Zeek Package Manager
 

zerologon

https://github.com/corelight/zerologon
4
11
3
1
Last Push 11/10/21, 4:06 PM

Zerologon

Summary

A Zeek detection package for CVE-2020-1472, also known as Zerologon, which is a CVSS 10.0 privilege escalation vulnerability against the Netlogon protocol for Windows Server domain controllers.

Notices

By default, both notices are raised:

  • Zerologon_Attempt indicates the requisite number of login attempts were made within a short period of time.
  • Zerologon_Password_Change indicates the above, and a successful password change occurred.

By redefing notice_on_exploit_only to T in cluster.zeek, only the Zerologon_Password_Change notice will be generated.

Usage and Notes

  • Tested on Zeek versions 3.3.0-dev.53-debug and 3.2.0, and Corelight Sensor v19. It should work with Zeek 3.0 and higher.
  • This package will run in both clustered and non-clustered environments.
  • Developed against the included attack PCAPs.

References

  • https://www.secura.com/blog/zero-logon
  • https://www.secura.com/pathtoimg.php?id=2055
  • https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
  • https://corelight.blog/2020/09/16/detecting-zerologon-cve-2020-1472-with-zeek/

Package Version :

Description :

Detects Zerologon (CVE-2020-1472) attempts and exploits.

Script Dir :

scripts

Test Command :

cd testing && btest -c btest.cfg

Package Checks :

License:
Info:
Found license 'COPYING'
Readme:
Info:
Found readme 'README.md'
Build Command:
Bad Extension:
Expensive Events:
Unsafe Functions:
Charset: