Detect Zerologon Via Zeek

Description

This search detects attempts to exploit the Zerologon vulnerability (CVE-2020-1472) by correlating Netlogon operations in Zeek DCE-RPC logs.

Use Case

Security Monitoring

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Initial Access

MITRE ATT&CK Techniques

Exploit Public-Facing Application

MITRE Threat Groups

APT28
APT29
APT39
APT41
Axiom
BlackTech
Blue Mockingbird
GOLD SOUTHFIELD
Night Dragon
Rocke
Soft Cell

Data Sources

Network Communication

Detect Zerologon Via Zeek Help

You must be ingesting Zeek DCE-RPC data into Splunk, and the Zeek data should be ingested in JSON format. The search fires when all three Netlogon RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are observed in the bro:rpc:json sourcetype. The three operations are then correlated on the Zeek UID field, so they must all occur on the same Zeek connection to match.
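As an added illustration of the correlation the search performs (this is not the Splunk Security Essentials search itself, which is not shown on this page), the following Python reads constructed Zeek dce_rpc JSON records of the kind ingested as bro:rpc:json, groups the operation names by Zeek uid, and reports only the uids on which all three Netlogon operations occurred. The hosts, uids and timestamps are invented; connection CAbc1 shows a partial sequence (no NetrServerPasswordSet2) that the rule deliberately does not flag.

```python
import json
from collections import defaultdict

# Constructed sample of Zeek dce_rpc.log records in JSON form (as ingested into the
# bro:rpc:json sourcetype). Hosts, uids and timestamps are made up for this example.
SAMPLE_LOG = """\
{"ts":1600000000.1,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"10.0.0.1","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerReqChallenge"}
{"ts":1600000000.2,"uid":"CAbc1","id.orig_h":"10.0.0.5","id.orig_p":49152,"id.resp_h":"10.0.0.1","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerAuthenticate3"}
{"ts":1600000000.3,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"10.0.0.1","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerReqChallenge"}
{"ts":1600000000.4,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"10.0.0.1","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerAuthenticate3"}
{"ts":1600000000.5,"uid":"CAbc2","id.orig_h":"10.0.0.5","id.orig_p":49153,"id.resp_h":"10.0.0.1","id.resp_p":49667,"endpoint":"netlogon","operation":"NetrServerPasswordSet2"}
{"ts":1600000001.0,"uid":"CDef3","id.orig_h":"10.0.0.7","id.orig_p":50000,"id.resp_h":"10.0.0.1","id.resp_p":445,"endpoint":"samr","operation":"SamrConnect5"}
"""

# The three Netlogon operations the detection correlates on one Zeek uid.
ZEROLOGON_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate3", "NetrServerPasswordSet2"}


def operations_by_uid(log_text):
    """Group the RPC operation names seen on each Zeek connection (uid).

    Returns (ops, meta): ops maps uid -> set of operation names; meta maps
    uid -> (originating host, responding host) taken from the first record.
    """
    ops = defaultdict(set)
    meta = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ops[rec["uid"]].add(rec["operation"])
        meta.setdefault(rec["uid"], (rec["id.orig_h"], rec["id.resp_h"]))
    return ops, meta


def find_zerologon_uids(log_text):
    """Return {uid: (src, dst)} for connections carrying all three Netlogon operations."""
    ops, meta = operations_by_uid(log_text)
    return {uid: meta[uid] for uid, seen in ops.items() if ZEROLOGON_OPS <= seen}


if __name__ == "__main__":
    for uid, (src, dst) in find_zerologon_uids(SAMPLE_LOG).items():
        print(f"Zerologon pattern on Zeek uid {uid}: {src} -> {dst}")
```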
