SIEM Content Packages For CVE-2020-1472 – ZeroLogon By Cyray
As you probably know, one of the most critical vulnerabilities of recent years has just been published: ZeroLogon (CVE-2020-1472).
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. (MITRE)
Before diving into the details: we strongly recommend patching your DCs first.
Here’s the link for MSRC to download the relevant KB:
We have tested the vulnerability and built new content packages (ArcSight and QRadar) that identify the attack in real time on DCs that have not yet been patched. We have also collected the events that a patched DC generates when devices in the environment still attempt to use vulnerable Netlogon, and built a second part of the package around those.
A little bit about the process
We used this PoC for ZeroLogon:
We ran the exploit from a machine in the domain to the DC:
And from the DC we got the combination of these two events at the same time:
- Event ID: 5805 (System log)
- Event ID: 4742 (Security log): "A computer account was changed", Source User Name: Anonymous Logon
Where the computer account changed in event 4742 is the same machine as the host name reported in event 5805.
From this data we built the first part of the package, which recognizes the attack on DCs that are not yet patched.
The second part of the package is based on Microsoft's guidance and will only function after the DCs are patched, because the event IDs it searches for are generated by the DC only once the patch is installed.
Based on these events we built a mechanism that tracks vulnerable Netlogon usage in the environment. Once enforcement is on, most of these attempts should be denied by the DC, unless the account has been explicitly allowed through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, in which case the DC allows the connection and logs it as such.
Our packages are available at the links below and will be updated frequently.
- The ArcSight package was last updated on 04.11.20:
- We added a mapping file for the relevant Windows logs and changed the resources package to match.
- The file is available for download from the same path as the .arb package – named winc.zip.
- Unzip the file and locate the folder using this path:
- If the 'winc' directory already exists, add only the files that are not already there.
- The QRadar package was last updated on 08.10.20.
Download from GitHub:
Or download from this site:
Before Installing the Packages:
Add the following System-log event IDs from the DCs to the SIEM's event collection
(most SIEM deployments do not collect the System log at all, so make sure at least these IDs are forwarded):
- 5805 (Netlogon session setup failed to authenticate; used by the pre-patch detection)
- 5827, 5828 (patched DC denied a vulnerable Netlogon connection: machine account / trust account)
- 5829 (patched DC allowed a vulnerable connection because enforcement is not yet on)
- 5830, 5831 (patched DC allowed a vulnerable connection because of the group policy: machine account / trust account)
ArcSight Package Overview:
The rules have no actions other than feeding the collected events to the pre-configured dashboards.
Make sure to configure actions together with the SIEM team.
QRadar Package Overview:
If this is the first installation, use:
/opt/qradar/bin/contentManagement.pl -a import -f <content file>
If it is an upgrade, use:
/opt/qradar/bin/contentManagement.pl -a update -f <content file>
Rules (Rule Group Name – “ZeroLogon CVE-2020-1472”):
There’s an explanation for each rule in the “Notes” section.
There is just one Offense Rule in the list: "ZeroLogon: Windows: Zerologon Attack Was Executed".
The action for all other rules is "Dispatch New Event".
Building Blocks (Rule Group Name – “ZeroLogon CVE-2020-1472”):
The name of the Dashboard is “ZeroLogon”.
Important: these packages only work reliably where event collection is healthy. Make sure the DC logs reach the SIEM without data loss or delays, because the detection depends on correlating System and Security events that arrive close together.
You are welcome to contact us for any further details.
Maayan Shlomo – email@example.com
Michael Vashinsky – firstname.lastname@example.org