Merge pull request #1016 from NVISO-BE/win_vul_cve_2020_1472
Added win_vul_cve_2020_1472 rule
This commit is contained in:
Florian Roth
@@ -0,0 +1,23 @@
|
||||
title: Vulnerable Netlogon Secure Channel Connection Allowed
|
||||
id: a0cb7110-edf0-47a4-9177-541a4083128a
|
||||
status: experimental
|
||||
description: Detects that a vulnerable Netlogon secure channel connection was allowed, which could be an indicator of CVE-2020-1472.
|
||||
references:
|
||||
- https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
|
||||
author: NVISO
|
||||
date: 2020/09/15
|
||||
tags:
|
||||
- attack.privilege_escalation
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
EventID:
|
||||
- 5829
|
||||
condition: selection
|
||||
fields:
|
||||
- SAMAccountName
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
Reference in New Issue
Block a user