Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Zerologon vulnerability

Semperis DSP Zerologon vulnerability

Back
Id85c1f9e4-6f14-46bf-82d5-dbe495b92aab
RulenameSemperis DSP Zerologon vulnerability
DescriptionThis indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1068
Required data connectorsSemperisDSP
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
Version2.0.7
Arm template85c1f9e4-6f14-46bf-82d5-dbe495b92aab.json
Deploy To Azure
dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Zerologon vulnerability"
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

version: 2.0.7
id: 85c1f9e4-6f14-46bf-82d5-dbe495b92aab
triggerThreshold: 0
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: HostName
    identifier: HostName
  - columnName: DnsDomain
    identifier: DnsDomain
queryPeriod: 1h
name: Semperis DSP Zerologon vulnerability
queryFrequency: 1h
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
severity: Medium
relevantTechniques:
- T1068
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
description: |
    'This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.'
kind: Scheduled
status: Available
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Zerologon vulnerability"
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
tactics:
- PrivilegeEscalation
triggerOperator: gt