsoft.com portal.

        More info: Impacted users saw the following alert, "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)".

        Final status: We've completed deploying the code fix and confirmed with internal telemetry that the issue is resolved.

        Scope of impact: Any user accessing the security.microsoft.com portal may have seen the "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)" alert repeatedly.

        Start time: Tuesday, December 5, 2023 at 1:00 AM GMT+1

        End time: Thursday, December 7, 2023 at 11:15 PM GMT+1

        Root cause: A code issue was introduced in a recent deployment that was intended to improve our false-positive detection coverage, which was resulting in users seeing an increased delivery of the specific alert in the security.microsoft.com portal.

        Next Steps:
        - We're further reviewing the recent deployment to understand how the code issue was introduced, and to understand what prevented it from being detected in our update testing and validation procedures, which will allow us to prevent similar issues in future updates.

        This is the final update for the event.
  • LeonPavesic
    Silver Contributor

    Hi hps88,

    The alerts you're seeing relate to the CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability, commonly known as ZeroLogon. This vulnerability allows an attacker to escalate privileges to a domain administrator level by exploiting a flaw in the Netlogon Remote Protocol.

    Microsoft Defender for Identity can detect attempts to exploit this vulnerability.
    The alerts may be triggered during testing of detection methods in a lab environment, which occasionally leads to false positives.
    In complex network setups, especially where Linux hosts integrate with Active Directory, these alerts may be triggered by normal activity.

    The limited information on the alert page is designed to provide key details about the attempted exploitation, such as the device involved, the domain controller, the targeted asset, and the success of the impersonation attempts.

    If you're confident there's no malicious activity, consider reaching out to Microsoft Support for assistance. They can help investigate the issue and adjust the alert system's sensitivity.

    It is also recommended to restrict access to port 135 at the firewall level to internal devices and install at least the August 2020 patches from Microsoft to mitigate the risk of exploitation.

    ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation) - Microsoft Community Hub

    www.cyber.gc.ca


    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)
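To make the "impersonation attempts" wording in the alert concrete, here is an added example (my own code, not from this thread, from Microsoft, or from Samba) of why the Zerologon detection keys on an all-zero client challenge. Netlogon computes the client credential with AES-128 in CFB8 mode over the 8-byte challenge using an all-zero IV; with a zero challenge there is a 1-in-256 chance per session key that the credential is also all zeros, which is what an attacker guesses on every attempt. The block uses the `cryptography` package for real AES when it is installed and otherwise falls back to an HMAC-SHA256 keyed function as a stand-in (an assumption of mine: the bias comes from CFB8 with a zero IV, not from AES, so any keyed pseudorandom block function shows it). The session keys it enumerates are constructed counters, not real secrets, and the "first five bytes" rule at the end is my reading of the post-fix MS-NRPC session-key negotiation check.

```python
"""Why an all-zero client challenge is the signal behind the
"Suspected Netlogon privilege elevation attempt" alert (CVE-2020-1472).

Netlogon derives the client credential with ComputeNetlogonCredential
(MS-NRPC 3.1.4.4.2): AES-128 in CFB8 mode over the 8-byte challenge with a
16-byte all-zero IV. CFB8 works one byte at a time: each output byte is
plaintext XOR E(shift_register)[0], and that output byte is then shifted into
the register. With a zero IV and a zero challenge, if E(0^16)[0] happens to be
0x00 (1 in 256 for a random session key) the register never changes and all
eight credential bytes are 0x00. A client that keeps sending a zero challenge
and a zero credential is accepted after ~256 attempts on average; that burst
is what the detection counts.
"""
import hashlib
import hmac
from typing import Callable

BlockEncrypt = Callable[[bytes, bytes], bytes]  # (16-byte key, 16-byte block) -> 16-byte block

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Real AES-128 encryption of a single block."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()

    BACKEND = "aes"
except ImportError:
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """Stdlib stand-in (assumption: any keyed pseudorandom function shows the
        same 1/256 bias because the flaw is CFB8 with a zero IV, not AES itself)."""
        return hmac.new(key, block, hashlib.sha256).digest()[:16]

    BACKEND = "hmac-sha256-stand-in"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 enc: BlockEncrypt = block_encrypt) -> bytes:
    """Generic CFB8 over a 16-byte block function, byte by byte."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = enc(key, bytes(shift))[0] ^ p   # keystream byte is the first byte of E(register)
        out.append(c)
        shift = shift[1:] + bytes([c])      # ciphertext byte feeds back into the register
    return bytes(out)


ZERO_IV = bytes(16)
ZERO_CHALLENGE = bytes(8)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """MS-NRPC ComputeNetlogonCredential (AES flavour): CFB8 with IV = 16 zero bytes."""
    assert len(session_key) == 16 and len(challenge) == 8
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_challenge_succeeds(session_key: bytes) -> bool:
    """True when a zero client challenge yields a zero credential, i.e. the
    attacker's fixed guess of eight 0x00 bytes would be accepted for this key."""
    return compute_netlogon_credential(session_key, ZERO_CHALLENGE) == ZERO_CHALLENGE


def first_keystream_byte_is_zero(session_key: bytes) -> bool:
    """The whole outcome hinges on this one byte of E(0^16)."""
    return block_encrypt(session_key, ZERO_IV)[0] == 0


def count_vulnerable_keys(n: int) -> int:
    """Enumerate n constructed session keys (a counter, not real secrets) and
    count how many would accept the zero credential. Expect about n/256."""
    return sum(zero_challenge_succeeds(i.to_bytes(16, "big")) for i in range(n))


def challenge_rejected_by_patched_server(challenge: bytes) -> bool:
    """Post-fix MS-NRPC 3.1.4.1 rule as I read it (Samba applies the same check):
    if none of the first five bytes of the client challenge is unique, session-key
    negotiation fails. This kills the all-zero challenge before any credential math."""
    first = challenge[0]
    return all(b == first for b in challenge[1:5])


if __name__ == "__main__":
    n = 8192
    hits = count_vulnerable_keys(n)
    print(f"backend={BACKEND}: {hits} of {n} session keys accept a zero credential (expect ~{n // 256})")
    print("patched server rejects zero challenge:", challenge_rejected_by_patched_server(ZERO_CHALLENGE))
```

A legitimate Samba/winbindd client sends a random challenge once per secure-channel setup, so what distinguishes an attack from normal Linux-to-AD traffic is not the RPC call itself but a run of hundreds of NetrServerAuthenticate attempts with a zero challenge from one source, which is also why a bug in that counting logic, as in the advisory above, shows up as a flood of false positives rather than a handful.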
