ZeroLogon Detection Script

ZeroLogon Exploit Vulnerability Check

Description

This script uses zeroLogon.exe to test the local machine to see if it is vulnerable to the ZeroLogon exploit (CVE-2020-1472).

Details of zeroLogon.exe can be found here - https://docs.google.com/document/d/1FDUpTPYCwesGU-9YMV-ta4A6LjwTohMIzv5Kgbx4Pmc/edit?usp=sharing

This script uses Kaseya agent variables to retrieve the details of the local machine, its NetBIOS name and IP address, and passes them to zeroLogon.exe as arguments.

The script will check that the osType is Windows Server 20?? and will only run on these machines.

This does not guarantee that they are suitable targets: the exploit only applies to Active Directory domain controllers, and the OS check alone does not tell you whether a server holds that role.

zeroLogon.exe then runs, the SUCCESS or FAILURE result is captured, and an email is sent with the result.

NB. Line 1 of the procedure contains the target email address - please change this to an appropriate address for your organisation.

The result is also written to the script log for the agent for reporting purposes.
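The gate / run / classify logic the description outlines, written out as a stand-alone PowerShell script. This is an added example, not the Kaseya procedure itself and not Secura's code. It assumes zeroLogon.exe sits in the agent temp directory and takes "<NetBIOS name> <IP address>" like Secura's zerologon_tester.py, and that the tool's output contains "Success!" for a vulnerable DC and "Attack failed" for a patched one (verify these strings against the build you deploy). The SKIPPED / INCONCLUSIVE wording is this example's own; the one security-relevant design point is that a binary that is missing, quarantined or fails to start is reported as INCONCLUSIVE, never as a clean result.

```powershell
# Added example: gate on OS type and DC role, run the tester, classify its output.
# Assumes zeroLogon.exe accepts "<NetBIOS name> <IP>" and prints "Success!" or
# "Attack failed" (Secura's zerologon_tester.py messages); adjust if your build differs.
param(
    [string]$ExePath = (Join-Path $env:TEMP 'zeroLogon.exe'),
    [string]$LogPath = (Join-Path $env:TEMP 'zerologon-check.log')
)

function Get-ZeroLogonResult {
    param([string]$Exe)

    $os = Get-CimInstance Win32_OperatingSystem

    # Gate 1: the same osType check the procedure performs, Windows Server 20xx only.
    if ($os.Caption -notmatch 'Windows Server 20\d\d') {
        return 'SKIPPED: not a Windows Server 20xx host'
    }
    # Gate 2: Win32_OperatingSystem.ProductType 2 means "Domain Controller".
    # Zerologon is a Netlogon flaw on DCs, so a member server is skipped rather
    # than being reported as not vulnerable.
    if ($os.ProductType -ne 2) {
        return 'SKIPPED: Windows Server but not a domain controller'
    }

    $machName  = $env:COMPUTERNAME
    $ipAddress = (Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
        Select-Object -First 1).IPAddress
    if (-not $ipAddress) {
        return 'INCONCLUSIVE: no usable IPv4 address found'
    }

    # A missing binary usually means antivirus quarantined it (the case reported in
    # the discussion below). That must surface as INCONCLUSIVE, never as "safe".
    if (-not (Test-Path $Exe)) {
        return "INCONCLUSIVE: $Exe not found (check AV quarantine / exclusions)"
    }

    try {
        # Merge stderr so a launcher error such as
        # "The system cannot execute the specified program." is captured too.
        $output = & $Exe $machName $ipAddress 2>&1 | Out-String
    }
    catch {
        return "INCONCLUSIVE: could not execute $Exe : $($_.Exception.Message)"
    }

    if ($output -match 'Success!') {
        return "VULNERABLE: $machName ($ipAddress) accepted a zero-key Netlogon authentication"
    }
    if ($output -match 'Attack failed') {
        return "NOT VULNERABLE: $machName ($ipAddress) appears patched"
    }
    # Anything else (launcher errors, truncated output) is not evidence either way.
    return "INCONCLUSIVE: unexpected output from ${Exe}: $($output.Trim())"
}

$result = Get-ZeroLogonResult -Exe $ExePath
# Appended to the log for reporting and echoed to stdout so the agent procedure
# (or its email step) can pick the line up.
"$(Get-Date -Format o) $result" | Tee-Object -FilePath $LogPath -Append
```

Run it from the procedure's PowerShell step after zeroLogon.exe has been copied to the agent temp directory, and hand the echoed line to the email step instead of a bare SUCCESS/FAILURE. Secura's tester only attempts the Netlogon authentication bypass; it does not reset the machine account password, so the check itself is safe to run against a production DC, but keep the exclusion for the binary scoped to the agent temp path rather than excluding the name globally.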

Special thanks to Secura (https://www.secura.com/)

zeroLogon.exe is a compiled version of their script, downloaded from here - https://github.com/SecuraBV/CVE-2020-1472/

Secura's blog explains the exploit - https://www.secura.com/blog/zero-logon

Developer
  • Name: Kaseya Automation Team
  • Company: Kaseya
  • Website: http://www.kaseya.com

Summary
  • ZeroLogon Detection Script
  • 85 Downloads
  • Version:
  • Initially Released September 16th, 2020

Reviews

    ZeroLogon Detection Script has no reviews.

    Discussion
    Marc Friesen 7 months ago

    VirusTotal shows 3 malware detection engines listing malicious code in this exe:

    https://www.virustotal.com/gui/file/90817e70bb7c35cea5c857f7398d472a5975a5ad9257407e6e55eabf1d46262f/detection

    Kaseya Automation Team 7 months ago

    Hello Marc,

    The exe provided is a compiled version of https://github.com/SecuraBV/CVE-2020-1472/. We ran this through our security filters and found no issues.

    Craig Hart 7 months ago

    Script doesn't work. Always comes back inconclusive.

    No mention of hardcoded email address inside script instead of using #admindefaults.adminemail# to pick up the email address of the VSA admin running the script automatically.


    Kaseya Automation Team 7 months ago

    @Craig Hart

    The description does indicate the need to modify the email address.


    Regarding the inconclusiveness, please let me know more details about what you are facing.

    Nathan Harris 7 months ago

    I'm getting the same output as Craig - INCONCLUSIVE on all tests

    Server 2016, DC roles, Result: "The system cannot execute the specified program."

    No A/V detection events

    Nathan Harris 7 months ago

    For our part, the issues have been narrowed down. We identified a typo in the agent procedure on lines 9 & 10:

    #vAgentconfiguration.AgentTempDir#\zeroLogon.exe #machName# #ipAddress#

    should be

    #agentTemp#\zeroLogon.exe #machName# #ipAddress#

    Once corrected, in our unique case, our antivirus then caught and quarantined the .exe. Adding a filename exclusion in the AV management portal resolved this issue and tests are now running as intended.


    Regards,

    Nathan Harris