Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
The Zerologon vulnerability is well known and can be exploited by code that is publicly available. An unauthenticated attacker, with network access to the vulnerable domain controller, could easily acquire domain administrator privileges and compromise a full domain on a Windows environment.
Kill Chain
Risk Score
92
An important component of Active Directory (AD) is the Netlogon remote procedure call (RPC) interface, which is available on domain controllers (DCs). Netlogon supports tasks relating to user and computer authentication, including NTLM authentication. The password of a computer account (that is stored in AD) can also be changed with Netlogon. An attacker exploits the Zerologon vulnerability by taking advantage of a cryptographic weakness in the Netlogon implementation of the AES-CFB8 encryption mode. The attacker sends several Netlogon RPC messages (NetrServerAuthenticate) with null values in various fields (1). One of the messages results in successful authentication, giving the attacker access to the DC (2). The attacker is now able to change the computer account password of the DC by sending another Netlogon RPC message (NetrServerPasswordSet) (3). With control of the password, the attacker can run tools on the DC—such as secretsdump.py or DCSync—to collect the user credentials of the domain administrator.
