CVE-2020-1472 – ZeroLogon – Monitoring by SIEM

SIEM Content Packages For CVE-2020-1472 – ZeroLogon By Cyray

As you know, one of the most critical vulnerabilities has recently been published – ZeroLogon

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. (MITRE)

MITRE CVE-2020-1472

Before diving into the details: we strongly recommend patching your DCs.

Here is the MSRC link to download the relevant KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

We have tested the vulnerability and built new content packages (ArcSight and QRadar) that identify the attack in real time before patching. We have also collected, after patching, the events that domain controllers log for devices in the environment that are still attempting to use vulnerable Netlogon connections.
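As an added illustration of the post-patch monitoring described above (not part of Cyray's content packages), the following Python groups vulnerable Netlogon attempts per machine account. The event IDs are the ones Microsoft's CVE-2020-1472 guidance documents for patched domain controllers; the flat `EventID=... Account=... IP=...` export format and the log lines are constructed for this example.

```python
import re
from collections import defaultdict

# Event IDs written to the System log of a patched DC for vulnerable
# (non-secure-RPC) Netlogon secure channel attempts, per Microsoft's
# CVE-2020-1472 guidance. The log lines below are constructed.
DENIED_IDS = {5827, 5828}          # connection refused (machine / trust account)
ALLOWED_IDS = {5829, 5830, 5831}   # still allowed: deployment phase or GPO exception

# Hypothetical flat export format used by this example only.
LINE_RE = re.compile(r"EventID=(\d+)\s+Account=(\S+)\s+IP=(\S+)")

SAMPLE_LOG = """\
EventID=5829 Account=FILESRV01$ IP=10.0.5.21
EventID=5829 Account=FILESRV01$ IP=10.0.5.21
EventID=5827 Account=OLDNAS$ IP=10.0.9.4
EventID=5830 Account=LEGACYAPP$ IP=10.0.7.13
EventID=4624 Account=alice IP=10.0.1.50
"""

def parse_events(text):
    """Yield (event_id, account, ip) for every line matching the export format."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)

def vulnerable_netlogon_clients(text):
    """Group vulnerable Netlogon attempts per machine account.

    Returns {account: {"allowed": n, "denied": n, "ips": set()}} so an analyst
    can see which devices must be fixed before enforcement mode turns the
    'allowed' entries into outages, and which are already being refused.
    """
    clients = defaultdict(lambda: {"allowed": 0, "denied": 0, "ips": set()})
    for event_id, account, ip in parse_events(text):
        if event_id in ALLOWED_IDS:
            clients[account]["allowed"] += 1
        elif event_id in DENIED_IDS:
            clients[account]["denied"] += 1
        else:
            continue  # unrelated event (e.g. a 4624 logon) is ignored
        clients[account]["ips"].add(ip)
    return dict(clients)

if __name__ == "__main__":
    for account, info in vulnerable_netlogon_clients(SAMPLE_LOG).items():
        print(f"{account}: allowed={info['allowed']} denied={info['denied']} "
              f"from {sorted(info['ips'])}")
```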
