ZeroLogon (CVE-2020-1472)
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network.
This package includes the following rules, which help detect the ZeroLogon vulnerability and attack using ArcSight ESM:
Mimikatz Outbound RPC Connection to DC
ZeroLogon Attack Detected
ZeroLogon Vulnerability Detected
Password Last Set field changed by ANONYMOUS LOGON
Vulnerable Netlogon Secure Channel Detected
ArcSight ESM 7.0
Please refer to Zerologon_ReleaseNotes.pdf, which is included with this package.