Emerging Threathightest

Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC

Detects the execution of the commonly used ZeroLogon PoC executable.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

kostastsale, TheDFIRReportCreated Sat Feb 12dcc6a01e-9471-44a0-a699-71ea96f8ed8b2020

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection_main:
        ParentImage|endswith: '\cmd.exe'
        Image|endswith:
            - '\cool.exe'
            - '\zero.exe'
        CommandLine|contains|all:
            - 'Administrator'
            - '-c'
    selection_payloads_1:
        CommandLine|contains|all:
            - 'taskkill'
            - '/f'
            - '/im'
    selection_payloads_2:
        CommandLine|contains: 'powershell'
    condition: selection_main and 1 of selection_payloads_*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0002 · Execution TA0008 · Lateral Movement

Techniques

T1210 · Exploitation of Remote Services

Other

cve.2020-1472detection.emerging-threats

Rule Metadata

Rule ID

dcc6a01e-9471-44a0-a699-71ea96f8ed8b

Status

test

Level

high

Type

Emerging Threat

Created

Sat Feb 12

Author

kostastsale, TheDFIRReport

Path

rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml

Raw Tags

attack.executionattack.lateral-movementattack.t1210cve.2020-1472detection.emerging-threats

View on GitHub