Check Registry For ZeroLogon Vuln Status
This procedure checks whether machines have the Microsoft patch installed that protects against the ZeroLogon exploit.
Microsoft has released a number of patches that address this issue - August Cumulative update, September Cumulative update, August Security Only Update and so on.
This agent procedure checks for the existence of a specific registry key - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection
Regardless of the patch type that is installed, this key is created by the patch that addresses this issue.
This agent procedure will update a custom field called "zeroLogonVuln" with one of 4 possible options:
"Vulnerable" - The registry key does not exist, so the machine has not received any patch that addresses this issue
"Patched - 0" - The registry key was found, and currently has the value 0
"Patched - 1" - The registry key was found, and currently has the value 1
"Unsupported OS" - If the agent is not a Windows OS, you will see this message.
Microsoft is releasing this patch in 2 parts. The first part creates the registry key and sets the value to 0. A later patch, currently targeted for February 2021, will then set this value to "1".
Further information can be found here - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
The procedure will also create an Agent Procedure Log entry, starting with "zeroLogonResult: ".
Using the Custom Field, you can filter machines in the interface and use the agent procedure log entry to report.
NB. This procedure makes no changes to the endpoint - it simply reads a registry value - there are no files to be delivered or modifications to the endpoint.
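The same read-only check can be run by hand in PowerShell. This is an added example, not the agent procedure's own XML; the function name Get-ZeroLogonStatus and the handling of values other than 0 or 1 are assumptions made for illustration.

```powershell
# Added example: mirrors the four outcomes described above. Reads one registry
# value and writes nothing to the endpoint.
function Get-ZeroLogonStatus {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters',
        [string]$Name = 'FullSecureChannelProtection'
    )

    # $IsWindows only exists in PowerShell 6+; Windows PowerShell 5.1 runs on Windows only.
    if ($PSVersionTable.PSVersion.Major -ge 6 -and -not $IsWindows) {
        return [pscustomobject]@{ Status = 'Unsupported OS'; Value = $null }
    }

    # A missing key or missing value both return nothing here.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Status = 'Vulnerable'; Value = $null }
    }

    $value = $item.$Name
    if ($value -eq 0) {
        $status = 'Patched - 0'
    }
    elseif ($value -eq 1) {
        $status = 'Patched - 1'
    }
    else {
        # Not one of the four documented options (assumption: flag it for manual review).
        $status = "Unexpected value - $value"
    }
    [pscustomobject]@{ Status = $status; Value = $value }
}

# Emit a line in the same shape as the Agent Procedure Log entry.
$result = Get-ZeroLogonStatus
"zeroLogonResult: $($result.Status)"
```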
Importing the XML doesn't work. It shows "File not Uploaded."
Running this returns errors "Failed THEN in step 5 line 13" when running it.
Please create a Custom Field called "zeroLogonVuln" as type "String" and the Agent Procedure shall work.