Under Review

T1078 - CVE-2020-1472 - Netlogon

This is an older vulnerability but still nice to showcase the capabilities of how XDR can discover CVEs.

This query will search and detect Windows vulnerability affecting the Netlogon feature. 

Sophos Security Bulletin: https://community.sophos.com/b/security-blog/posts/microsoft-cve-2020-1472-netlogon-elevation-of-privilege-vulnerability-aka-zerologon

SELECT * FROM  sophos_windows_events
WHERE source = "Security"
AND (eventid LIKE '4742'
AND data LIKE regex_match(data,"\{\\\"EventData\\\":\{.+\\\"SubjectUserSid\\\":\\\"S-1-5-7\\\"PasswordLastSet\\\":\\\"[^-].+\}$",0)

NOTE: results do not guarantee you are compromised. Please interpret them on an individual basis. Microsoft patched this vulnerability in 2020 and another updated feature patch in 2021.