Execution of ZeroLogon PoC executable

Detects execution of a commonly used ZeroLogon (CVE-2020-1472) proof-of-concept executable, identified by its file name and by the command-line arguments the PoC takes when launched from cmd.exe against a domain controller.

Sigma rule

```yaml
title: Execution of ZeroLogon PoC executable
id: dcc6a01e-9471-44a0-a699-71ea96f8ed8b
status: experimental
description: Detects the execution of the commonly used ZeroLogon PoC executable.
author: '@Kostastsale, @TheDFIRReport'
references:
  - https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/
  - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
date: 2022/02/12
logsource:
  product: windows
  category: process_creation
detection:
  selection1:
    ParentImage|endswith:
      - '\cmd.exe'
    Image|endswith:
      - '\cool.exe'
      - '\zero.exe'
    CommandLine|contains|all:
      - 'Administrator'
      - '-c'
  selection2:
    CommandLine|contains|all:
      - 'taskkill'
      - '/f'
      - '/im'
  selection3:
    CommandLine|contains:
      - 'powershell'
  condition: selection1 and (selection2 or selection3)
falsepositives:
  - Unknown
level: high
tags:
  - attack.execution
  - attack.lateral_movement
  - attack.t1210
```
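The following is an added example, not the rule authors' code and not pySigma: it re-implements the three selections and the condition `selection1 and (selection2 or selection3)` in plain Python and runs them over constructed process_creation events, so the rule's match and miss cases can be seen directly. It assumes events are dicts keyed by the Sigma process_creation field names (`ParentImage`, `Image`, `CommandLine`) and that plain string modifiers are evaluated case-insensitively, as Sigma specifies. All sample events, hostnames and addresses are constructed for illustration.

```python
"""Added example: evaluate the ZeroLogon PoC Sigma rule's logic over
constructed Windows process_creation events (not the rule authors' code,
not pySigma). Field names follow the Sigma process_creation taxonomy."""

from typing import Dict, Iterable, List

Event = Dict[str, str]


def _ends_with_any(value: str, suffixes: Iterable[str]) -> bool:
    """Sigma 'field|endswith: [...]' - any listed suffix, case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_all(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'field|contains|all: [...]' - every substring must occur."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles: Iterable[str]) -> bool:
    """Sigma 'field|contains: [...]' - any listed substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection1(e: Event) -> bool:
    """PoC named cool.exe/zero.exe, spawned by cmd.exe, targeting
    'Administrator' and carrying a '-c' command to run on the DC."""
    return (
        _ends_with_any(e.get("ParentImage", ""), ["\\cmd.exe"])
        and _ends_with_any(e.get("Image", ""), ["\\cool.exe", "\\zero.exe"])
        and _contains_all(e.get("CommandLine", ""), ["Administrator", "-c"])
    )


def selection2(e: Event) -> bool:
    """'-c' payload is a forced process kill."""
    return _contains_all(e.get("CommandLine", ""), ["taskkill", "/f", "/im"])


def selection3(e: Event) -> bool:
    """'-c' payload invokes PowerShell."""
    return _contains_any(e.get("CommandLine", ""), ["powershell"])


def explain(e: Event) -> Dict[str, bool]:
    """Per-selection breakdown; handy when tuning the rule."""
    return {"selection1": selection1(e), "selection2": selection2(e), "selection3": selection3(e)}


def rule_matches(e: Event) -> bool:
    """condition: selection1 and (selection2 or selection3)"""
    s = explain(e)
    return s["selection1"] and (s["selection2"] or s["selection3"])


def evaluate(events: List[Event]) -> List[int]:
    """Indices of the events that fire the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


# Constructed sample events (not real telemetry; hostnames/IPs are made up).
SAMPLE_EVENTS: List[Event] = [
    {   # 0: PoC from cmd.exe, '-c' payload kills a process -> selection1 + selection2
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": r'zero.exe DC01 10.0.0.5 Administrator -c "taskkill /f /im explorer.exe"',
    },
    {   # 1: same tool named cool.exe, PowerShell payload; mixed case still matches
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Temp\cool.exe",
        "CommandLine": r'cool.exe DC01 10.0.0.5 Administrator -c "PowerShell -ep bypass"',
    },
    {   # 2: spawned by powershell.exe instead of cmd.exe -> ParentImage filter misses it
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": r'zero.exe DC01 10.0.0.5 Administrator -c "taskkill /f /im explorer.exe"',
    },
    {   # 3: selection1 fires, but the '-c' payload is neither taskkill nor powershell
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Users\Public\zero.exe",
        "CommandLine": r'zero.exe DC01 10.0.0.5 Administrator -c "whoami"',
    },
    {   # 4: benign admin taskkill from cmd.exe -> Image does not match
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "Image": r"C:\Windows\System32\taskkill.exe",
        "CommandLine": r"taskkill /f /im notepad.exe",
    },
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, rule_matches(ev), explain(ev))
    print("matches:", evaluate(SAMPLE_EVENTS))  # [0, 1]
```

Events 2 and 3 show the rule's two main blind spots: the PoC launched from any parent other than cmd.exe, and a `-c` payload that is neither `taskkill` nor PowerShell, both pass untouched. Renaming the binary to anything other than `cool.exe`/`zero.exe` does the same. When tuning, widening `Image` or dropping the `ParentImage` clause trades those misses for more review of the `Administrator ... -c` pattern, which is what actually distinguishes the PoC's invocation.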
