Suspicious DC Password Change

CVE-2020-1472, rated critical and known as Zerologon, abuses a cryptographic flaw in the Netlogon protocol that lets an attacker establish a Netlogon secure channel with a domain controller while impersonating any computer account. From there, several post-exploitation techniques can be used to escalate privileges, such as changing the domain controller machine account password, coercing authentication, and running DCSync attacks. The Zerologon exploit itself, the spoofed Netlogon authentication bypass (addressed by the IOA 'Zerologon Exploitation'), is often confused with the post-exploitation activity that follows it. This indicator focuses on one of those post-exploitation activities that can be used in conjunction with the Netlogon vulnerability: the modification of the domain controller machine account password.
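An added example, not part of the original indicator description, of the defender-side check this indicator implies: it walks constructed computer-account password-change events (loosely modelled on Windows event 4742, but the fields and values are assumptions) and flags domain controller accounts whose password was rotated faster than the Maximum machine account password age policy or by a subject other than the account itself. The DC list, the 30-day policy value, and the event layout are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, target computer account, subject that made the change).
# These are made up for the example, not real log output.
SAMPLE_EVENTS = [
    ("2024-03-01T02:10:00", "DC01$", "DC01$"),            # routine self-rotation
    ("2024-03-31T02:12:00", "DC01$", "DC01$"),            # 30 days later: within policy
    ("2024-04-02T13:45:00", "DC01$", "DC01$"),            # 2 days later: far too soon
    ("2024-04-02T13:46:00", "DC02$", "ANONYMOUS LOGON"),  # changed by something other than DC02$
    ("2024-04-05T09:00:00", "WS-SALES01$", "WS-SALES01$"),  # member workstation: out of scope
]

DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}      # assumption: the domain's DC computer accounts
MAX_PASSWORD_AGE = timedelta(days=30)        # "Domain member: Maximum machine account password age" default


@dataclass
class Finding:
    timestamp: str
    account: str
    reason: str


def find_suspicious_dc_password_changes(events, dcs=DOMAIN_CONTROLLERS, max_age=MAX_PASSWORD_AGE):
    """Return findings for DC machine-account password changes that break the normal rotation pattern."""
    last_change = {}
    findings = []
    for ts, target, subject in sorted(events, key=lambda e: e[0]):
        if target not in dcs:
            continue                      # only domain controller accounts are in scope
        when = datetime.fromisoformat(ts)
        # Normal rotation is performed by the machine itself on its own account.
        if subject != target:
            findings.append(Finding(ts, target, f"changed by {subject!r}, not by the account itself"))
        # Normal rotation happens no more often than the policy's maximum age allows.
        prev = last_change.get(target)
        if prev is not None and when - prev < max_age:
            days = (when - prev).days
            findings.append(Finding(ts, target, f"rotated after {days} days, below the {max_age.days}-day policy"))
        last_change[target] = when
    return findings


if __name__ == "__main__":
    for f in find_suspicious_dc_password_changes(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.account}: {f.reason}")
```

A deliberate administrator reset with Netdom (referenced under See Also) produces the same pattern, so findings should be reconciled against change records before being treated as exploitation.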

See Also

MITRE ATT&CK description

Security policy settings - Domain member: Maximum machine account password age

Use Netdom.exe to reset machine account passwords of a Windows Server domain controller

Machine Account Password Process

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

Indicator Details

Name: Suspicious DC Password Change

Codename: I-DcPasswordChange

Severity: Critical

MITRE ATT&CK Information:
ID: T1210
Sub-technique of: T1210
Tactic: TA0008