Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Semperis DSP Zerologon vulnerability

Semperis DSP Zerologon vulnerability

Back
Id85c1f9e4-6f14-46bf-82d5-dbe495b92aab
RulenameSemperis DSP Zerologon vulnerability
DescriptionThis indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1068
Required data connectorsSemperisDSP
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
Version2.0.7
Arm template85c1f9e4-6f14-46bf-82d5-dbe495b92aab.json
Deploy To Azure
dsp_parser
| where EventID == 9212
| where SecurityIndicatorName == "Zerologon vulnerability"
| extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))

name: Semperis DSP Zerologon vulnerability
severity: Medium
description: |
    'This indicator looks for security vulnerability to CVE-2020-1472, which was patched by Microsoft in August 2020. Without this patch, an unauthenticated attacker can exploit CVE-2020-1472 to elevate their privileges and get administrative access on the domain.'
version: 2.0.7
requiredDataConnectors:
- dataTypes:
  - dsp_parser
  connectorId: SemperisDSP
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1068
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: DnsDomain
triggerThreshold: 0
status: Available
queryPeriod: 1h
kind: Scheduled
triggerOperator: gt
query: |
  dsp_parser
  | where EventID == 9212
  | where SecurityIndicatorName == "Zerologon vulnerability"
  | extend HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))  
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Semperis Directory Services Protector/Analytic Rules/SemperisDSP_ZerologonVulnerability.yaml
id: 85c1f9e4-6f14-46bf-82d5-dbe495b92aab