hps88
Dec 07, 2023 - Copper Contributor
Multiple MDI alerts for "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
We're seeing several alerts firing up in our environment for the above. The alerts are primarily coming up from Linux hosts which are using the Winbindd component in Samba to integrate with the AD. W...
viral_mutant
Dec 15, 2023 - Copper Contributor
philippwree, LiorShapira, can you please share what exactly is mentioned in that advisory?
Our customers have also been complaining of these alerts being raised against our NAS appliances. We host Likewise SMB server.
philippwree
Dec 15, 2023 - Copper Contributor
Title: Users may see an increase of a specific alert in the security.microsoft.com portal
User impact: Users may have seen an increase of a specific alert in the security.microsoft.com portal.
More info: Impacted users saw the following alert, "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)".
Final status: We've completed deploying the code fix and confirmed with internal telemetry that the issue is resolved.
Scope of impact: Any user accessing the security.microsoft.com portal may have seen the "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)" alert repeatedly.
Start time: Tuesday, December 5, 2023 at 1:00 AM GMT+1
End time: Thursday, December 7, 2023 at 11:15 PM GMT+1
Root cause: A code issue was introduced in a recent deployment that was intended to improve our false-positive detection coverage, which was resulting in users seeing an increased delivery of the specific alert in the security.microsoft.com portal.
Next Steps:
- We're further reviewing the recent deployment to understand how the code issue was introduced, and to understand what prevented it from being detected in our update testing and validation procedures, which will allow us to prevent similar issues in future updates.
This is the final update for the event.