Detecting the presence of SharpZeroLogon tool
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon to be enabled for proper functioning.
Rule type:
Correlation rule
Rule description:
This correlation rule identifies execution of SharpZeroLogon.exe, a tool built to exploit CVE-2020-1472 (Zerologon), a flaw in the Netlogon Remote Protocol that lets an attacker with network access to a domain controller reset the DC's machine account password and take over the AD domain without any credentials.
Data source:
Windows: process, script, user account
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0006 - Credential Access, TA0009 - Collection, TA0005 - Defense Evasion, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0001 - Initial Access
Techniques: T1606 - Forge Web Credentials, T1003 - OS Credential Dumping, T1560 - Archive Collected Data, T1078 - Valid Accounts
Criteria:
Original file name ends with "SharpZeroLogon.exe": This condition checks the OriginalFileName field that Sysmon records in Event ID 1 (process creation). Sysmon reads this value from the executable's PE version resource rather than from the path, so the condition still fires when the attacker renames the binary on disk; it does not fire if the tool was recompiled with a different assembly name.
Process name ends with "SharpZeroLogon.exe": This condition checks the image path of the process being created and catches the tool when it is run under its original file name.
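The following is an added example, not code from the rule library or from the SharpZeroLogon project. It applies the two criteria above to constructed Sysmon Event ID 1 records in Windows event XML form; the hostnames, file paths, user names and command lines in the sample events are invented for illustration. The third sample shows why the OriginalFileName check matters: the binary was renamed to update.exe, yet the version resource still identifies it. The fourth sample shows the rule's blind spot: a rebuilt copy with a different assembly name matches neither criterion.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Sysmon writes its events in this shape).
EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
TOOL_NAME = "sharpzerologon.exe"  # compared case-insensitively, as NTFS names are


def _event(image, original, cmdline, user):
    """Build a minimal Sysmon Event ID 1 record (constructed sample data)."""
    return f"""<Event xmlns="{EVT_NS}">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="Image">{image}</Data>
    <Data Name="OriginalFileName">{original}</Data>
    <Data Name="CommandLine">{cmdline}</Data>
    <Data Name="User">{user}</Data>
  </EventData>
</Event>"""


# Constructed sample events (paths, hosts and users are hypothetical).
SAMPLE_EVENTS = [
    # benign process, must not alert
    _event(r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
           "notepad.exe", "CORP\\alice"),
    # tool run under its own name: both criteria match
    _event(r"C:\Users\bob\Downloads\SharpZeroLogon.exe", "SharpZeroLogon.exe",
           "SharpZeroLogon.exe dc01.corp.example", "CORP\\bob"),
    # renamed on disk, but the PE version resource still says SharpZeroLogon.exe
    _event(r"C:\Temp\update.exe", "SharpZeroLogon.exe",
           "update.exe dc01.corp.example", "CORP\\bob"),
    # recompiled with a different assembly name: neither criterion matches
    _event(r"C:\Temp\zl.exe", "zl.exe",
           "zl.exe dc01.corp.example", "CORP\\bob"),
]


def parse_event(xml_text):
    """Flatten a Windows event XML record into a dict of EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "")
              for d in root.iter(f"{{{EVT_NS}}}Data")}
    eid = root.findtext(f"{{{EVT_NS}}}System/{{{EVT_NS}}}EventID")
    fields["EventID"] = int(eid) if eid else None
    return fields


def matches_rule(fields):
    """Return the list of criteria that matched, or None if the rule is silent."""
    if fields.get("EventID") != 1:          # only process-creation events apply
        return None
    original = fields.get("OriginalFileName", "").lower()
    image = fields.get("Image", "").lower()
    reasons = []
    if original.endswith(TOOL_NAME):        # criterion 1: PE version resource name
        reasons.append("OriginalFileName")
    if image.endswith(TOOL_NAME):           # criterion 2: image path of the process
        reasons.append("Image")
    return reasons or None


def run_rule(events):
    """Evaluate every event and return one alert record per match."""
    alerts = []
    for xml_text in events:
        fields = parse_event(xml_text)
        reasons = matches_rule(fields)
        if reasons:
            alerts.append({"image": fields["Image"],
                           "original": fields["OriginalFileName"],
                           "user": fields["User"],
                           "matched_on": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts: one for the unrenamed tool (both criteria) and one for update.exe (OriginalFileName only). The rebuilt zl.exe passes silently, which is why this rule should be paired with detections on the Netlogon side (for example, unexpected machine account password resets on domain controllers) rather than relied on alone.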
When to enable this rule:
Enable this rule when you suspect unauthorized access attempts or unusual activity related to domain controllers.
Compliance mapping (NIST, CIS):
Enabling this rule will help you meet the below requirements of regulatory standards and compliance mandates pertaining to detection of malicious software installations.
NIST Cybersecurity Framework (CSF):
- Anomalies in System Process Execution (DE.AE-1): Detection of suspicious process executions or command-line arguments indicative of SharpZeroLogon usage, such as attempts to exploit the Netlogon vulnerability.
- Irregular Access to Credential Stores (DE.CM-1): Identification of unauthorized access attempts or modifications related to credential stores or system services.
- Security Log Anomalies (DE.CM-7): Alerting on activities indicating attempts to exploit authentication vulnerabilities or escalate privileges.
CIS:
- Control 8: Malware Defense: Implement mechanisms to detect and prevent the execution of SharpZeroLogon and similar tools targeting authentication vulnerabilities.
- Control 6: Maintenance, Monitoring, and Analysis of Audit Logs: Continuously monitor audit logs for anomalies indicating SharpZeroLogon usage or suspicious activities targeting authentication mechanisms.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as part of an existing incident or open a new one, and assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and establish the degree of compromise using the Incident Workbench, paying particular attention to the domain controller named on the command line and to any subsequent machine account password changes on it.
- Response: Use Workflows to run an automated response that terminates the identified malicious process and isolates the host pending investigation.