Mitigation and Protection

First and foremost, the first line of protection against this vulnerability is to ensure that all affected systems are patched with Microsoft's latest security update.  This continues to be the primary recommendation for protection against any exploit that that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability - specifically it cannot be exploited remotely.  An attacker will first need to gain access to the network domain via other means (legitimately or not).  So one major mitigation point would be to ensure that network access (both physical and remote) are carefully guarded.  However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.    
 

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One - Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One - Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)

• Rule 1010519 - Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
• Rule 1010521 - Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
• Rule 1010539 - Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)

Please note that the rules are already set to Prevent.

Worry-Free Business Security Services

• Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
• Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)

TippingPoint

• Filter 38166:  MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
• Filter 38235:  MS-NRPC: Microsoft Windows NetrServerAuthenticate Request

Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro TxONE

• 1137620: RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Other Inspection / Detection Rules

Deep Security Log Inspection

• 1010541 - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)

This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity.  Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch.  Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment. 

Deep Discovery Inspector

• Rule 4453: CVE-2020-1472_DCE_RPC_ZEROLOGON_EXPLOIT_REQUEST
• Rule 4455: CVE-2020-1472_SMB2_ZEROLOGON_EXPLOIT_REQUEST

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.
 

References

• Trend Micro Blog: Zerologon” and the Value of Virtual Patching - https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html
• Microsoft Advisory - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472