CVE-2020-1472 – ZeroLogon – Monitoring by SIEM

SIEM Content Packages For CVE-2020-1472 – ZeroLogon By Cyray

As you know, one of the most critical vulnerabilities has recently been published – ZeroLogon

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. (MITRE)

MITRE CVE-2020-1472

Before diving into details – We strongly recommend to patch your DC’s

Here’s the link for MSRC to download the relevant KB:

We have tested the vulnerability, and we have built new content packages (ArcSight and QRadar) to identify the attack in real-time – before patching, we have also collected events from devices in an environment that is still attempting to use vulnerable netlogon – after patching.

Share This Story, Choose Your Platform

Time to market

One-day SIEM integration