Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Zerologon vulnerability

Semperis DSP Zerologon vulnerability

Back
Id85c1f9e4-6f14-46bf-82d5-dbe495b92aab
RulenameSemperis DSP Zerologon vulnerability
DescriptionThis indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1068
Required data connectorsSemperisDSP
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
Version2.0.7
Arm template85c1f9e4-6f14-46bf-82d5-dbe495b92aab.json
Deploy To Azure
dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Zerologon vulnerability"
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

tactics:
- PrivilegeEscalation
triggerOperator: gt
requiredDataConnectors:
- connectorId: SemperisDSP
  dataTypes:
  - dsp_parser
relevantTechniques:
- T1068
entityMappings:
- fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
  entityType: Host
id: 85c1f9e4-6f14-46bf-82d5-dbe495b92aab
queryPeriod: 1h
name: Semperis DSP Zerologon vulnerability
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
queryFrequency: 1h
description: |
    'This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.'
version: 2.0.7
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Zerologon vulnerability"
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
triggerThreshold: 0
severity: Medium
status: Available
kind: Scheduled