Rule History

alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isnotset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; fast_pattern; content:"|04 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; endswith; threshold: type limit, count 1, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2030870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_22;)