ZeroLogon Exploit Vulnerability Check
This script uses zeroLogon.exe to test the local machine to see if it is Vulnerable to ZeroLogon Exploit.
Details of zeroLogon.exe can be found here - https://docs.google.com/document/d/1FDUpTPYCwesGU-9YMV-ta4A6LjwTohMIzv5Kgbx4Pmc/edit?usp=sharing
This script uses Kasseya to retrieve the details of the local machine, the netBIOS name and IP address, and passes this to the zeroLogon.exe.
The script will check that the osType is Windows Server 20?? and will only run on these machines.
This does not guarantee that they are suitable targets (AD Controllers).
zeroLogon.exe then runs and the SUCCESS ro FAILURE result is captured and an email is sent with the result.
NB. Line 1 of the procedure contains the target email address - please change this to an appropriate address for your organisation.
The result is also written to the script log for the agent for reporting purposes.
Special thanks to Secura (https://www.secura.com/)
zeroLogon.exe is a compiled version of their script, downloaded from here - https://github.com/SecuraBV/CVE-2020-1472/
Secura's blog explains the exploit - https://www.secura.com/blog/zero-logon
ZeroLogon Detection Script has no reviews.
Virustotal shows 3 malware detection engines list malicious code in this exe:
the exe provided is a compiled version of https://github.com/SecuraBV/CVE-2020-1472/ We ran this through our security filters and found no issues.
Script doesn't work. always comes back inconclusive.
No mention of hardcoded email address inside script instead of using #admindefaults.adminemail# to pick up the email address of the VSA admin running the script automatically.
The description does indicate the need to modify the email address.
Regarding the inconclusiveness, please let me know more details about what you are facing.
I'm getting the same output at Craig - INCONCLUSIVE on all tests
Server 2016, DC roles, Result: "The system cannot execute the specified program."
No A/V detection events
For our part, the issues have been narrowed down. We identified a typo in the agent procedure on lines 9 & 10:
#vAgentconfiguration.AgentTempDir#\zeroLogon.exe #machName# #ipAddress#
#agentTemp#\zeroLogon.exe #machName# #ipAddress#
Once corrected, in our unique case, our antivirus then caught and quarantined the .exe. Adding a filename exclusion in the AV management portal resolved this issue and tests are now running as intended.