Exploitation Attempt Of CVE-2020-1472 - Execution of ZeroLogon PoC

    Date: 09/18/2024

    Severity: Medium

    Summary

    The "Exploitation Attempt of CVE-2020-1472 - Execution of ZeroLogon PoC" detection covers attempts to exploit a critical vulnerability in the Netlogon protocol of Microsoft Windows, tracked as CVE-2020-1472. The vulnerability allows an attacker to impersonate any computer on a domain, potentially gaining unauthorized access to sensitive data and systems. The Proof of Concept (PoC) demonstrates how an attacker can use this flaw to escalate privileges and execute malicious code. The threat underscores the importance of timely patching and network security measures to mitigate the risks associated with this severe vulnerability.

    Indicators of Compromise (IOC) List

    Image: '\cool.exe', '\zero.exe'

    ParentImage: '\cmd.exe'

    CommandLine: 'Administrator', '-c', 'taskkill', '/f', '/im', 'powershell'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    ((resourcename in ("Sysmon") AND eventtype = "1") AND image IN ("\cool.exe","\zero.exe") AND parentimage IN ("\cmd.exe") AND commandline IN ("Administrator","-c","taskkill","/f","/im","powershell"))

    Detection Query 2

    (technologygroup = "EDR" AND image IN ("\cool.exe","\zero.exe") AND parentimage IN ("\cmd.exe") AND commandline IN ("Administrator","-c","taskkill","/f","/im","powershell"))
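    The two queries above encode one rule: image, parent image and command line must all match before an alert fires. As an added example (not Gurucul's or SigmaHQ's code), the Python below applies that logic to constructed Sysmon Event ID 1 records, assuming Image/ParentImage are matched by path suffix and CommandLine must contain every listed token.

```python
from dataclasses import dataclass

# Indicator groups from the advisory above. Assumption: Image/ParentImage are
# matched as path suffixes and CommandLine must contain every listed token.
IMAGE_SUFFIXES = ("\\cool.exe", "\\zero.exe")
PARENT_SUFFIXES = ("\\cmd.exe",)
COMMANDLINE_TOKENS = ("administrator", "-c", "taskkill", "/f", "/im", "powershell")

@dataclass
class ProcessEvent:
    """Minimal view of a Sysmon Event ID 1 (process creation) record."""
    event_id: int
    image: str
    parent_image: str
    command_line: str

def matches_zerologon_poc(ev: ProcessEvent) -> bool:
    """True only when all three indicator groups match; comparisons are
    case-insensitive, as Windows paths and Sigma 'contains' are."""
    if ev.event_id != 1:
        return False
    image, parent = ev.image.lower(), ev.parent_image.lower()
    if not any(image.endswith(s) for s in IMAGE_SUFFIXES):
        return False
    if not any(parent.endswith(s) for s in PARENT_SUFFIXES):
        return False
    cmd = ev.command_line.lower()
    # Every token must be present; a lone "-c" or "taskkill" is noise.
    return all(tok in cmd for tok in COMMANDLINE_TOKENS)

def scan(events):
    """Return the events that trigger the detection, in input order."""
    return [ev for ev in events if matches_zerologon_poc(ev)]

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    ProcessEvent(1, r"C:\Users\Public\zero.exe", r"C:\Windows\System32\cmd.exe",
                 r"C:\Users\Public\zero.exe Administrator -c taskkill /f /im powershell"),
    # An admin killing PowerShell by hand: command line overlaps, image does not.
    ProcessEvent(1, r"C:\Windows\System32\taskkill.exe", r"C:\Windows\System32\cmd.exe",
                 r"taskkill /f /im powershell.exe"),
    # Same binary name launched from Explorer with an unrelated command line.
    ProcessEvent(1, r"D:\tools\cool.exe", r"C:\Windows\explorer.exe", r"cool.exe --help"),
    # Matching fields on a non-process-creation event ID are ignored.
    ProcessEvent(3, r"C:\Users\Public\zero.exe", r"C:\Windows\System32\cmd.exe",
                 r"zero.exe Administrator -c taskkill /f /im powershell"),
]
```

    Running scan(SAMPLE_EVENTS) returns only the first event; the other three show why each indicator group is required to keep routine taskkill usage from alerting.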

    Reference: 

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2020/Exploits/CVE-2020-1472/proc_creation_win_exploit_cve_2020_1472_zero_poc.yml


    Tags

    Sigma, Exploit, CVE-2020

