This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Create Post
code_heaven
Level 9
‎10-05-2020 03:53 AM

ZeroLogon Exploitation Rule set

Jump to solution

Hello,

Has anyone been able to come up with a custom rule to detect ZeroLogon vulnerability exploitation? I will like to here from anyone that has created a rule.

cheers!!!

0 Kudos
Reply
2 Solutions
ihsanjhakeem
Level 8
3 weeks ago

Jump to solution
you can create something like this
 
Rule is true when
ServiceWarning.ProviderSID
is equal to *5828
OR
 ServiceWarning.ProviderSID
is equal to  *5827
OR
 ServiceWarning.ProviderSID
is equal to *5829
 

View solution in original post

Reply
code_heaven
Level 9
In response to ihsanjhakeem
3 weeks ago

Jump to solution

Thanks. 

Does Solarwinds assist customers in creating custom rules like this, especially when new threats appears in  the InfoSec space? ? e.g. Does Solarwinds have USE CASE like other vendors? 

View solution in original post

0 Kudos
Reply
4 Replies
ihsanjhakeem
Level 8
3 weeks ago

Jump to solution
you can create something like this
 
Rule is true when
ServiceWarning.ProviderSID
is equal to *5828
OR
 ServiceWarning.ProviderSID
is equal to  *5827
OR
 ServiceWarning.ProviderSID
is equal to *5829
 

View solution in original post

Reply
code_heaven
Level 9
In response to ihsanjhakeem
3 weeks ago

Jump to solution

Thanks. 

Does Solarwinds assist customers in creating custom rules like this, especially when new threats appears in  the InfoSec space? ? e.g. Does Solarwinds have USE CASE like other vendors? 

View solution in original post

0 Kudos
Reply
ihsanjhakeem
Level 8
In response to code_heaven
3 weeks ago

Jump to solution

This will have to be created manually or custom rules. I don't think solarwind SEM have constant updates for new rules. 

You can call them for support to create a rule for you.

0 Kudos
Reply
ihsanjhakeem
Level 8
‎10-08-2020 09:54 AM

Jump to solution

Check first if you have any events for this before creating a rule. 

Once you find the event you can create easily 

Here is a script to check 

https://support.microsoft.com/en-us/help/4557233/script-to-help-in-monitoring-event-ids-related-to-c...

 

Please read this 

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channe....

 

0 Kudos
Reply

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification SolarWinds Lab
About THWACK Blogs Federal & Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
© 2021 SolarWinds Worldwide, LLC. All Rights Reserved.