forked from splunk/security_content
detect_zerologon_attack.yml
name: Detect Zerologon Attack
id: 5d14a962-569e-4578-939f-f386feb63ce4
version: 1
date: '2020-09-18'
author: Rod Soto, Jose Hernandez, Stan Miskowicz, David Dorsey, Shannon Davis Splunk
description: Uncover activity related to the execution of Zerologon CVE-2020-1472,
  a technique wherein attackers target a Microsoft Windows Domain Controller to reset
  its computer account password. The result of this attack is that attackers can
  grant themselves high privileges and take over the Domain Controller. The included
  searches in this Analytic Story are designed to identify attempts to reset the Domain
  Controller computer account remotely via exploit code or via the use of the Mimikatz
  tool as a payload carrier.
narrative: This attack is a privilege escalation technique, where an attacker targets
  a Netlogon secure channel connection to a domain controller using the Netlogon Remote
  Protocol (MS-NRPC). This vulnerability exposes vulnerable Windows Domain Controllers
  to unauthenticated RPC calls which eventually reset the Domain Controller
  computer account ($), providing the attacker the opportunity to exfiltrate domain
  controller credential secrets and assign themselves high privileges that can lead to
  domain controller and potentially complete network takeover. The detection searches in
  this Analytic Story use Windows Event Viewer events and Sysmon events to detect
  attack execution; these searches monitor access to the Local Security Authority
  Subsystem Service (LSASS) process, which is an indicator of the use of the Mimikatz
  tool, which has been updated to carry this attack payload.
references:
- https://attack.mitre.org/wiki/Technique/T1003
- https://github.com/SecuraBV/CVE-2020-1472
- https://www.secura.com/blog/zero-logon
- https://nvd.nist.gov/vuln/detail/CVE-2020-1472
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection