Cynet Uncovers Zerologon Exploits with a Free Analysis & Detection Tool

Share Article

Assurance of Zerologon Exploit Free IT Systems Available at

Cynet logo

Cynet ( today announced the Zerologon Analysis & Detection Tool in response to the Zerologon vulnerability, also known as CVE-2020-1472. Zerologon continues to be a threat even after the availability of the Microsoft patch as exploits may have impacted Windows Server environments prior to implementing the prescribed updates. Moreover, Zerologon continues to be actively exploited as many organizations have not yet implemented the patch because of the expected disruption to IT operations.

Zerologon is a potentially dangerous authentication bypass vulnerability that permits cyber-criminals to exploit the Windows Server Netlogon Remote Protocol (MS-NRPC) authentication process. To support security professionals in managing this threat, Cynet has released the free Zerologon Analysis & Detection Tool which determines if a Zerologon exploit was executed in the user's IT environment. It is essential that administrators address exploits quickly as they can lead to devastating breaches and system disruption. Cynet’s full analysis of Zerologon along with the free Zerologon Analysis and Detection Tool can be accessed at

One of the cryptographic components that facilitates the Zerologon vulnerability is AES-CFB8 Encryption. This encryption has been implemented in an unsecure way, and as result, creates the vulnerability. Cynet 360 customers already have detection mechanisms in place for vulnerabilities and exploits such as this and many other attacks. Due to the magnitude and potential impact of this vulnerability, Cynet is now releasing two detection mechanisms for the wide community that provides visibility of exploits targeting the Zerologon vulnerability.

The first of these detection mechanisms is the YARA rule, which can be used to scan memory dumps of lsass.exe. The rule will alert upon detection of Mimikatz or other Zerologon exploits. The second detection mechanism is an executable file, Cynet.ZerologonDetector.exe, which detects spikes in network traffic of lsass.exe from a given IP. The YARA rule can detect attacks that occurred prior to its deployment and provides an indication after detecting a Zerologon exploitation. Cynet's free detection tool is non-intrusive and based on Event Tracing for Windows (ETW) from Microsoft.

"While patching exposed Windows Servers without delay is extremely important, taking the extra step to ensure your systems are clean is critical to ensure operational viability," said Eyal Gruner, CEO and Co-Founder, Cynet. "Because the Zerologon vulnerability targets the domain controller and therefore poses a major threat to almost all organizations, we decided to share the Zerologon Analysis and Detection Tool with the broad security community."

Visit the company blog to learn more about Cynet 360 at:

Tweet this: @Cynet Targets Zerologon Exploits with Free Analysis & Detection Tool -

To learn more about Cynet:

About Cynet
Cynet 360 is the world's first Autonomous Breach Protection platform that natively integrates XDR endpoint, user and network attack prevention and detection capabilities with an incident engine that fully automates investigation and remediation actions, backed by a 24/7 world-class MDR service. End to end, fully automated breach protection is now within reach of any organization, regardless of security team size and skill level.
For additional information, please visit:

                                            - END -

Share article on social media or email:

View article via:

Pdf Print

Contact Author

Dori Harpaz
+972 526950718
Email >
Follow >
Visit website