Zerologon Exploitation Using Well-known Tools
This rule detects attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using the mimikatz zerologon module or other exploits run from a machine with the "kali" hostname. It matches Netlogon events 5805 and 5723 in the Windows System log whose content contains the keyword "kali" or "mimikatz".
Sigma rule
```yaml
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname.
references:
  - https://www.secura.com/blog/zero-logon
  - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020-10-13
modified: 2021-05-30
tags:
  - attack.t1210
  - attack.lateral-movement
logsource:
  service: system
  product: windows
detection:
  selection:
    EventID:
      - 5805
      - 5723
  keywords:
    - kali
    - mimikatz
  condition: selection and keywords
level: critical
```
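To show what the rule's condition actually evaluates, here is an added Python example (not part of this page or of the Sigma project) that applies the `selection` and `keywords` logic above to constructed Windows System events. The hostnames and message texts are made up for the example; only the event IDs and keywords come from the rule.

```python
"""Evaluate this Sigma rule's detection logic over constructed System-log events."""

# The rule's detection block, transcribed from the YAML above.
RULE = {
    "selection": {"EventID": [5805, 5723]},
    "keywords": ["kali", "mimikatz"],
}

# Constructed sample events (not real telemetry). Message texts are
# paraphrased placeholders for the Netlogon 5805/5723 events.
SAMPLE_EVENTS = [
    {"EventID": 5805, "Provider": "NETLOGON", "Computer": "DC01.corp.example",
     "Message": "The session setup from the computer KALI failed to authenticate."},
    {"EventID": 5723, "Provider": "NETLOGON", "Computer": "DC01.corp.example",
     "Message": "The session setup from computer 'mimikatz' failed because the "
                "security database does not contain a trust account 'mimikatz$'."},
    {"EventID": 5805, "Provider": "NETLOGON", "Computer": "DC01.corp.example",
     "Message": "The session setup from the computer WKS042 failed to authenticate."},
    # Right keyword, wrong log/event: must not fire (selection fails).
    {"EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
     "Computer": "DC01.corp.example",
     "Message": "An account was successfully logged on. Workstation Name: kali"},
]


def selection_matches(event, selection):
    """Sigma 'selection': each field must equal one of its listed values."""
    return all(event.get(field) in values for field, values in selection.items())


def keywords_match(event, keywords):
    """Sigma 'keywords': case-insensitive substring search over the whole event."""
    haystack = " ".join(str(v) for v in event.values()).lower()
    return any(k.lower() in haystack for k in keywords)


def rule_matches(event, rule=RULE):
    """condition: selection and keywords"""
    return selection_matches(event, rule["selection"]) and keywords_match(event, rule["keywords"])


def matching_indices(events=SAMPLE_EVENTS, rule=RULE):
    """Return the indices of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e, rule)]


if __name__ == "__main__":
    for i in matching_indices():
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: EventID={e['EventID']} {e['Message']}")
```

Because the keyword test is a substring match, any legitimate computer name that happens to contain "kali" also fires; treat a hit as a prompt to review the Netlogon activity from that computer rather than as proof of exploitation.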