
rule: Insecure NetLogon auth - likely Zerologon (CVE-2020-1472) attempt

Open jdu2600 opened this issue 4 years ago • 2 comments

The legacy NetLogon ETW provider includes the NegotiatedFlags parameter of the NetrServerAuthenticate3 MS-NRPC call. The 2nd bit is the 'Secure RPC' flag which Zerologon needs to disable. Flagging on Netlogon authentication attempts with this flag disabled should be a very high fidelity signal for Zerologon attempts.

Issues - I couldn't find any examples on how to do a couple of things in Sigma. How do I specify a non-eventlog ETW provider? How do I check a flag in Sigma?

Bigger Issue - As far as I know, SilkService and Sealighter are the only two generic ETW logging services - and neither is a supported Sigma backend (yet). So nobody can use it straight away...

  • https://github.com/fireeye/SilkETW
  • https://github.com/pathtofile/Sealighter

jdu2600 · Sep 20 '20 12:09
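The flag check described in the post, as an added example that is not part of the issue or the Sigma project: a small detector that reads SilkETW-style JSON events and flags NetrServerAuthenticate3 negotiations whose Secure RPC bit is clear. The JSON field names (EventName, XmlEventData, ClientName, NegotiatedFlags), the sample events, and the mapping of the post's "2nd bit" to the MS-NRPC "Supports Secure RPC" value 0x40000000 are assumptions.

```python
import json

# MS-NRPC NegotiateFlags: "Supports Secure RPC" is 0x40000000, the second most
# significant bit of the 32-bit field; the post's "2nd bit" is read as this bit
# (assumption taken from MS-NRPC, confirm against the spec for your environment).
SECURE_RPC_FLAG = 0x40000000

def parse_flags(value):
    """Accept NegotiatedFlags as an int, a decimal string or a 0x-prefixed hex string."""
    if isinstance(value, int):
        return value
    text = str(value).strip()
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def is_insecure_negotiation(event):
    """True for a NetrServerAuthenticate3 event whose flags have Secure RPC cleared."""
    if event.get("EventName") != "NetrServerAuthenticate3":
        return False
    flags = event.get("XmlEventData", {}).get("NegotiatedFlags")
    if flags is None:  # field absent: nothing to judge, do not alert on it
        return False
    return (parse_flags(flags) & SECURE_RPC_FLAG) == 0

def find_zerologon_candidates(json_lines):
    """Return (client, flags) for every insecure negotiation in a stream of JSON events."""
    hits = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if is_insecure_negotiation(event):
            data = event["XmlEventData"]
            hits.append((data.get("ClientName", "?"), parse_flags(data["NegotiatedFlags"])))
    return hits

# Constructed sample events in a SilkETW-like JSON-per-line shape (field names assumed).
SAMPLE_EVENTS = [
    '{"EventName":"NetrServerAuthenticate3",'
    '"XmlEventData":{"ClientName":"WS01$","NegotiatedFlags":"0x612FFFFF"}}',
    '{"EventName":"NetrServerAuthenticate3",'
    '"XmlEventData":{"ClientName":"DC01$","NegotiatedFlags":"0x212FFFFF"}}',
    '{"EventName":"NetrLogonSamLogonEx","XmlEventData":{"ClientName":"WS02$"}}',
]

if __name__ == "__main__":
    for client, flags in find_zerologon_candidates(SAMPLE_EVENTS):
        print(f"ALERT: {client} negotiated without Secure RPC (flags 0x{flags:08x})")
```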

Added more information on how to detect via the new events on patched systems.

jdu2600 · Sep 21 '20 10:09

Fixed yamllint errors. :-)

jdu2600 · Sep 21 '20 11:09

Closing this as it's not currently planned to add the modifier described by the author, unfortunately. Will re-open in case of any new information.

nasbench · Dec 23 '22 17:12