Unsecured Configuration of Netlogon Protocol

critical

Description

The vulnerability described by CVE-2020-1472 ("Zerologon") allows an unauthenticated attacker to connect to a domain controller to obtain domain administrator access.

Solution

The registry key that forces secure RPC for the Netlogon protocol should be applied on all domain controllers (DCs) in the forest.
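An added audit example (not part of the original page) that checks every DC in the forest for the enforcement value named in Microsoft's CVE-2020-1472 guidance, `FullSecureChannelProtection` = 1 under the Netlogon `Parameters` key; it assumes the ActiveDirectory RSAT module and WinRM access to each DC.

```powershell
# Added example: audit the Netlogon secure-RPC enforcement value on all forest DCs.
# Assumes RSAT ActiveDirectory module and WinRM (Invoke-Command) access to each DC.
Import-Module ActiveDirectory

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'   # DWORD 1 = enforce secure RPC for all secure channels

# Enumerate DCs across every domain in the forest, not just the current domain.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            param($path, $name)
            # Returns $null when the value has never been set on this DC.
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        } -ArgumentList $keyPath, $valueName
        [pscustomobject]@{
            DomainController            = $dc.HostName
            Domain                      = $dc.Domain
            FullSecureChannelProtection = $value
            Enforced                    = ($value -eq 1)
            Error                       = $null
        }
    } catch {
        # Unreachable DCs are reported as not enforced so they are not silently skipped.
        [pscustomobject]@{
            DomainController            = $dc.HostName
            Domain                      = $dc.Domain
            FullSecureChannelProtection = $null
            Enforced                    = $false
            Error                       = $_.Exception.Message
        }
    }
}

$results | Sort-Object Enforced, DomainController | Format-Table -AutoSize

# DCs where the value is missing or not 1 are the ones this indicator flags.
$results | Where-Object { -not $_.Enforced } | ForEach-Object {
    Write-Warning "Netlogon secure RPC not enforced on $($_.DomainController)"
}

# Remediation on a non-compliant DC (run locally or via Invoke-Command):
# Set-ItemProperty -Path $keyPath -Name $valueName -Value 1 -Type DWord
```

Set the value on every DC, then re-run the audit until no warnings remain.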

See Also

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

[MS-NRPC]: Netlogon Remote Protocol

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Indicator Details

Name: Unsecured Configuration of Netlogon Protocol

Codename: C-NETLOGON-SECURITY

Severity: Critical

MITRE ATT&CK Information:

Attacker Known Tools

Dirk-jan Mollema: CVE-2020-1472 POC

Benjamin Delpy: Mimikatz - LsaDump Zerologon