Intrusion PreventionMS.Windows.Server.Netlogon.Privilege.Elevation
Description
This indicates an attack attempt to exploit an Elevation of Priviledge on Windows Server Netlogon Service.
The vulnerablitiy is due to flaws in a cryptographic authentication protocol that proves the authenticity and identity of a domain-joined computer to a Windows Server Domain Controller. Successful exploitation can lead to an attacker gaining domain admin privileges on the vulnerable server.
Outbreak Alert
A new alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reveals that Black Basta affiliates have attacked 12 of the 16 critical infrastructure sectors, including healthcare organizations.
View the full Outbreak Alert Report
FortiGuard Labs continues to observe attack attempts exploiting the vulnerabilities highlighted in the recent CISA advisory about Russian military cyber actors. These actors are targeting U.S. and global critical infrastructure to conduct espionage, steal data, and compromise or destroy sensitive information.
View the full Outbreak Alert Report
This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.
Affected Products
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Impact
Privilege Escalation: Remote attackers can leverage their privileges on vulnerable systems.
Recommended Actions
Apply the most recent upgrade or patch from the vendor.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| Date | Version | Status | Detail |
|---|---|---|---|
| 2024-07-15 | 28.826 |
Modified
|
Name:MS. Windows. Server. Netlogon. Elevation. of. Privilege:MS. Windows. Server. Netlogon. Privilege. Elevation |
| 2022-09-07 | 22.387 |
Modified
|
Sig Added |
| 2021-12-06 | 19.208 |
Modified
|
Sig Added |
| 2021-07-15 | 18.121 |
Modified
|
Sig Added |
| 2020-11-04 | 16.956 |
Modified
|
Sig Added |
| 2020-10-08 | 16.940 |
Modified
|
Sig Added |
| 2020-09-29 | 16.933 |
Modified
|
Default_action:pass:drop |
| 2020-09-21 | 16.928 |
New
|
| ID | 49499 |
| Created | Sep 16, 2020 |
| Updated | Jul 11, 2024 |
| CVE ID | |
| Tags | Black Basta Ransomware Russian Cyber Espionage Iran-linked Cyber Attacks Threat Signal |
| Risk |
|
| Known Exploited | Yes |
| Exploit Prediction Score | 94.38% |
| Default Action | drop |
| Active | |
| Affected OS | Windows |
| Affected App | Other |
| Profile Type | Permission/Privilege/Access Control |