ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472) - Suricata Rule 2030870 (et/open)

ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)

SID: 2030870Rev: 38 viewsHistory

Sourceet/open

CreatedSeptember 14, 2020

UpdatedFebruary 22, 2022

Classificationattempted-admin

alert tcp-pkt any any -> [$HTTP_SERVERS,$HOME_NET] 1024: (msg:"ET EXPLOIT Possible Zerologon Phase 1/3 - NetrServerReqChallenge with 0x00 Client Challenge (CVE-2020-1472)"; flow:established,to_server; flowbits:isset,dcerpc.rpcnetlogon; flowbits:isnotset,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; flowbits:set,dcerpc.rpcnetlogon.netrsrvreqchal.nullcc; content:"|05 00 00|"; startswith; fast_pattern; content:"|04 00|"; offset:22; depth:2; content:"|00 00 00 00 00 00 00 00|"; endswith; threshold:type limit, count 1, seconds 30, track by_src; reference:url,www.secura.com/blog/zero-logon; reference:cve,2020-1472; reference:url,thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/; classtype:attempted-admin; sid:2030870; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Server, created_at 2020_09_14, cve CVE_2020_1472, deployment Perimeter, deployment Internal, performance_impact Significant, confidence Medium, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_02_22;)

References

url	www.secura.com/blog/zero-logon
cve	2020-1472
url	thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/

Metadata

affected productWindows_XP_Vista_7_8_10_Server_32_64_Bit

attack targetServer

created at2020_09_14

cveCVE-2020-1472

deploymentInternal

performance impactSignificant

confidenceMedium

signature severityMajor

tagDescription_Generated_By_Proofpoint_Nexus

updated at2022_02_22

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!