Microsoft has added support for Zerologon detection in the Microsoft Defender for Identity to enable Operations Security teams to detect attacks within the enterprise that attempt to exploit this critical vulnerability.
Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection or Azure ATP) is a cloud-based security solution designed to use signals from on-premises Active Directory to detect and analyze compromised identities, advanced threats, and malicious insider activity targeting an organization.
"Microsoft Defender for Identity can detect this vulnerability early on," said Microsoft Program Manager Daniel Naim. "It covers both aspects of exploiting and controlling the circulation of Netlogon."
Alerts raised whenever a Zerologon exploit attempt or related activity is detected will give SecOps teams prompt information about the device or domain controller involved in the attack attempt.
Alerts will also provide details that can help identify what was targeted if an attack succeeded.
"Finally, customers using the Microsoft 365 Defenders can take full advantage of the power of Microsoft Defender for Identity signals and alerts, combined with behavioral events and detections from Microsoft Defender for Endpoint," added Naim.
"This coordinated protection allows you to not only monitor your efforts to exploit Netlogon over network protocols, but also view the device process and file activity associated with the exploit."