ZeroLogon vulnerability (CVE-2020-1472)
The ZeroLogon vulnerability (CVE-2020-1472) allows a privilege escalation attack against Microsoft Active Directory domain controllers, making it possible for an attacker to impersonate any computer in the domain, including the root domain controller.
The flaw was addressed in Microsoft's August 2020 security updates. However, the risk increased after four PoCs were released and published publicly.
Recently, Microsoft warned about multiple malicious activities by MuddyWater using the ZeroLogon vulnerability in active campaigns over the last two weeks.
MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations, including the United Arab Emirates.
It is highly recommended to ensure all your servers are patched and up to date. For further details about ZeroLogon mitigation steps, please refer to the official notes released by Microsoft.
Initiate threat hunting activity for Event ID 5805 (System log) or Event ID 4624 followed by Event ID 4742, as both patterns will be triggered when the exploit is executed.
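One way to implement the hunt described above, as an added example that is not part of the original post: it flags any 5805 NETLOGON authentication failures and pairs a 4624 logon by a computer account (name ending in `$`) with a 4742 change of that same account shortly afterwards. The JSON-lines event export, its field names and the 60-second pairing window are constructed assumptions for this example, not Microsoft's event schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in JSON-lines form (not real logs). The DC01$ pair
# mimics the sequence described above: a network logon by the machine account
# followed seconds later by a change to that same account.
SAMPLE_EVENTS = """
{"EventID": 4624, "TimeCreated": "2020-10-06T10:00:01", "TargetUserName": "DC01$", "LogonType": 3}
{"EventID": 4742, "TimeCreated": "2020-10-06T10:00:03", "TargetUserName": "DC01$", "SubjectUserName": "ANONYMOUS LOGON"}
{"EventID": 5805, "TimeCreated": "2020-10-06T09:58:40", "Computer": "DC01"}
{"EventID": 4624, "TimeCreated": "2020-10-06T08:00:00", "TargetUserName": "WS17$", "LogonType": 3}
{"EventID": 4742, "TimeCreated": "2020-10-06T08:40:00", "TargetUserName": "WS17$", "SubjectUserName": "WS17$"}
"""

# Assumed pairing window between the 4624 and the 4742; tune for your environment.
WINDOW = timedelta(seconds=60)


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts' field, sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["TimeCreated"])
    return sorted(events, key=lambda ev: ev["ts"])


def hunt_zerologon(events):
    """Return (reason, account_or_host, timestamp) findings for the two hunt patterns."""
    findings = []
    last_logon = {}  # account name -> timestamp of its most recent 4624
    for ev in events:
        eid = ev["EventID"]
        if eid == 5805:
            # Netlogon session setup failed to authenticate for this computer.
            findings.append(("netlogon_auth_failure", ev.get("Computer"), ev["ts"]))
        elif eid == 4624:
            last_logon[ev["TargetUserName"]] = ev["ts"]
        elif eid == 4742:
            acct = ev["TargetUserName"]
            seen = last_logon.get(acct)
            # Only computer accounts matter here, and only a tight 4624 -> 4742 sequence.
            if acct.endswith("$") and seen is not None and ev["ts"] - seen <= WINDOW:
                findings.append(("logon_then_account_change", acct, ev["ts"]))
    return findings


if __name__ == "__main__":
    for reason, who, when in hunt_zerologon(parse_events(SAMPLE_EVENTS)):
        print(f"{when.isoformat()}  {reason:28s}  {who}")
```

The WS17$ pair is 40 minutes apart and is deliberately not flagged, to show that the window matters; a real SIEM rule would also correlate on the originating host.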