Table of contents
- Webinar: analysis of the CVE-2020-1472 vulnerability, known as Zerologon
- Webinar: detecting Zerologon attacks through traffic analysis
Rules for commonly used SIEMs
Splunk
(endpoint="netlogon" (operation="NetrServerReqChallenge" OR operation="NetrServerAuthenticate3")) | bin _time span=1m | stats count AS val BY src_ip, _time | where val > 100
Runs against Zeek dce_rpc data indexed in Splunk (fields endpoint, operation, src_ip). The 1-minute bucket carries over the timeframe of the Sigma rule this search is derived from; a plain eventstats count over the whole search window would instead fire on any busy host.
Splunk-Mimikatz
(source="WinEventLog:System" (EventCode="5805" OR EventCode="5723") "mimikatz")
Elastic Stack-Mimikatz
Query (Lucene, winlogbeat index):
(winlog.event_id:("5805" OR "5723") AND "mimikatz")
Alert (Kibana detection rule):
{
  "description": "Detects zerologon exploitation patterns, if mimikatz has not been rebuilt and obfuscated. Author: SOC Prime Team. License: https://github.com/Neo23x0/sigma/blob/master/LICENSE.Detection.Rules.md.",
  "enabled": true,
  "false_positives": [],
  "filters": [],
  "from": "now-360s",
  "immutable": false,
  "index": ["winlogbeat-*"],
  "interval": "5m",
  "rule_id": "zerologon__cve-2020-1472__exploitation_through_mimikatz",
  "language": "lucene",
  "output_index": ".siem-signals-default",
  "max_signals": 100,
  "risk_score": 53,
  "name": "ZeroLogon (CVE-2020-1472) Exploitation Through Mimikatz",
  "query": "(winlog.event_id:(\"5805\" OR \"5723\") AND \"mimikatz\")",
  "meta": { "from": "1m" },
  "severity": "high",
  "tags": ["Lateral Movement", "T1210"],
  "to": "now",
  "type": "query",
  "threat": [
    {
      "tactic": { "id": "TA0008", "reference": "https://attack.mitre.org/tactics/TA0008", "name": "Lateral Movement" },
      "framework": "MITRE ATT&CK",
      "technique": [
        { "id": "T1210", "name": "Exploitation of Remote Services", "reference": "https://attack.mitre.org/techniques/T1210" }
      ]
    }
  ],
  "version": 1,
  "references": ["https://tdm.socprime.com/tdm/info/5RnLLRFoSypI"]
}
The inner quotes of the query string must be escaped as shown, otherwise the rule JSON does not parse.
Arcsight-Mimikatz
Query:
(deviceVendor = "Microsoft" AND (externalId = 5805 OR externalId = 5723) AND "mimikatz") AND type != 2 | rex field = flexString1 mode=sed "s//Sigma: ZeroLogon (CVE-2020-1472) Exploitation Through Mimikatz/g"
Alert:
(deviceVendor = "Microsoft" AND (externalId = 5805 OR externalId = 5723) AND "mimikatz")
The parentheses around the two event IDs matter: AND binds tighter than OR, so without them the filter reads as (Microsoft AND 5805) OR (5723 AND mimikatz) and fires on every 5805 event regardless of the mimikatz string.
QRadar
SELECT sourceip, COUNT() AS agg_val FROM events WHERE UTF8(payload) ILIKE '%netlogon%' AND (UTF8(payload) ILIKE '%NetrServerReqChallenge%' OR UTF8(payload) ILIKE '%NetrServerAuthenticate3%') GROUP BY sourceip HAVING COUNT() > 100 LAST 1 MINUTES
Expects Zeek dce_rpc records as the event payload. AQL does not let the WHERE clause reference a SELECT alias, so the payload conversion is written inline rather than as search_payload.
QRadar-Mimikatz
SELECT starttime, sourceip, "EventID", UTF8(payload) AS search_payload FROM events WHERE LOGSOURCETYPENAME(devicetype) ILIKE 'Microsoft Windows Security Event Log' AND ("EventID" = '5805' OR "EventID" = '5723') AND UTF8(payload) ILIKE '%mimikatz%'
Events 5805 and 5723 are written to the System log by NETLOGON; QRadar files every Windows event log collected through WinCollect under the "Microsoft Windows Security Event Log" log source type, which is why that name is used here.
Sigma
title: Possible CVE-2020-1472 (zerologon)
description: CVE-2020-1472 (Netlogon Elevation of Privilege Vulnerability) may create thousands of NetrServerReqChallenge & NetrServerAuthenticate3 requests in a short amount of time.
author: SOC Prime Team
date: 2020/09/11
references:
    - https://github.com/SecuraBV/CVE-2020-1472
tags:
    - attack.lateral_movement
    - attack.t1210
logsource:
    product: zeek
    service: dce_rpc
detection:
    selection:
        endpoint: 'netlogon'
        operation: 'NetrServerReqChallenge'
    selection2:
        endpoint: 'netlogon'
        operation: 'NetrServerAuthenticate3'
    timeframe: 1m
    condition: selection or selection2 | count() by src_ip > 100
falsepositives:
    - 'unknown'
level: high
Sigma-Mimikatz
title: ZeroLogon (CVE-2020-1472) Exploitation Through Mimikatz
description: Detects zerologon exploitation patterns, if mimikatz has not been rebuilt and obfuscated.
status: stable
author: SOC Prime Team
references:
    - https://twitter.com/joshlemon/status/1306487256480460805
    - https://twitter.com/markus_neis/status/1306617404886339589
    - https://twitter.com/SBousseaden/status/1305957119770988547
tags:
    - attack.lateral_movement
    - attack.t1210
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID:
            - 5805
            - 5723
    # Please check your own fields. Raw data: <EventData><Data>mimikatz</Data><Data>%%5</Data><Binary>220000C0</Binary></EventData>.
    # Searching all fields of the event IDs above for the keyword is the more robust approach.
    keywords:
        - 'mimikatz'
    condition: selection and keywords
level: high
PowerShell script for analyzing logs related to exploitation of the Zerologon vulnerability
# 1) Netlogon burst check. Only meaningful if Zeek dce_rpc records are forwarded into a Windows
#    event log: native Windows logs carry no endpoint/operation/src_ip fields. The log name is a
#    placeholder; src_ip is pulled out of the message text because it is not an event property.
Get-WinEvent -LogName "Zeek-DCERPC" -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "endpoint.*netlogon" -and ($_.Message -match "operation.*NetrServerReqChallenge" -or $_.Message -match "operation.*NetrServerAuthenticate3") } |
    Group-Object { if ($_.Message -match 'src_ip\W+(\d{1,3}(\.\d{1,3}){3})') { $Matches[1] } else { "unknown" } } |
    Where-Object { $_.Count -gt 100 } |
    Select-Object Name, Count |
    Sort-Object Count -Descending

# 2) Netlogon secure-channel failures (5805, 5723) in the System log whose client computer name is
#    "mimikatz", the name an unmodified mimikatz presents in its Netlogon calls (see the raw data
#    quoted in the Sigma rule). -FilterHashtable filters in the log service instead of in PowerShell.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5805, 5723 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "mimikatz" } |
    Select-Object TimeCreated, Id, RecordId, ProcessId, MachineName, Message
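As an added example (not from this page, SOC Prime or the tool vendors), the threshold logic shared by the Splunk, QRadar, Sigma and PowerShell rules above, run over constructed Zeek dce_rpc records in JSON-line format. The field names ts, id.orig_h, id.resp_h, endpoint and operation are Zeek's; the addresses, timestamps and counts are made up for the demonstration. It goes one step beyond the SIEM rules by using a sliding window instead of a fixed 1-minute bucket, so a brute-force burst that straddles a minute boundary is not split into two sub-threshold halves.

```python
"""Sliding-window version of the Netlogon burst rule, over constructed Zeek dce_rpc records."""
import json
from collections import defaultdict, deque

# The two Netlogon calls the exploit hammers: one ReqChallenge/Authenticate3 pair per attempt,
# on average 256 attempts until an all-zero credential is accepted.
NETLOGON_OPS = {"NetrServerReqChallenge", "NetrServerAuthenticate3"}


def parse_zeek_json(lines):
    """Yield (ts, src_ip, endpoint, operation) from a Zeek dce_rpc.log written in JSON line format."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        yield float(rec["ts"]), rec["id.orig_h"], rec.get("endpoint", ""), rec.get("operation", "")


def burst_sources(records, threshold=100, window=60.0):
    """Return {src_ip: peak_count} for every source that issued more than `threshold`
    netlogon ReqChallenge/Authenticate3 calls inside any `window`-second span."""
    recent = defaultdict(deque)   # per source: timestamps still inside the window
    peak = {}
    for ts, src, endpoint, op in sorted(records, key=lambda r: r[0]):
        if endpoint.lower() != "netlogon" or op not in NETLOGON_OPS:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # drop calls that fell out of the window
            q.popleft()
        if len(q) > threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def constructed_sample():
    """Constructed dce_rpc records (not captured traffic): one benign member server,
    one host running the Zerologon brute force, and an unrelated srvsvc call."""
    base = 1600000000.0
    lines = []
    for i in range(5):  # benign: a few secure-channel setups spread over a minute
        lines.append(json.dumps({"ts": base + 12 * i, "id.orig_h": "10.0.1.20", "id.resp_h": "10.0.1.5",
                                 "endpoint": "netlogon", "operation": "NetrServerReqChallenge"}))
    for i in range(150):  # attacker: 150 ReqChallenge/Authenticate3 pairs in 37.25 seconds
        for op in ("NetrServerReqChallenge", "NetrServerAuthenticate3"):
            lines.append(json.dumps({"ts": base + 40 + 0.25 * i, "id.orig_h": "10.0.0.66", "id.resp_h": "10.0.1.5",
                                     "endpoint": "netlogon", "operation": op}))
    lines.append(json.dumps({"ts": base + 50, "id.orig_h": "10.0.0.66", "id.resp_h": "10.0.1.5",
                             "endpoint": "srvsvc", "operation": "NetrShareEnum"}))
    return lines


if __name__ == "__main__":
    print(burst_sources(parse_zeek_json(constructed_sample())))  # {'10.0.0.66': 300}
```

The benign member server never exceeds the threshold; the attacking host peaks at 300 matching calls inside the window. Lowering the window to 10 seconds still catches it (82 calls) only if the threshold is lowered too, which is the trade-off to tune: the public exploit scripts send attempts as fast as the DC answers, so a short window with a low threshold is fine for them, but a throttled attacker needs the full minute.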
Snort rules for detecting exploitation of the Zerologon vulnerability
# Stage 1 (sets a flowbit, no alert): a NetrServerAuthenticate3 request whose 8-byte ClientCredential
# is all zeros, immediately followed by NegotiateFlags 0x212fffff as sent by the public exploit scripts.
# |05 00 00 03| = DCE/RPC v5.0 request, first+last fragment; |10 00 00 00| = little-endian NDR data
# representation; |5C 00 5C 00| = the "\\" that opens the UTF-16LE server name; |24 00 00 00| = the "$"
# and terminator of the machine-account name. Port 1024: covers the dynamic RPC endpoint.
alert tcp any any -> any 1024: (msg:"Potential exploit attempt to CVE-2020-1472 (zerologon)"; sid:10011; rev:1; flow:to_server,established; content:"|05 00 00 03|"; offset:0; depth:4; content:"|10 00 00 00|"; distance:0; within:50; content:"|5C 00 5C 00|"; distance:0; content:"|24 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 ff ff 2f 21|"; distance:0; flowbits:set,potential-cve-2020-1472; flowbits:noalert; reference:url,https://github.com/dirkjanm/CVE-2020-1472;)
# Stage 2 (alerts): on the same flow, a follow-up request (NetrServerPasswordSet2) whose payload after the
# account name is a long run of zero bytes, i.e. the 516-byte all-zero ClearNewPassword the exploit uses to
# blank the machine-account password. The PCRE needs the \x00 escape; a literal x00{300,} would never match.
alert tcp any any -> any 1024: (msg:"Potential exploit attempt to CVE-2020-1472 (zerologon)"; sid:10012; rev:1; flowbits:isset,potential-cve-2020-1472; flow:to_server,established; content:"|05 00 00 03|"; offset:0; depth:4; content:"|10 00 00 00|"; distance:0; within:50; content:"|24 00 00 00|"; distance:0; pcre:"/\x00{300,}/R"; flowbits:unset,potential-cve-2020-1472; reference:url,https://github.com/dirkjanm/CVE-2020-1472;)
Suricata rules for detecting exploitation of the Zerologon vulnerability
# ET 2030871: NetrServerAuthenticate3 (opnum |1a 00| at offset 22 of the request header) whose 8-byte
# ClientCredential is all zeros and is followed only by the 4-byte NegotiateFlags (isdataat:!5,relative).
# |24 00 00 00 06 00| = "$" + terminator of the account name, then SecureChannelType 6 (ServerSecureChannel).
# Ports 139/445 are excluded because the offsets assume a bare DCE/RPC PDU over TCP, not one carried inside
# an SMB named-pipe write. Alerts are rate-limited to one per source every 30 seconds.
alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] ![139,445] (msg:"ET EXPLOIT Possible Zerologon NetrServerAuthenticate with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; content:"|00|"; offset:2; content:"|1a 00|"; distance:19; within:2; content:"|5c 00 5c 00|"; within:50; content:"|24 00 00 00 06 00|"; distance:0; fast_pattern; content:"|00 00 00 00 00 00 00 00|"; distance:0; isdataat:!5,relative; threshold: type limit, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; classtype:attempted-admin; sid:2030871; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
# ET 2030888: DCE/RPC bind (ptype |0b|) to the Netlogon interface UUID 12345678-1234-abcd-ef00-01234567cffb,
# written here in little-endian wire order. Only sets the dcerpc.rpcnetlogon flowbit for other rules to key on.
alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) UUID flowbit set"; flow:established,to_server; content:"|05 00 0B|"; depth:3; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 cf fb|"; distance:0; flowbits:set,dcerpc.rpcnetlogon; flowbits:noalert; reference:cve,2020-1472; classtype:attempted-admin; sid:2030888; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, former_category EXPLOIT, signature_severity Major, updated_at 2020_09_18;)
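To make the byte patterns in the Snort and Suricata rules above concrete, here is an added example (my own code, not from the rule authors, Emerging Threats or any exploit) that builds the NetrServerAuthenticate3 request PDU the way the Zerologon PoCs send it and applies the rules' content checks to it. The NDR layout follows the MS-NRPC IDL as I read it (a [unique] PrimaryName with referent id, [ref] strings without one, a 16-bit SecureChannelType, 4-byte alignment before each string and before NegotiateFlags); the helper names, the 0x00020000 referent id, the computer names and the benign flags value 0x600FFFFF are assumptions for the illustration. Flowbits and thresholds are not modelled; each matcher looks at a single PDU.

```python
"""Hand-built NetrServerAuthenticate3 request and the Snort/Suricata byte checks applied to it."""
import struct

OPNUM_NETR_SERVER_AUTHENTICATE3 = 26       # shows up as |1a 00| at offset 22 of the request header
SERVER_SECURE_CHANNEL = 6                  # NETLOGON_SECURE_CHANNEL_TYPE for a DC machine account: |06 00|
POC_NEGOTIATE_FLAGS = 0x212FFFFF           # flags the public PoCs send; on the wire |ff ff 2f 21|
DREP_LITTLE_ENDIAN = b"\x10\x00\x00\x00"   # NDR data representation, the |10 00 00 00| in the Snort rule


def ndr_wstr(s, unique=False):
    """Encode a [string] wchar_t* argument as an NDR conformant varying string (UTF-16LE plus NUL).
    A [unique] pointer is preceded by a referent id (assumed 0x00020000); a top-level [ref] pointer is not."""
    data = (s + "\x00").encode("utf-16-le")
    n = len(data) // 2
    head = struct.pack("<I", 0x00020000) if unique else b""
    return head + struct.pack("<III", n, 0, n) + data   # max_count, offset, actual_count, chars


def pad4(buf):
    """NDR aligns 4-byte fields (string headers, ULONG) to 4-byte boundaries."""
    return buf + b"\x00" * (-len(buf) % 4)


def netr_server_authenticate3(primary_name, account_name, computer_name, client_credential, negotiate_flags):
    """Return a complete DCE/RPC request PDU (24-byte header plus NDR stub) for opnum 26."""
    assert len(client_credential) == 8
    stub = ndr_wstr(primary_name, unique=True)               # PrimaryName, e.g. "\\\\DC01" -> contains |5c 00 5c 00|
    stub = pad4(stub) + ndr_wstr(account_name)               # AccountName "DC01$"      -> ends with |24 00 00 00|
    stub += struct.pack("<H", SERVER_SECURE_CHANNEL)         # enum16, 2-byte aligned   -> |06 00| right after
    stub = pad4(stub) + ndr_wstr(computer_name)              # ComputerName
    stub += client_credential                                # NETLOGON_CREDENTIAL: 8 raw bytes, no alignment
    stub = pad4(stub) + struct.pack("<I", negotiate_flags)   # ULONG, 4-aligned, last thing in the stub
    header = struct.pack("<BBBB4sHHIIHH",
                         5, 0,                               # rpc_vers 5.0
                         0x00, 0x03,                         # ptype request, flags first|last fragment
                         DREP_LITTLE_ENDIAN,
                         24 + len(stub), 0,                  # frag_length, auth_length
                         1, len(stub),                       # call_id, alloc_hint
                         0, OPNUM_NETR_SERVER_AUTHENTICATE3) # context id, opnum
    return header + stub


def matches_et_2030871(pdu):
    """Content checks of ET sid 2030871 on one PDU (flow state and threshold not modelled)."""
    if len(pdu) < 24 or pdu[2] != 0x00:                 # content:"|00|"; offset:2          -> request
        return False
    if pdu[22:24] != b"\x1a\x00":                        # distance:19; within:2            -> opnum 26
        return False
    i = pdu.find(b"\x5c\x00\x5c\x00", 24, 24 + 50)       # "\\" of PrimaryName, within:50
    if i < 0:
        return False
    j = pdu.find(b"\x24\x00\x00\x00\x06\x00", i + 4)     # "$" + NUL ending AccountName, channel type 6
    if j < 0:
        return False
    k = pdu.find(b"\x00" * 8, j + 6)                     # an all-zero ClientCredential ...
    while k >= 0:
        if len(pdu) - (k + 8) < 5:                       # isdataat:!5,relative: only the 4 flag bytes remain
            return True
        k = pdu.find(b"\x00" * 8, k + 1)                 # alignment padding can extend the zero run; retry
    return False


def matches_snort_10011(pdu):
    """Content checks of the first Snort rule above: request header, server name, then the zero
    credential immediately followed by the PoC's negotiate flags."""
    return (pdu[:4] == b"\x05\x00\x00\x03" and pdu[4:8] == DREP_LITTLE_ENDIAN
            and b"\x5c\x00\x5c\x00" in pdu
            and b"\x00" * 8 + struct.pack("<I", POC_NEGOTIATE_FLAGS) in pdu)


if __name__ == "__main__":
    attack = netr_server_authenticate3("\\\\DC01", "DC01$", "mimikatz", b"\x00" * 8, POC_NEGOTIATE_FLAGS)
    benign = netr_server_authenticate3("\\\\DC01", "WS17$", "WS17", b"ABCDEFGH", 0x600FFFFF)
    print(matches_et_2030871(attack), matches_snort_10011(attack))   # True True
    print(matches_et_2030871(benign), matches_snort_10011(benign))   # False False
```

Two things the exercise makes visible. The ET rule keys on protocol structure (opnum, channel type, a zero credential with nothing but the flags behind it) and therefore also catches an exploit that changes the negotiate flags, while the Snort stage-1 rule additionally pins the literal 0x212fffff and misses such a variant. Conversely, a computer name of odd UTF-16 length ("mimikatz" above) puts two alignment bytes between the credential and the flags, so any matcher that insists on exactly eight zero bytes before |ff ff 2f 21| needs the retry loop shown, or a `00*8` substring search, to still fire.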