From dbb18b89dc1b1922f3f010fb7f8e8408ec638230 Mon Sep 17 00:00:00 2001
From: Alexander Akhremchik
Date: Sat, 17 Oct 2020 00:05:49 +0300
Subject: [PATCH 1/3] add zerologon rule
---
 .../builtin/win_privesc_cve_2020_1472.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/builtin/win_privesc_cve_2020_1472.yml
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
new file mode 100644
index 000000000..2d8c1d34e
--- /dev/null
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -0,0 +1,28 @@
+title: 'Possible Zerologon (CVE-2020-1472) exploitation'
+id: dd7876d8-0f09-11eb-adc1-0242ac120002
+status: experimental
+description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+references:
+ - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
+ - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
+author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community'
+date: 2020/10/15
+tags:
+ - attack.t1068
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4742
+ SourceUserName: 'ANONYMOUS LOGON'
+ TargetUserName: '%DC-MACHINE-NAME$%' # DC machine account name that ends with '$'
+ filter:
+ ChangedAttributes|contains:
+ - 'Password Last Set: -'
+ condition: selection and not filter
+falsepositives:
+ - automatic DC computer account password change
+ - legitimate DC computer account password change
+level: high
From 860dc24e4b484357dafa1ceb05236ab3d8c78277 Mon Sep 17 00:00:00 2001
From: Alexander Akhremchik
Date: Sat, 17 Oct 2020 01:13:57 +0300
Subject: [PATCH 2/3] add zerologon rule
---
 rules/windows/builtin/win_privesc_cve_2020_1472.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
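Review bot: The selection keys `SourceUserName` and `ChangedAttributes|contains` in the new detection block do not match the native fields of Security event 4742, which records the acting account as `SubjectUserName` and exposes the password-change attribute as its own `PasswordLastSet` field (value `-` when it did not change); with the standard Sigma windows/security field names the selection would presumably never match, and the names look borrowed from the Logpoint taxonomy used in the second reference. Suggested change: `SubjectUserName: 'ANONYMOUS LOGON'` in the selection and `PasswordLastSet: '-'` as the filter, verified against a real 4742 record before merging. The `%DC-MACHINE-NAME$%` placeholder is not defined anywhere in the rule and converters without placeholder support will likely reject it, so the description should state that the deploying team must map it to their domain-controller computer accounts, including the trailing `$` the comment refers to.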
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
index 2d8c1d34e..8eb85313f 100644
--- a/rules/windows/builtin/win_privesc_cve_2020_1472.yml
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -17,7 +17,7 @@ detection:
 selection:
 EventID: 4742
 SourceUserName: 'ANONYMOUS LOGON'
- TargetUserName: '%DC-MACHINE-NAME$%' # DC machine account name that ends with '$'
+ TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
 filter:
 ChangedAttributes|contains:
 - 'Password Last Set: -'
From 451187bfbd197cf0625692517596169968ff1082 Mon Sep 17 00:00:00 2001
From: Alexander Akhremchik
Date: Sat, 17 Oct 2020 01:26:02 +0300
Subject: [PATCH 3/3] fixed title capitalization
---
 rules/windows/builtin/win_privesc_cve_2020_1472.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
index 8eb85313f..25f9d8143 100644
--- a/rules/windows/builtin/win_privesc_cve_2020_1472.yml
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
@@ -1,4 +1,4 @@
-title: 'Possible Zerologon (CVE-2020-1472) exploitation'
+title: 'Possible Zerologon (CVE-2020-1472) Exploitation'
 id: dd7876d8-0f09-11eb-adc1-0242ac120002
 status: experimental
 description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
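Review bot: The trailing comment on the changed `TargetUserName` line still says the account name ends with `$`, but this hunk removes the `$` from the placeholder itself, so it is no longer clear whether `%DC-MACHINE-NAME%` is meant to expand to the full computer-account form (a `DC01$`-style name, to give a constructed example) or to a bare host name the reader is expected to suffix. Since the placeholder is resolved outside the rule, make the comment say which, e.g. `# placeholder for the DC computer account(s); the expanded value must include the trailing '$'`. The detection mapping this hunk sits in begins before the hunk, and the third patch in the series only changes title capitalization, which needs no review.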