This spoofing bug allows an attacker to load improperly signed files, bypassing signature verification.
With a new Windows file signature spoofing vuln (CVE-2020-1464) being actively exploited in the wild – review the detection rules you have in place that alert when (what purport to be) Windows system files behave abnormally. Few examples below using @cortexbypanw & @sansforensics https://t.co/2PwaXnZQLO
An unusual elevation of privilege bug that’s rated critical, this vulnerability is in the Netlogon Remote Protocol (MS-NRPC). An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access. Worryingly, a full fix is not yet available. As the ZDI notes: “This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug.”
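Because the first patch only protects the DC and defers enforcement to the second phase, the practical defender task between the two patches is to watch the events a patched DC writes when a vulnerable Netlogon secure-channel connection is attempted. The following is an added example (not code from the page or from Microsoft) that triages such events from a constructed log export. It assumes the Netlogon event IDs Microsoft documented alongside this CVE (5827/5828 for denied connections, 5829 for a vulnerable connection that was allowed during the initial deployment phase, 5830/5831 for connections allowed by group policy exception); those IDs come from Microsoft's published guidance, not from this page, and the pipe-delimited record format and sample hosts are invented for the example.

```python
"""Triage of Netlogon secure-channel events emitted by a CVE-2020-1472-patched DC.

Added example, not part of the original page. The event IDs below are taken
from Microsoft's guidance for this CVE (assumption: not stated on the page);
the log format and sample records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Event ID -> (outcome, account kind). Written to the System log by source
# NETLOGON on a patched domain controller.
EVENT_MEANING = {
    5827: ("denied", "machine account"),
    5828: ("denied", "trust account"),
    5829: ("allowed", "machine account"),  # allowed only in the deployment phase
    5830: ("allowed_by_policy", "machine account"),
    5831: ("allowed_by_policy", "trust account"),
}

# Constructed sample export (not real telemetry), one record per line:
# "timestamp|EventID|Source|account|client IP".
SAMPLE_LOG = """\
2020-08-12T09:10:01Z|5829|NETLOGON|OLDPRINTER$|10.0.5.21
2020-08-12T09:12:44Z|5827|NETLOGON|DESKTOP-7Q$|10.0.9.77
2020-08-12T09:12:45Z|5827|NETLOGON|DESKTOP-7Q$|10.0.9.77
2020-08-12T09:12:46Z|5827|NETLOGON|DESKTOP-7Q$|10.0.9.77
2020-08-12T09:30:00Z|5830|NETLOGON|LEGACYNAS$|10.0.5.30
2020-08-12T09:31:10Z|5805|NETLOGON|DESKTOP-7Q$|10.0.9.77
2020-08-12T09:40:12Z|5828|NETLOGON|PARTNER.LOCAL|172.16.4.2
"""


@dataclass(frozen=True)
class NetlogonEvent:
    timestamp: str
    event_id: int
    source: str
    account: str
    client_ip: str


def parse_records(text):
    """Parse the pipe-delimited export; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != 5 or not parts[1].isdigit():
            continue
        ts, eid, src, acct, ip = parts
        events.append(NetlogonEvent(ts, int(eid), src, acct, ip))
    return events


def triage(events, repeat_threshold=3):
    """Bucket events into blocked attempts, devices still using the vulnerable
    secure channel (will break once enforcement starts), and policy exceptions."""
    blocked = Counter()
    needs_remediation = set()
    policy_exceptions = set()
    for ev in events:
        if ev.source != "NETLOGON" or ev.event_id not in EVENT_MEANING:
            continue  # unrelated Netlogon events (e.g. 5805) are ignored
        outcome, _kind = EVENT_MEANING[ev.event_id]
        if outcome == "denied":
            blocked[(ev.account, ev.client_ip)] += 1
        elif outcome == "allowed":
            needs_remediation.add(ev.account)
        else:
            policy_exceptions.add(ev.account)
    # A burst of denied attempts from one client deserves a higher-severity alert.
    repeat_blocked = sorted(k for k, n in blocked.items() if n >= repeat_threshold)
    return {
        "blocked": dict(blocked),
        "repeat_blocked": repeat_blocked,
        "needs_remediation": needs_remediation,
        "policy_exceptions": policy_exceptions,
    }


def report(result):
    """Render the triage result as one finding per line."""
    lines = []
    for (acct, ip), n in sorted(result["blocked"].items()):
        flag = " REPEATED" if (acct, ip) in result["repeat_blocked"] else ""
        lines.append(f"ALERT   vulnerable Netlogon connection denied: {acct} from {ip} x{n}{flag}")
    for acct in sorted(result["needs_remediation"]):
        lines.append(f"FIX     {acct} still uses a vulnerable secure channel; remediate before enforcement")
    for acct in sorted(result["policy_exceptions"]):
        lines.append(f"REVIEW  {acct} is allowed by group policy exception")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_records(SAMPLE_LOG))))
```

The 5829 bucket is the one to act on before the enforcement-phase patch ships: each account listed there is a device that currently relies on the insecure channel and will stop authenticating once secure RPC is enforced, so it either gets updated or gets a deliberate, documented policy exception.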
Here's a digest of my understanding of #CVE-2020-1472 for the Microsoft Netlogon secure channel vulnerability and what you need to do to protect yourself. Thread. ⬇️