Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
Detects the execution of the commonly used ZeroLogon PoC executable.
Sigma rule (View on GitHub)
1title: Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC
2id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
3status: test
4description: Detects the execution of the commonly used ZeroLogon PoC executable.
5references:
6 - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
7 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
8author: '@Kostastsale, @TheDFIRReport'
9date: 2022-02-12
10tags:
11 - attack.execution
12 - attack.lateral-movement
13 - attack.t1210
14 - cve.2020-1472
15 - detection.emerging-threats
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection_main:
21 ParentImage|endswith: '\cmd.exe'
22 Image|endswith:
23 - '\cool.exe'
24 - '\zero.exe'
25 CommandLine|contains|all:
26 - 'Administrator'
27 - '-c'
28 selection_payloads_1:
29 CommandLine|contains|all:
30 - 'taskkill'
31 - '/f'
32 - '/im'
33 selection_payloads_2:
34 CommandLine|contains: 'powershell'
35 condition: selection_main and 1 of selection_payloads_*
36falsepositives:
37 - Unknown
38level: high
References
-
Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Up…
Read More -
In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot paylo…
Read More
Related rules
- HackTool - SharpWSUS/WSUSpendu Execution
- Audit CVE Event
- Exploitation Attempt Of CVE-2023-46214 Using Public POC Code
- Hermetic Wiper TG Process Patterns
- OMIGOD HTTP No Authentication RCE