Detect Zerologon Via Zeek
This search detects attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using Zeek DCE-RPC logs. Zerologon is a flaw in the Netlogon Remote Protocol that lets an unauthenticated attacker authenticate to a domain controller with an all-zero client credential and reset the domain controller's machine account password.
Detect Zerologon Via Zeek Help
You must be ingesting Zeek DCE-RPC data into Splunk, and the Zeek logs must be ingested in JSON format. The search looks for all three Netlogon RPC operations used by the exploit (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) in the bro:rpc:json sourcetype and correlates them on the Zeek UID field, i.e. on a single connection. Note that a legitimate machine account password change uses the same three operations; what distinguishes the exploit is the volume of NetrServerAuthenticate3 attempts that precede the password set, since the zero-credential trick succeeds on only about one attempt in 256.
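The correlation described above, run over constructed Zeek dce_rpc.log JSON records, as an added example that is not code from the original page or from Splunk. It implements the page's per-UID logic and then adds a second check the page only hints at: counting NetrServerAuthenticate3 calls from the same source to the same domain controller across all connections in a time window, because some exploit tooling opens a new TCP connection (and so gets a new Zeek UID) for every attempt. The hosts, UIDs, timestamps and the `min_auth_attempts` threshold are assumptions made for the example.

```python
import json
from collections import defaultdict

# The three Netlogon RPC operations the page names, in the order the exploit issues them.
OP_ORDER = ["NetrServerReqChallenge", "NetrServerAuthenticate3", "NetrServerPasswordSet2"]
ZEROLOGON_OPS = set(OP_ORDER)

DC = "10.0.0.5"         # assumed domain controller (constructed address)
MEMBER = "10.0.0.20"    # assumed legitimate domain member (constructed address)
ATTACKER = "10.0.0.99"  # assumed attacker host (constructed address)


def _zeek_record(ts, uid, orig_h, resp_h, operation):
    """Render one constructed Zeek dce_rpc.log entry as Zeek's JSON writer would
    (dotted id.* keys). Every value here is made up for the example."""
    return json.dumps({
        "ts": ts, "uid": uid, "id.orig_h": orig_h, "id.orig_p": 49152,
        "id.resp_h": resp_h, "id.resp_p": 49667, "endpoint": "netlogon",
        "operation": operation,
    })


def build_sample_log():
    """Constructed sample: a legitimate machine-account password change (all three
    operations on one connection) and a brute-force run where each failed attempt is
    its own connection, with the winning attempt followed by NetrServerPasswordSet2."""
    lines = []
    t = 1600000000.0
    for i, op in enumerate(OP_ORDER):
        lines.append(_zeek_record(t + i * 0.1, "CLegit1", MEMBER, DC, op))
    t = 1600000100.0
    for n in range(1, 6):  # five failed attempts, one new connection each
        uid = f"CAtk{n}"
        lines.append(_zeek_record(t, uid, ATTACKER, DC, OP_ORDER[0]))
        lines.append(_zeek_record(t + 0.01, uid, ATTACKER, DC, OP_ORDER[1]))
        t += 0.05
    for i, op in enumerate(OP_ORDER):  # the attempt that succeeds and sets the password
        lines.append(_zeek_record(t + i * 0.01, "CAtk6", ATTACKER, DC, op))
    return "\n".join(lines)


def parse_dce_rpc(text):
    """Parse JSON-lines dce_rpc output, keeping only the three operations of interest."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("operation") in ZEROLOGON_OPS:
            records.append(rec)
    return records


def correlate_by_uid(records):
    """The page's logic: flag any Zeek UID on which all three operations appear."""
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r)
    hits = []
    for uid, rs in by_uid.items():
        if {r["operation"] for r in rs} == ZEROLOGON_OPS:
            hits.append({"uid": uid, "src": rs[0]["id.orig_h"], "dest": rs[0]["id.resp_h"],
                         "last_ts": max(r["ts"] for r in rs)})
    return hits


def auth_attempts_before(records, src, dest, ts, window=300):
    """Added check: NetrServerAuthenticate3 calls from src to dest in the `window`
    seconds up to ts, counted across every connection, not just one UID."""
    return sum(1 for r in records
               if r["operation"] == "NetrServerAuthenticate3"
               and r["id.orig_h"] == src and r["id.resp_h"] == dest
               and ts - window <= r["ts"] <= ts)


def detect(text, min_auth_attempts=5):
    """Per-UID correlation, then require a burst of authentication attempts from the
    same source so a routine machine password change (one attempt) does not alert."""
    records = parse_dce_rpc(text)
    alerts = []
    for hit in correlate_by_uid(records):
        attempts = auth_attempts_before(records, hit["src"], hit["dest"], hit["last_ts"])
        if attempts >= min_auth_attempts:
            alerts.append({**hit, "auth_attempts": attempts})
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-UID hits:", [h["uid"] for h in correlate_by_uid(parse_dce_rpc(log))])
    print("alerts:", detect(log))
```

Run stand-alone, the per-UID correlation returns both the legitimate connection and the attacker's successful one, which is why the threshold on preceding NetrServerAuthenticate3 calls matters: only the attacker's source shows the burst. In SPL the per-UID part is a `stats` over the operation field by uid, keeping rows where the distinct count of operations is three; the burst check corresponds to a separate count of NetrServerAuthenticate3 events by source and destination over a short time span.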