Versions (5)
Version DetailsCurrent
Rev: 1 • Sep 18, 2020, 12:00 PMET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2
alert tcp-pkt any any -> any any (msg:"ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; content:"|05 00 00|"; depth:3; content:"|1a 00|"; distance:19; within:3; content:"|00 00 00 00 00 00 00 00|"; isdataat:!5,relative; threshold:type both, track by_src, seconds 60, count 3; reference:cve,2020-1472; classtype:attempted-admin; sid:2030889; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, created_at 2020_09_18, cve CVE_2020_1472, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_09_18;)
Sep 18, 2020, 12:00 PM
Sep 18, 2020, 12:00 PM
Sep 21, 2024, 3:00 AM
Sep 16, 2025, 8:36 PM
rules/emerging-exploit.rules