SIEM Content Packages For CVE-2020-1472 – ZeroLogon By Cyray
As you know, one of the most critical vulnerabilities was recently published: ZeroLogon.
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’. (MITRE)
Before diving into details: we strongly recommend patching your DCs.
Here's the MSRC link to download the relevant KB:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
We have tested the vulnerability and built new content packages (ArcSight and QRadar) to identify the attack in real time before patching. We have also collected events from devices in an environment that is still attempting to use vulnerable Netlogon after patching.
