hps88
Dec 07, 2023Copper Contributor
Multiple MDI alerts for "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
We're seeing several alerts firing up in our environment for the above. The alerts are primarily coming up from Linux hosts which are using the Winbindd component in Samba to integrate with the AD. W...
LeonPavesic
Dec 07, 2023Silver Contributor
Hi hps88,
The alerts you're seeing relate to the CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability, commonly known as ZeroLogon. This vulnerability allows an attacker to escalate privileges to a domain administrator level by exploiting a flaw in the Netlogon Remote Protocol.
Microsoft Defender for Identity can detect attempts to exploit this vulnerability.
The alerts may be triggered during testing of detection methods in a lab environment, which occasionally leads to false positives.
In complex network setups, especially where Linux hosts integrate with Active Directory, these alerts may be triggered by normal activity.
The limited information on the alert page is designed to provide key details about the attempted exploitation, such as the device involved, the domain controller, the targeted asset, and the success of the impersonation attempts.
If you're confident there's no malicious activity, consider reaching out to Microsoft Support for assistance. They can help investigate the issue and adjust the alert system's sensitivity.
It is also recommended to restrict access to port 135 at the firewall level to internal devices and install at least the August 2020 patches from Microsoft to mitigate the risk of exploitation.
ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation) - Microsoft Community Hub
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
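As an added triage example (not code from the thread or from Microsoft), the script below runs against domain controllers that have the August 2020 or later Netlogon update installed and lists which accounts still open vulnerable Netlogon secure channels, using the Netlogon System-log events 5827-5831 that the update introduced. Its `-DomainControllers` and `-Days` parameters, the choice to read the account and domain from the first two event properties, and the "treat a known Samba/winbind host as a false positive" interpretation are assumptions for this example.

```powershell
# Added example: summarise Netlogon events that record vulnerable (non-secure-RPC)
# secure-channel connections on domain controllers patched with the August 2020 update.
#   5827/5828 = connection denied (machine / trust account)
#   5829      = vulnerable connection allowed during the initial deployment phase
#   5830/5831 = vulnerable connection allowed by the "Allow vulnerable Netlogon
#               secure channel connections" group policy
param(
    [string[]]$DomainControllers = @('localhost'),  # assumption: replace with your DC names
    [int]$Days = 7                                   # assumption: look-back window
)

$filter = @{
    LogName   = 'System'
    Id        = 5827, 5828, 5829, 5830, 5831
    StartTime = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { $_.ProviderName -eq 'NETLOGON' } |
            ForEach-Object {
                # Assumption: property 0 is the SamAccountName, property 1 the domain,
                # matching the order in the event's message template.
                [pscustomobject]@{
                    DomainController = $dc
                    Time             = $_.TimeCreated
                    EventId          = $_.Id
                    Account          = $_.Properties[0].Value
                    Domain           = $_.Properties[1].Value
                    Outcome          = if ($_.Id -in 5827, 5828) { 'Denied' } else { 'Allowed (vulnerable)' }
                }
            }
    } catch {
        # Get-WinEvent also throws when no matching events exist; report and continue.
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

# One row per account/outcome: a Linux host running an old Samba/winbind that still
# uses the legacy Netlogon handshake shows up here repeatedly, which points to a
# Samba upgrade rather than to an intrusion; an unknown account deserves a closer look.
$events |
    Group-Object Account, Outcome |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            Outcome  = $_.Group[0].Outcome
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
            DCs      = ($_.Group.DomainController | Sort-Object -Unique) -join ','
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Cross-check the accounts listed against the MDI alert's "device involved" field: a match on a known Samba host explains the alert, while an account that is not expected to use Netlogon at all should be treated as a real finding.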