AD-ZLPrivilege Escalation

ZeroLogon (CVE-2020-1472)

Reset a DC's machine account password to empty via Netlogon to take over the domain.

§ Where this technique fits

AD-ZL is catalogued under the Privilege Escalation tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ZeroLogon (CVE-2020-1472) → Domain takeover
Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
step 2 / 5

§ What commonly comes next

01
DCSync
T1003.006 · Credential Access
seen 1×
02
Golden Ticket
T1558.001 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ZeroLogon (CVE-2020-1472) → Domain takeover

§ What commonly comes next