Rule History

alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 2/3 - NetrServerAuthenticate3 Request with 0x00 Client Challenge and Sign and Seal Disabled (CVE-2020-1472) M2"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|1a 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00|"; within:2; isdataat:!8,relative; byte_test:1,!&,0x40,6,relative; threshold: type both, count 5, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035261; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_22;)