Detections
Analytics
Unsecured Configuration of Netlogon Protocol
critical
Language:
Description
The vulnerability described by CVE-2020-1472 ("Zerologon") allows an unauthenticated attacker to connect to a domain controller to obtain domain administrator access.
Solution
The registry key that forces secure RPC calls for Netlogon protocol should be applied on all DCs in the forest.
See Also
CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472
[MS-NRPC]: Netlogon Remote Protocol
[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)
Indicator Details
Name: Unsecured Configuration of Netlogon Protocol
Codename: C-NETLOGON-SECURITY
Severity: Critical
- Tactic: TA0008 - Lateral Movement
- Techniques: T1210 - Exploitation of Remote Services
Attacker Known Tools
Dirk-jan Mollema: CVE-2020-1472 POC
Benjamin Delpy: Mimikatz - LsaDump Zerologon