Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using the mimikatz zerologon module or other exploits run from a machine with the hostname "kali". It relies on the Netlogon failure events (5805, 5723) that the attacking client leaves in the System log of the targeted domain controller.
Sigma rule

```yaml
title: Zerologon Exploitation Using Well-known Tools
id: 18f37338-b9bd-4117-a039-280c81f7a596
status: stable
description: This rule is designed to detect attempts to exploit the Zerologon vulnerability (CVE-2020-1472) using the mimikatz zerologon module or other exploits run from a machine with the hostname "kali".
references:
  - https://www.secura.com/blog/zero-logon
  - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community'
date: 2020/10/13
modified: 2021/05/30
tags:
  - attack.t1210
  - attack.lateral_movement
logsource:
  service: system
  product: windows
detection:
  selection:
    EventID:
      - 5805
      - 5723
  keywords:
    - kali
    - mimikatz
  condition: selection and keywords
level: critical
```
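The rule's logic applied to Windows System log records, as an added example that is not part of the Sigma rule or the SigmaHQ project. `selection` restricts the event to the Netlogon IDs 5805 and 5723; `keywords` is an unbound keyword list, so Sigma matches the strings anywhere in the raw event text, case-insensitively. The records are constructed, the Netlogon message wording is an approximation of the 5805/5723 templates (an assumption), and the `SystemEvent` shape and helper names are this example's own. The last record shows the rule's limit: an attacker host renamed away from the default kali hostname produces the same failures but no alert.

```python
"""Evaluate the Zerologon Sigma rule against constructed System log records."""
import re
from dataclasses import dataclass
from typing import Optional

# Rule encoded as data: `selection` (EventID list) AND `keywords` (free-text match).
SELECTION_EVENT_IDS = {5805, 5723}
KEYWORDS = ("kali", "mimikatz")


@dataclass(frozen=True)
class SystemEvent:
    """Minimal stand-in for a Windows System log record (example's own shape)."""
    event_id: int
    provider: str
    message: str


def matches_rule(event: SystemEvent) -> bool:
    """Return True when the record satisfies `selection and keywords`.

    Sigma string matching is case-insensitive by default and an unbound keyword
    list matches anywhere in the log text, so the whole message is lowercased
    and searched for each keyword.
    """
    if event.event_id not in SELECTION_EVENT_IDS:
        return False
    text = event.message.lower()
    return any(keyword in text for keyword in KEYWORDS)


def run_rule(events):
    """Return the records that would raise this rule's alert."""
    return [event for event in events if matches_rule(event)]


def source_computer(event: SystemEvent) -> Optional[str]:
    """Pull the client computer name out of a Netlogon failure message for triage.

    Both 5805 and 5723 name the computer after the word "computer"; 5723 quotes it.
    Returns None when the message does not carry that field.
    """
    found = re.search(r"computer '?([A-Za-z0-9_-]+)'?", event.message, re.IGNORECASE)
    return found.group(1) if found else None


# Constructed sample log, not captured from a real domain controller.
SAMPLE_EVENTS = [
    # Default Kali hostname in a Netlogon authentication failure: alert.
    SystemEvent(5805, "NETLOGON",
                "The session setup from the computer KALI failed to authenticate. "
                "The following error occurred: Access is denied."),
    # Ordinary workstation failing to authenticate: no keyword, no alert.
    SystemEvent(5805, "NETLOGON",
                "The session setup from the computer WKSTN-07 failed to authenticate. "
                "The following error occurred: Access is denied."),
    # Same hostname, but the computer account does not exist (5723): alert.
    SystemEvent(5723, "NETLOGON",
                "The session setup from computer 'kali' failed because the security "
                "database does not contain a trust account 'kali$' referenced by the "
                "specified computer."),
    # Keyword present but EventID outside the selection: no alert.
    SystemEvent(7036, "Service Control Manager",
                "The mimikatz service entered the running state."),
    # Upper-case keyword in a selected event: still an alert (case-insensitive).
    SystemEvent(5805, "NETLOGON",
                "The session setup from the computer MIMIKATZ failed to authenticate. "
                "The following error occurred: Access is denied."),
    # Attacker renamed the box: identical failure pattern, rule stays silent.
    SystemEvent(5805, "NETLOGON",
                "The session setup from the computer ATTACKER-PC failed to authenticate. "
                "The following error occurred: Access is denied."),
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT EventID={hit.event_id} computer={source_computer(hit)}")
```

The silent last record is the reason this rule is `level: critical` but narrow: it catches default tooling, not the technique. Hunting for a burst of 5805 or 5723 failures from a single client computer name, regardless of what that name is, covers the renamed case and is what `source_computer` is there to support.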
References
- https://www.secura.com/blog/zero-logon
- https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382
Related rules
- Potential RDP Exploit CVE-2019-0708
- Terminal Service Process Spawn
- CobaltStrike Service Installations - System
- Rundll32 Execution Without Parameters
- First Time Seen Remote Named Pipe