Execution of ZeroLogon PoC executable

Detects the execution of the commonly used ZeroLogon PoC executable.

Sigma rule

title: Execution of ZeroLogon PoC executable
id: fe0c3029-c6df-4f0b-9b82-e4ca4b9659f0
status: experimental
description: Detects the execution of the commonly used ZeroLogon PoC executable.
author: 'Kostastsale, TheDFIRReport'
references:
  - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022-02-12
modified: 2024-02-23
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
    Image|endswith:
      - '\cool.exe'
      - '\zero.exe'
    CommandLine|contains|all:
      - 'Administrator'
      - '-c'
  selection2:
    CommandLine|contains|all:
      - 'taskkill'
      - '/f'
      - '/im'
  selection3:
    CommandLine|contains:
      - 'powershell'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.t1210
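To see what the condition `selection1 and (selection2 or selection3)` actually requires of a single process_creation event, the following Python evaluates the rule's three selections over a handful of constructed events. This is an added example written for this page, not code from the Sigma project or from the rule's authors; the event records are made up, use Sigma's field names (ParentImage, Image, CommandLine), and the `evt-N` ids and file paths in them are placeholders. It applies Sigma's default case-insensitive string matching, which is why every value is lower-cased before comparison.

```python
"""Evaluate the ZeroLogon PoC Sigma rule against sample process_creation events.

Constructed example (not part of the original page or the Sigma project).
Each event is a dict with the Sigma field names the rule references.
"""


def _field(ev, name):
    # Sigma string modifiers (endswith/contains) are case-insensitive by default,
    # so normalise both the event value and the rule's literals to lower case.
    return ev.get(name, "").lower()


def selection1(ev):
    """ParentImage ends with \\cmd.exe, Image ends with \\cool.exe or \\zero.exe,
    and CommandLine contains both 'Administrator' and '-c' (contains|all)."""
    parent = _field(ev, "ParentImage")
    image = _field(ev, "Image")
    cmd = _field(ev, "CommandLine")
    return (
        parent.endswith("\\cmd.exe")
        and (image.endswith("\\cool.exe") or image.endswith("\\zero.exe"))
        and all(token in cmd for token in ("administrator", "-c"))
    )


def selection2(ev):
    """CommandLine contains all of 'taskkill', '/f' and '/im'."""
    cmd = _field(ev, "CommandLine")
    return all(token in cmd for token in ("taskkill", "/f", "/im"))


def selection3(ev):
    """CommandLine contains 'powershell'."""
    return "powershell" in _field(ev, "CommandLine")


def rule_matches(ev):
    """The rule's condition: selection1 and (selection2 or selection3)."""
    return selection1(ev) and (selection2(ev) or selection3(ev))


# Constructed sample events; ids, paths and arguments are placeholders.
SAMPLE_EVENTS = [
    {   # PoC binary launched from cmd.exe, embedded taskkill: selection1 + selection2
        "id": "evt-1",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": r'zero.exe Administrator -c "taskkill /f /im example.exe"',
    },
    {   # Alternate binary name, powershell in the arguments: selection1 + selection3
        "id": "evt-2",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Temp\cool.exe",
        "CommandLine": "cool.exe Administrator -c powershell",
    },
    {   # Same arguments but parent is explorer.exe, so selection1 fails
        "id": "evt-3",
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": r'zero.exe Administrator -c "taskkill /f /im example.exe"',
    },
    {   # selection1 holds, but neither taskkill nor powershell is present
        "id": "evt-4",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": "zero.exe Administrator -c whoami",
    },
    {   # Ordinary taskkill from cmd.exe: selection2 alone never fires the rule
        "id": "evt-5",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\taskkill.exe",
        "CommandLine": "taskkill /f /im notepad.exe",
    },
]


def matching_ids(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [ev["id"] for ev in events if rule_matches(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["id"], "MATCH" if rule_matches(ev) else "no match")
```

Running it shows only `evt-1` and `evt-2` alerting: the condition is evaluated per event, so the taskkill or powershell string has to appear in the same command line as the `Administrator -c` arguments of a `cool.exe`/`zero.exe` launched from cmd.exe. A plain taskkill (`evt-5`) or the PoC binary with other arguments (`evt-4`) does not fire, which keeps the rule narrow and explains the `high` level despite `falsepositives: Unknown`.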
