Primary Search for Local Domain Controller Exploitation by Zerologon
index="<windows_index>" (sourcetype="<windows_sourcetype_security>" OR source="<windows_source_security>") (EventCode="4742" OR EventCode="4624") AND (src_user="*anonymous*" OR member_id="*S-1-0*") `comment("Finds 4624 (logon) and 4742 (computer account changed) events whose acting account is ANONYMOUS LOGON (src_user) or carries the null SID S-1-0-0 (member_id); this is how Zerologon exploitation shows up in the Security log. The two event codes are parenthesised on purpose: in Splunk search AND binds tighter than OR, so without the parentheses every 4742 event would match regardless of the anonymous filter.")`
| eval local_system=mvindex(upper(split(user,"$")),0) `comment("Derives the computer name from the user field, which the Splunk TA for Windows may populate from the Target User. Zerologon resets the domain controller's own machine account password, so the expected evidence is a computer object modified, or a logon performed, under the DC's machine account. The split strips the trailing '$' and the result is upper-cased, i.e. user='NameOfDC$' becomes local_system='NAMEOFDC'.")`
| where upper(mvindex(split(host,"."),0))=local_system `comment("Keeps only events where the host that logged the event is the same computer as the extracted machine account, so an anonymous logon or account change on DC01 under DC01$ matches. where, not search, is needed to compare two fields (search host=local_system would look for the literal string). The host is upper-cased and stripped of any DNS suffix so it compares with the upper-cased local_system.")`
| table _time EventCode dest host ComputerName src_user Account_Name local_system user Security_ID member_id src_nt_domain dest_nt_domain
You can also scope this search to your Active Directory DCs only, for example by restricting host to those machines or, if your DCs follow a consistent naming scheme, with a wildcard on the name. See the linked report for more detail on the CVE itself (CVE-2020-1472).
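The following Python script is an added example, not part of the original page or of Splunk's own content. It re-implements the search's logic over a handful of constructed event records (field names follow the search: EventCode, host, user, src_user, member_id) so the two points that matter can be checked offline: the event-code clause must be parenthesised, and the host comparison must be a field-to-field comparison with the DNS suffix stripped. The sample events, the DNS-suffix normalisation and the SID values are assumptions of this example, not data from the page.

```python
"""Offline re-implementation of the Zerologon (CVE-2020-1472) Splunk search above.

Added example, not part of the original page or of Splunk's own content.
The records below are constructed to mimic the fields the Splunk TA for
Windows extracts from EventCode 4742/4624; no real event log is read.
"""

ZEROLOGON_EVENT_CODES = {"4742", "4624"}

# Constructed sample events (not captured from a real domain controller).
SAMPLE_EVENTS = [
    # 4742 on the DC itself, DC01$ object changed, subject is ANONYMOUS LOGON -> hit
    {"EventCode": "4742", "host": "dc01.corp.example", "user": "DC01$",
     "src_user": "ANONYMOUS LOGON", "member_id": "S-1-0-0"},
    # 4624 anonymous network logon on DC01 for its own machine account -> hit
    {"EventCode": "4624", "host": "DC01", "user": "DC01$",
     "src_user": "ANONYMOUS LOGON", "member_id": ""},
    # 4742 on DC01 performed by a named admin (constructed SID) -> benign, no match
    {"EventCode": "4742", "host": "DC01", "user": "DC01$",
     "src_user": "CORP\\svc_admin", "member_id": "S-1-5-21-1111-2222-3333-1103"},
    # 4624 anonymous, DC01$ used on a file server -> host != account, no match
    {"EventCode": "4624", "host": "fs01", "user": "DC01$",
     "src_user": "ANONYMOUS LOGON", "member_id": ""},
    # unrelated event code -> ignored
    {"EventCode": "4672", "host": "DC01", "user": "DC01$",
     "src_user": "ANONYMOUS LOGON", "member_id": "S-1-0-0"},
]


def is_anonymous_actor(ev):
    """(src_user="*anonymous*" OR member_id="*S-1-0*"); Splunk matches case-insensitively."""
    return ("anonymous" in ev.get("src_user", "").lower()
            or "S-1-0" in ev.get("member_id", ""))


def local_system_name(user):
    """eval local_system=mvindex(upper(split(user,"$")),0): 'DC01$' -> 'DC01'."""
    return user.split("$")[0].upper()


def short_host(host):
    """Drop any DNS suffix and upper-case, so 'dc01.corp.example' compares equal
    to the machine account name 'DC01'. This normalisation is an assumption of
    this example; the page's search compares host and local_system directly."""
    return host.split(".")[0].upper()


def _row(ev, local_system):
    """Subset of the search's table output."""
    return {"EventCode": ev["EventCode"], "host": ev["host"], "user": ev["user"],
            "src_user": ev["src_user"], "member_id": ev["member_id"],
            "local_system": local_system}


def zerologon_hits(events):
    """Search with the intended precedence:
    (EventCode=4742 OR EventCode=4624) AND anonymous actor,
    then keep only events logged by the computer whose account was used."""
    hits = []
    for ev in events:
        if ev.get("EventCode") not in ZEROLOGON_EVENT_CODES:
            continue
        if not is_anonymous_actor(ev):
            continue
        local_system = local_system_name(ev.get("user", ""))
        if short_host(ev.get("host", "")) != local_system:
            continue
        hits.append(_row(ev, local_system))
    return hits


def loose_precedence_hits(events):
    """What the search matches if the event-code clause is left unparenthesised.
    Splunk binds AND tighter than OR, so it reads as
    EventCode=4742 OR (EventCode=4624 AND anonymous actor):
    every 4742 on a DC passes, anonymous or not."""
    hits = []
    for ev in events:
        code = ev.get("EventCode")
        if not (code == "4742" or (code == "4624" and is_anonymous_actor(ev))):
            continue
        local_system = local_system_name(ev.get("user", ""))
        if short_host(ev.get("host", "")) != local_system:
            continue
        hits.append(_row(ev, local_system))
    return hits


if __name__ == "__main__":
    for row in zerologon_hits(SAMPLE_EVENTS):
        print(row)
```

Running the script prints the two constructed hits (the anonymous 4742 and 4624 on DC01); `loose_precedence_hits` additionally returns the admin-performed 4742, which is the false positive the parentheses in the search exist to remove.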