Remediate Vulnerable Secure Channel Connections with the Insecure Protocols Workbook

by Azure Sentinel News Editor, November 27, 2020, in Security and Compliance

This article is written by Jon Shectman and Brian Delaney, Microsoft.

Have you read about the elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller? An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. If you haven’t, you can read about the vulnerability here and learn how to manage the changes here. Those articles give an excellent overview of the issue, so I won’t repeat it in detail here. In short, we are addressing this vulnerability in a two-part rollout by modifying how Netlogon handles the usage of Netlogon secure channels.

Phase one, deployment, began on Aug 11. In this phase, secure Remote Procedure Call (RPC) is enforced for machine, trust and domain controller accounts. This phase also includes a new group policy object (GPO) and a registry key to manage configuration, and five new Event IDs.

These Event IDs are important for auditing and understanding of the issue. They are as follows:

Machine Events:

  • 5827 – Connection denied
  • 5829 – Non-compliant (allowed during Deployment phase)
  • 5830 – Allowed by policy

Trust Events:

  • 5828 – Connection denied
  • 5831 – Allowed by policy

Phase two, enforcement, is slated to begin Feb 9, 2021. In phase two, non-compliant machine connections will be denied by default and an Event ID 5827 will be logged. It’s entirely possible to set the new GPO “Domain controller: Allow vulnerable Netlogon secure channel connections” and to simply allow the vulnerable connections. However, that is not recommended. Rather, you should use the new tab in the Insecure Protocols Workbook to detect and understand the five new Event IDs and take appropriate action to address the vulnerable Netlogon sessions prior to the enforcement phase. If you’re new to the Insecure Protocols Workbook, we recommend checking out the getting started guide and then come back here.

To populate the Workbook, take two steps:

1. On your domain controllers, apply the relevant update from CVE-2020-1472.

2. In Azure Sentinel, go to Settings, Workspace Settings, Advanced Settings, Data, Windows Event Logs, and add (or make sure you already have added) Errors and Warnings from the System Log.

Once you have data flowing, it’s time to start using the Insecure Protocols Workbook. The first addition you’ll notice is a new tab, Vulnerable Secure Channel.

The most efficient way to describe how to use this tab is to simply show it – as in the GIF below.

At the top of the tab is a counter (tile) for each of the five new Event IDs. In our lab, for example, we have eight instances of Event ID 5830. That’s the tile I clicked on to filter to that event ID. Next, I “painted” a timebrush slice to filter the queries below to a particular time; then I simply clicked on a Machine Account to show the Machine Account Connections. The result is a highly actionable data set, showing us exactly where we need to research vulnerable secure channel connections.
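The same view the tab builds (a count per Event ID, broken down by machine or trust account) can be reproduced as a KQL query against the Event table. This is an added example, not the Insecure Protocols Workbook's own query; it assumes the Windows Event Logs connector is forwarding System log Errors and Warnings as described in the two steps above, and that the account name is the first Param in ParameterXml (verify that against your own events before relying on it).

```kql
// Added example: summarize the five Netlogon secure-channel events by
// outcome and account, so the accounts to remediate before the
// enforcement phase are listed in one place.
Event
| where EventLog == "System" and Source == "NETLOGON"
| where EventID in (5827, 5828, 5829, 5830, 5831)
// Map each Event ID to its meaning (the table from the article above).
| extend Outcome = case(
    EventID in (5827, 5828), "Connection denied",
    EventID == 5829, "Non-compliant (allowed during Deployment phase)",
    EventID in (5830, 5831), "Allowed by policy",
    "Unknown")
// 5827/5829/5830 are machine events, 5828/5831 are trust events.
| extend Kind = iff(EventID in (5827, 5829, 5830), "Machine", "Trust")
// Assumption: the machine or trust account name is the first <Param>.
| extend Account = extract(@"<Param>([^<]+)</Param>", 1, ParameterXml)
| summarize Count = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, EventID, Kind, Outcome, Account
| order by EventID asc, Count desc
```

Rows with Outcome "Non-compliant" (5829) are the connections that will turn into 5827 denials once enforcement begins, so they are the first ones to chase down.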

Once you know where to look, you’ll need to upgrade all Netlogon clients. However, there’s an additional point to consider. Though we expect it to be a rare finding, vulnerable secure channel connections can come from not only machines, but also from trusts (most likely Realm trusts). This configuration may result in significantly increased exposure (Event ID 5828) and may require more planning to remediate.

In this article, we briefly discussed the exposure in vulnerable secure channel connections, how they are logged during the first phase of CVE-2020-1472, and how to audit them with the Insecure Protocols Workbook.

A brief sidenote: If you ever feel your perspectives don’t matter or that your opinions aren’t good enough, we urge you to think again. This workbook enhancement came directly from a conversation on Twitter where multiple folks made the case for it. If you have concepts to add, functionality you’d like to see added, or ideas for improvement, please reach out on Twitter (@shectonsecurity), find us on LinkedIn, or use the comments section. We are all ears.

Thanks for reading and, as always, happy auditing.  🙂

Reference: https://techcommunity.microsoft.com/t5/azure-sentinel/remediate-vulnerable-secure-channel-connections-with-the/ba-p/1611871
