Rule History

alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Zerologon Phase 3/3 - NetrLogonSamLogonWithFlags Request with 0x00 Client Credentials (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isset,dcerpc.rpcnetlogon.netrsrvrauth.nosignnoseal; content:"|05 00 00|"; startswith; fast_pattern; content:"|2d 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:!"|00 00 00 00|"; within:4; content:"|00 00 00 00 00 00 00 00 00 00 00 00|"; distance:4; within:12; reference:url,www.secura.com/blog/zero-logon; reference:url,dirkjanm.io/a-different-way-of-abusing-zerologon/; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2035263; rev:2; metadata:attack_target Server, created_at 2022_02_22, cve CVE_2020_1472, deployment Internal, performance_impact Significant, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_22;)