Skip to content

corelight/zerologon

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
scripts
scripts
 
 
testing
testing
 
 
.gitignore
.gitignore
 
 
COPYING
COPYING
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
bro-pkg.meta
bro-pkg.meta
 
 
zkg.meta
zkg.meta
 
 

Repository files navigation

Zerologon

Summary

A Zeek detection package for CVE-2020-1472, also known as Zerologon, which is a CVSS 10.0 privilege escalation vulnerability against the Netlogon protocol for Windows Server domain controllers.

Notices

By default, both notices are raised:

  • Zerologon_Attempt indicates the requisite number of login attempts were made within a short period of time.
  • Zerologon_Password_Change indicates the above, and a successful password change occurred.

By redefing notice_on_exploit_only to T in cluster.zeek, only the Zerologon_Password_Change notice will be generated.

Usage and Notes

  • Tested on Zeek versions 3.3.0-dev.53-debug and 3.2.0, and Corelight Sensor v19. It should work with Zeek 3.0 and higher.
  • This package will run in both clustered and non-clustered environments.
  • Developed against the included attack PCAPs.

References

About

Zeek package to detect Zerologon

Resources

Readme

License

View license
Activity
Custom properties

Stars

12 stars

Watchers

6 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages