Unsecured Configuration of Netlogon Protocol



The vulnerability described by CVE-2020-1472 ("Zerologon") allows an unauthenticated attacker to connect to a domain controller to obtain domain administrator access.


The registry key that forces secure RPC calls for the Netlogon protocol should be applied on all domain controllers (DCs) in the forest.
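
One way to audit the recommendation above across the forest, as an added example that is not part of the original page or the vendor's tooling. The value name `FullSecureChannelProtection` and its path come from Microsoft's CVE-2020-1472 guidance (listed under See Also), not from this page. The script assumes the ActiveDirectory RSAT module, WinRM access to each DC, and an account allowed to read HKLM there.

```powershell
# Added example: report the Netlogon secure-RPC enforcement value on every DC in the forest.
Import-Module ActiveDirectory

# Path and value name per Microsoft's CVE-2020-1472 guidance (not stated on this page).
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'FullSecureChannelProtection'

# Hypothetical helper name; reads the value remotely and classifies it.
function Get-NetlogonEnforcementState {
    param([Parameter(Mandatory)][string]$ComputerName)

    try {
        $value = Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            param($Path, $Name)
            # Returns $null when the value does not exist.
            (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        } -ArgumentList $keyPath, $valueName
    } catch {
        # A DC that cannot be queried is reported, not silently skipped.
        return [pscustomobject]@{ DC = $ComputerName; Value = $null; State = "Unreachable: $($_.Exception.Message)" }
    }

    $state = if ($null -eq $value) { 'NotSet' } elseif ($value -eq 1) { 'Enforced' } else { 'NotEnforced' }
    [pscustomobject]@{ DC = $ComputerName; Value = $value; State = $state }
}

# Walk every domain in the forest so child-domain DCs are not missed.
$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        Get-NetlogonEnforcementState -ComputerName $dc.HostName
    }
}

$results | Sort-Object State, DC | Format-Table -AutoSize
```

A missing value is reported as `NotSet` rather than as a failure, because how a DC treats an absent value depends on its patch level; check it against the Microsoft guidance listed under See Also.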

See Also

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

[MS-NRPC]: Netlogon Remote Protocol

[Blog] Zerologon: instantly become domain admin by subverting Netlogon cryptography (CVE-2020-1472)

Indicator Details

Name: Unsecured Configuration of Netlogon Protocol


Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0008

Techniques: T1210

Attacker Known Tools

Dirk-jan Mollema: CVE-2020-1472 POC

Benjamin Delpy: Mimikatz - LsaDump Zerologon