Detect Zerologon Via Zeek

Description

This search detects attempts to run exploits for the Zerologon CVE-2020-1472 vulnerability via Zeek RPC

   Help

Detect Zerologon Via Zeek Help

You must be ingesting Zeek DCE-RPC data into Splunk, and the Zeek data should be ingested in JSON format. The search detects when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are observed in bro:rpc:json events. These three operations are then correlated on the Zeek UID field, so a match means a single connection carried the full sequence rather than isolated calls.
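The UID correlation the Help text describes, written out as an added Python example rather than the app's own Splunk search: it groups constructed Zeek dce_rpc JSON records by uid and raises one alert only where all three operations occur on the same connection. The UIDs, hosts and timestamps in the sample log are constructed for this example.

```python
import json
from collections import defaultdict

# The three Netlogon operations the detection correlates on one Zeek UID.
ZEROLOGON_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate3", "NetrServerPasswordSet2"}

# Constructed sample of Zeek dce_rpc.log in JSON-lines form (field names follow
# Zeek's dce_rpc log; the UIDs, hosts and timestamps are made up for this example).
SAMPLE_LOG = """\
{"ts":1600000000.10,"uid":"CAbc1xyz","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerReqChallenge"}
{"ts":1600000000.11,"uid":"CAbc1xyz","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerAuthenticate3"}
{"ts":1600000000.12,"uid":"CAbc1xyz","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerAuthenticate3"}
{"ts":1600000000.13,"uid":"CAbc1xyz","id.orig_h":"10.0.0.25","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerPasswordSet2"}
{"ts":1600000001.00,"uid":"CDef2uvw","id.orig_h":"10.0.0.30","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerReqChallenge"}
{"ts":1600000001.01,"uid":"CDef2uvw","id.orig_h":"10.0.0.30","id.resp_h":"10.0.0.5","endpoint":"netlogon","operation":"NetrServerAuthenticate3"}
{"ts":1600000002.00,"uid":"CGhi3rst","id.orig_h":"10.0.0.31","id.resp_h":"10.0.0.5","endpoint":"samr","operation":"SamrConnect5"}
this line is not JSON and is skipped
"""

def parse_dce_rpc(text):
    """Yield one dict per well-formed JSON line; lines that are not JSON are ignored."""
    for line in text.splitlines():
        try:
            yield json.loads(line.strip())
        except json.JSONDecodeError:
            continue

def correlate_by_uid(records):
    """Group the operations seen on each Zeek connection (uid), keeping who talked to whom."""
    sessions = defaultdict(lambda: {"ops": set(), "count": 0})
    for r in records:
        s = sessions[r["uid"]]
        s["ops"].add(r.get("operation"))
        s["count"] += 1
        s.setdefault("src", r.get("id.orig_h"))
        s.setdefault("dest", r.get("id.resp_h"))
        s["first_ts"] = min(s.get("first_ts", r["ts"]), r["ts"])
    return sessions

def detect_zerologon(text):
    """Return one alert per uid on which all three Zerologon-related operations occurred."""
    alerts = []
    for uid, s in correlate_by_uid(parse_dce_rpc(text)).items():
        if ZEROLOGON_OPS <= s["ops"]:
            alerts.append({"uid": uid, "src": s["src"], "dest": s["dest"],
                           "first_ts": s["first_ts"], "rpc_calls": s["count"]})
    return alerts
```

Only the first connection trips the rule; the second, which stops after NetrServerAuthenticate3, does not, and the rpc_calls field is carried along for analyst triage.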

   Search
