Unsecured Configuration of Netlogon Protocol

critical

Description

The vulnerability described by CVE-2020-1472 ("Zerologon") is a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC): the AES-CFB8 mode used to authenticate secure channel connections is run with an all-zero IV, so an attacker can pass the ServerAuthenticate3 challenge with a zero-filled client credential after a few hundred attempts on average. An unauthenticated attacker who can reach TCP/RPC on a domain controller can then use the unsigned Netlogon channel to reset the DC's machine account password to an empty value, authenticate as that DC, and dump the domain credentials (including krbtgt), which is domain administrator access. Any DC that still accepts unsigned and unsealed Netlogon secure channel connections is exposed.

Solution

The August 11, 2020 (or later) security update must be installed on every domain controller in the forest, and Netlogon enforcement mode must then be enabled on all of them by creating the DWORD value FullSecureChannelProtection = 1 under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters. In enforcement mode the DC rejects Netlogon secure channel connections that are not signed and sealed, which closes the attack. The value has no effect on an unpatched DC. Before enforcing, review Netlogon event ID 5829 in the System log on each DC: it lists non-compliant devices that a patched DC is still allowing in the initial deployment phase and that will be denied (events 5827 and 5828) once enforcement is on. Only devices that genuinely cannot be updated should be excepted through the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy (allowed connections are then logged as 5830/5831). Updates released on February 9, 2021 turn enforcement mode on by default, but the explicit value should still be set and audited so the setting cannot silently regress.
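The following PowerShell script is an added example (not part of this indicator page or of any vendor tool) that audits, and with -Enforce also applies, the registry value described above on every domain controller in the forest and reports which non-compliant clients each DC has logged in the last week. It assumes the RSAT ActiveDirectory module, PowerShell Remoting to each DC, an account with local administrator rights on the DCs, and that the DCs already carry the August 2020 update.

```powershell
# Added example: audit and optionally enforce Netlogon secure channel
# protection on all DCs in the forest. Assumptions: ActiveDirectory module,
# WinRM access to every DC, admin rights on the DCs, DCs already patched.
param(
    [switch]$Enforce   # set FullSecureChannelProtection=1 instead of only reporting
)

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$regName = 'FullSecureChannelProtection'

# Enumerate every DC in every domain of the forest, not only the current domain.
$dcs = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain |
        Select-Object -ExpandProperty HostName
}

$report = Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $regName, $Enforce.IsPresent -ScriptBlock {
    param($path, $name, $enforce)

    $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    if ($enforce -and $value -ne 1) {
        # DWORD 1 = enforcement mode: the DC rejects Netlogon secure channel
        # connections that are not signed and sealed (events 5827/5828 when denied).
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        $value = 1
    }

    # Event 5829 is logged while a vulnerable connection is still being allowed.
    # Its first event property carries the machine account (SamAccountName) that
    # connected; every entry is a device that will break once enforcement is on.
    $since = (Get-Date).AddDays(-7)
    $vulnerableClients = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5829; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[0].Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        DC                          = $env:COMPUTERNAME
        FullSecureChannelProtection = $value
        Enforced                    = ($value -eq 1)
        VulnerableClientsLast7Days  = ($vulnerableClients -join ', ')
    }
}

# Any DC with Enforced = False still accepts the connections Zerologon abuses.
$report | Sort-Object DC | Format-Table DC, Enforced, FullSecureChannelProtection, VulnerableClientsLast7Days -AutoSize
```

Run it once without -Enforce, resolve or explicitly except every client listed under VulnerableClientsLast7Days, then run it with -Enforce; a DC that reports an empty FullSecureChannelProtection on a pre-February 2021 patch level is still exploitable and should be treated as a finding.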

See Also

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

[MS-NRPC]: Netlogon Remote Protocol

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Indicator Details

Name: Unsecured Configuration of Netlogon Protocol

Codename: C-NETLOGON-SECURITY

Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0008 (Lateral Movement)

Techniques: T1210 (Exploitation of Remote Services)

Attacker Known Tools

Dirk-jan Mollema: CVE-2020-1472 POC

Benjamin Delpy: Mimikatz - LsaDump Zerologon