Detection | critical | stable
Zerologon Exploitation Using Well-known Tools
This rule is designed to detect attempts to exploit the Zerologon (CVE-2020-1472) vulnerability using the mimikatz zerologon module or other exploits launched from a machine with the "kali" hostname.
Authors: Demyan Sokolin, Teymur Kheirkhabarov, oscd.community
Created: Tue Oct 13
Updated: Sun May 30
Rule ID: 18f37338-b9bd-4117-a039-280c81f7a596
Product: windows
Log Source
Product: Windows
Service: system
Detection Logic
detection:
    selection:
        EventID:
            - 5805
            - 5723
    keywords:
        - kali
        - mimikatz
    condition: selection and keywords
MITRE ATT&CK
Tactics: Lateral Movement (attack.lateral-movement)
Techniques: T1210 Exploitation of Remote Services (attack.t1210)
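The detection logic above evaluated over constructed Windows System-log events, as an added example (not code from the rule's authors or the Sigma project); the event records and messages are constructed, modelled on the Netlogon 5805/5723 message templates, and the matching follows Sigma semantics for a value list (OR) and free-text keywords (case-insensitive substring over the whole event):

```python
from dataclasses import dataclass

# Detection block of the Sigma rule above, transcribed as Python data.
RULE = {
    "selection": {"EventID": [5805, 5723]},   # Netlogon session-setup failures
    "keywords": ["kali", "mimikatz"],         # free-text terms, any of them
}


@dataclass
class Event:
    """Minimal Windows System-log record: EventID, provider and rendered message."""
    event_id: int
    provider: str
    message: str


def matches_selection(ev: Event, selection: dict) -> bool:
    # A list of values for one field is an OR in Sigma.
    return ev.event_id in selection["EventID"]


def matches_keywords(ev: Event, keywords: list) -> bool:
    # Sigma 'keywords' is a case-insensitive substring search over the whole event,
    # not over one field, so the hostname can sit anywhere in the rendered message.
    haystack = f"{ev.event_id} {ev.provider} {ev.message}".lower()
    return any(k.lower() in haystack for k in keywords)


def evaluate_rule(events: list) -> list:
    """Return the events satisfying 'condition: selection and keywords'."""
    return [
        ev for ev in events
        if matches_selection(ev, RULE["selection"]) and matches_keywords(ev, RULE["keywords"])
    ]


# Constructed sample events (messages modelled on the Netlogon 5805/5723 templates; not real logs).
SAMPLE_EVENTS = [
    Event(5805, "NETLOGON", "The session setup from the computer KALI failed to authenticate. "
                            "The following error occurred: Access is denied."),
    Event(5723, "NETLOGON", "The session setup from computer 'kali' failed because the security "
                            "database does not contain a trust account 'kali$' referenced by the computer."),
    Event(5805, "NETLOGON", "The session setup from the computer WS-042 failed to authenticate. "
                            "The following error occurred: Access is denied."),          # benign noise
    Event(4624, "Microsoft-Windows-Security-Auditing", "Workstation Name: kali"),  # wrong EventID
    Event(5805, "NETLOGON", "The session setup from the computer MIMIKATZ failed to authenticate. "
                            "The following error occurred: Access is denied."),
]

if __name__ == "__main__":
    for ev in evaluate_rule(SAMPLE_EVENTS):
        print(f"ALERT EventID={ev.event_id}: {ev.message[:60]}...")
```

Because the keyword match is a plain substring test, any computer name that merely contains "kali" (for example a lab host named KALI-LAB) also fires, which is worth remembering when tuning this rule.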
Rule Metadata
Rule ID
18f37338-b9bd-4117-a039-280c81f7a596
Status
stable
Level
critical
Type
Detection
Created
Tue Oct 13
Modified
Sun May 30
Path
rules/windows/builtin/system/netlogon/win_system_possible_zerologon_exploitation_using_wellknown_tools.yml
Raw Tags
attack.t1210, attack.lateral-movement