Happy Independence Day from all of us at the Connect IT Community! Our US offices will be closed on Monday, July 4th, 2022 in recognition of the holiday. Limited Support staff in the US will be on-call and available for critical Service(s) Down issues only. Normal Support operations in the US will resume on Tuesday, July 5th, 2022.

ZeroLogon Detection Script

Kaseya Automation Team
Kaseya Automation Team USMember, Kaseya Certified CHOCOLATE MILK
edited January 24 in Solutions

Product Name: ZeroLogon Detection Script

Description : This script uses zeroLogon.exe to test the local machine to see if it is Vulnerable to ZeroLogon Exploit.

Details of zeroLogon.exe can be found here - https://docs.google.com/document/d/1FDUpTPYCwesGU-9YMV-ta4A6LjwTohMIzv5Kgbx4Pmc/edit?usp=sharing

This script uses Kasseya to retrieve the details of the local machine, the netBIOS name and IP address, and passes this to the zeroLogon.exe.

The script will check that the osType is Windows Server 20?? and will only run on these machines.

This does not guarantee that they are suitable targets (AD Controllers).

zeroLogon.exe then runs and the SUCCESS ro FAILURE result is captured and an email is sent with the result.

NB. Line 1 of the procedure contains the target email address - please change this to an appropriate address for your organisation.

The result is also written to the script log for the agent for reporting purposes.

Special thanks to Secura (https://www.secura.com/)

zeroLogon.exe is a compiled version of their script, downloaded from here - https://github.com/SecuraBV/CVE-2020-1472/

Secura's blog explains the exploit - https://www.secura.com/blog/zero-logon

Instructions :

1. extract the XML and exe from the attached zip

2. Put zeroLogon.exe in X:\Kaseya\WebPages\ManagedFiles\VSaSharedFiles

3. Import the XML

 

You can now run this on any Windows Domain Controllers, and check the Procedure Logs, or your email for the results.

Tagged:

Comments

  • Marc Friesen
    Marc Friesen Member
    edited September 2020

    Virustotal shows 3 malware detection engines list malicious code in this exe: 

    https://www.virustotal.com/gui/file/90817e70bb7c35cea5c857f7398d472a5975a5ad9257407e6e55eabf1d46262f/detection

  • Kaseya Automation Team
    Kaseya Automation Team USMember, Kaseya Certified CHOCOLATE MILK
    edited September 2020

    Hello Marc,

    the exe provided is a compiled version of  https://github.com/SecuraBV/CVE-2020-1472/ We ran this through our security filters and found no issues.

  • Craig Hart
    Craig Hart Member DECAF
    edited September 2020

    Script doesn't work. always comes back inconclusive.

    No mention of hardcoded email address inside script instead of using #admindefaults.adminemail# to pick up the email address of the VSA admin running the script automatically.


  • Kaseya Automation Team
    Kaseya Automation Team USMember, Kaseya Certified CHOCOLATE MILK
    edited September 2020

    @Craig Hart

    The description does indicate the need to modify the email address.


    Regarding the inconclusiveness, please let me know more details about what you are facing.

  • Nathan Harris
    Nathan Harris Member
    edited September 2020

    I'm getting the same output at Craig - INCONCLUSIVE on all tests

    Server 2016, DC roles, Result: "The system cannot execute the specified program."

    No A/V detection events

  • Nathan Harris
    Nathan Harris Member
    edited October 2020

    For our part, the issues have been narrowed down. We identified a typo in the agent procedure on lines 9 & 10:

    #vAgentconfiguration.AgentTempDir#\zeroLogon.exe #machName# #ipAddress#

    should be

    #agentTemp#\zeroLogon.exe #machName# #ipAddress#

    Once corrected, in our unique case, our antivirus then caught and quarantined the .exe. Adding a filename exclusion in the AV management portal resolved this issue and tests are now running as intended.


    Regards,

    Nathan Harris

Categories

Join The Community

Weekly Leaderboard