EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Zerologon via Zeek

The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization's IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.

MITRE ATT&CK

T1190
initial-access

Detection Query

`zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
  | bin span=5m _time
  | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount
    BY _time,src_ip,dest_ip
  | search opscount=3 authcount>4 passcount>0
  | search `detect_zerologon_via_zeek_filter`

Author

Shannon Davis, Splunk

Created

2026-03-10

References

Tags

Detect Zerologon AttackRhysida RansomwareBlack Basta Ransomware
Raw Content
name: Detect Zerologon via Zeek
id: bf7a06ec-f703-11ea-adc1-0242ac120002
version: 9
date: '2026-03-10'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: 'The following analytic detects attempts to exploit the Zerologon CVE-2020-1472 vulnerability via Zeek RPC. It leverages Zeek DCE-RPC data to identify specific operations: NetrServerPasswordSet2, NetrServerReqChallenge, and NetrServerAuthenticate3. This activity is significant because it indicates an attempt to gain unauthorized access to a domain controller, potentially leading to a complete takeover of an organization''s IT infrastructure. If confirmed malicious, the impact could be severe, including data theft, ransomware deployment, or other devastating outcomes. Immediate investigation of the identified IP addresses and RPC operations is crucial.'
data_source: []
search: |-
    `zeek_rpc` operation IN (NetrServerPasswordSet2,NetrServerReqChallenge,NetrServerAuthenticate3)
      | bin span=5m _time
      | stats values(operation) dc(operation) as opscount count(eval(operation=="NetrServerReqChallenge")) as challenge count(eval(operation=="NetrServerAuthenticate3")) as authcount count(eval(operation=="NetrServerPasswordSet2")) as passcount count as totalcount
        BY _time,src_ip,dest_ip
      | search opscount=3 authcount>4 passcount>0
      | search `detect_zerologon_via_zeek_filter`
how_to_implement: You must be ingesting Zeek DCE-RPC data into Splunk. Zeek data should also be getting ingested in JSON format.  We are detecting when all three RPC operations (NetrServerReqChallenge, NetrServerAuthenticate3, NetrServerPasswordSet2) are splunk_security_essentials_app via bro:rpc:json.  These three operations are then correlated on the Zeek UID field.
known_false_positives: No false positives have been identified at this time.
references:
    - https://www.secura.com/blog/zero-logon
    - https://github.com/SecuraBV/CVE-2020-1472
    - https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
    - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-319a
rba:
    message: Potential Zerologon activity detected
    risk_objects:
        - field: dest_ip
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Detect Zerologon Attack
        - Rhysida Ransomware
        - Black Basta Ransomware
    asset_type: Network
    cve:
        - CVE-2020-1472
    mitre_attack_id:
        - T1190
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network