A Zeek detection package for CVE-2020-1472, also known as Zerologon, which is a CVSS 10.0 privilege escalation vulnerability against the Netlogon protocol for Windows Server domain controllers.
By default, both notices are raised:
Zerologon_Attemptindicates the requisite number of login attempts were made within a short period of time.
Zerologon_Password_Changeindicates the above, and a successful password change occurred.
Zerologon_Password_Change notice will be generated.
Usage and Notes
- Tested on Zeek versions
3.2.0, and Corelight Sensor v19. It should work with Zeek 3.0 and higher.
- This package will run in both clustered and non-clustered environments.
- Developed against the included attack PCAPs.