To check whether your Windows operating system (OS) is affected by the Zerologon vulnerability, you will need to run an Authenticated Network Scan using the Holm Security VMP platform.
You will find detailed information about setting up your authenticated scanning profile in this article:
And you can find more information in this section:
If your system is vulnerable to Zerologon, you will find one of the following HIDs in your generated scan report, depending on your Windows OS:
- HID-2-1-041726 - Microsoft Windows Server 2012
- HID-2-1-041725 - Microsoft Windows 8.1 for 32-bit/x64-based systems - Microsoft Windows Server 2012 R2
- HID-2-1-041724 - Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1 - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1
- HID-2-1-041723 - Microsoft Windows 10 Version 1903 for 32-bit/x64-based Systems - Microsoft Windows 10 Version 1909 for 32-bit/x64-based Systems
- HID-2-1-041720 - Microsoft Windows 10 Version 1809 for 32-bit Systems - Microsoft Windows 10 Version 1809 for x64-based Systems - Microsoft Windows Server 2019
- HID-2-1-041729 - Microsoft Windows 10 Version 1607 x32/x64 - Microsoft Windows Server 2016
- HID-2-1-041727 - Microsoft Windows 10 Version 2004 for 32-bit Systems - Microsoft Windows 10 Version 2004 for x64-based Systems
To scan only for Zerologon, use the following scan configuration:
An authenticated scan that includes the HID or HIDs from the list above that match your Windows OS, as described in the image below: