Execution of ZeroLogon PoC executable

calendar Mar 18, 2025 · attack.execution attack.lateral-movement attack.t1210  ·
Share on: linkedin copy

Detects the execution of the commonly used ZeroLogon PoC executable.

Sigma rule (View on GitHub)

 1title: Execution of ZeroLogon PoC executable
 2id: fe0c3029-c6df-4f0b-9b82-e4ca4b9659f0
 3status: experimental
 4description: Detects the execution of the commonly used ZeroLogon PoC executable.
 5author: 'Kostastsale, TheDFIRReport'
 6references:
 7    - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
 8    - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 9date: 2022-02-12
10modified: 2024-02-23
11logsource:
12    product: windows
13    category: process_creation
14detection:
15    selection1:
16        ParentImage|endswith: '\cmd.exe'
17        Image|endswith:
18            - '\cool.exe'
19            - '\zero.exe'
20        CommandLine|contains|all:
21            - 'Administrator'
22            - '-c'
23    selection2:
24        CommandLine|contains|all:
25            - 'taskkill'
26            - '/f'
27            - '/im'
28    selection3:
29        CommandLine|contains: 'powershell'
30    condition: selection1 and (selection2 or selection3)
31falsepositives:
32    - Unknown
33level: high
34tags:
35    - attack.execution
36    - attack.lateral-movement
37    - attack.t1210
yaml

References

  • From Zero to Domain Admin

    Intro This report will go through an intrusion from July that began with an email, which included a link to Google’s Feed Proxy service that was used to download a malicious Word document. Up…


    Read More

  • Qbot and Zerologon Lead To Full Domain Compromise

    In this intrusion (from November 2021), a threat actor gained its initial foothold in the environment through the use of Qbot (a.k.a. Quakbot/Qakbot) malware. Soon after execution of the Qbot paylo…


    Read More

Related rules

to-top