Primary Search for Local Domain Controller Exploitation by Zerologon index=”<windows_index>” (sourcetype=”<windows_sourcetype_security>” OR source=”windows_source_security”) EventCode=”4742″ OR EventCode=”4624″ AND (src_user=”*anonymous*” OR member_id=”*S-1-0*”) `comment(“This looks for all 4624 and 4742 events under an ‘ANONYMOUS USER’, which are tied to the exploitation of Zerologon”)` | eval local_system=mvindex(upper(split(user,”$”)),0) `comment(“This effectively splits the user field, which when parsed with the TA […]