What starting position does this attack require?

The first step is Identify unpatched DC (T1018) — a discovery primitive. Assumed environment: a DC unpatched against CVE-2020-1472 is reachable over RPC.

What is the final impact of this kill-chain?

The final step lands on Reset DC$ password via Netlogon (AD-ZL), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 5 steps · 4 edges

Approved

ZeroLogon (CVE-2020-1472) → Domain takeover

Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Discovery

Identify unpatched DC

T1018 · Remote System Discovery

Credential Access

Forge Golden Ticket with krbtgt

T1558.001 · Golden Ticket

Credential Access

DCSync with empty DC$ password

T1003.006 · DCSync

secretsdump.py -no-pass -just-dc <dom>/<dc>$@<dc>

Privilege Escalation

Restore DC$ password

AD-ZL · ZeroLogon (CVE-2020-1472)

Critical: re-uploading the original $MACHINE.ACC blob avoids breaking DC replication.

Privilege Escalation

Reset DC$ password via Netlogon

AD-ZL · ZeroLogon (CVE-2020-1472)

zerologon_tester.py / set_empty_pw.py — auth bypass via all-zero ClientCredential.

§ Context

Assumed environment: a DC unpatched against CVE-2020-1472 is reachable over RPC. Network access to TCP 135 / dynamic RPC ports on the DC is required.

§ Steps

01
Identify unpatched DCDiscovery
T1018— Remote System Discovery
02
Forge Golden Ticket with krbtgtCredential Access
T1558.001— Golden Ticket
03
DCSync with empty DC$ passwordCredential Access
T1003.006— DCSync
secretsdump.py -no-pass -just-dc <dom>/<dc>$@<dc>
04
Restore DC$ passwordPrivilege Escalation
AD-ZL— ZeroLogon (CVE-2020-1472)
Critical: re-uploading the original $MACHINE.ACC blob avoids breaking DC replication.
05
Reset DC$ password via NetlogonPrivilege Escalation
AD-ZL— ZeroLogon (CVE-2020-1472)
zerologon_tester.py / set_empty_pw.py — auth bypass via all-zero ClientCredential.

§ References

§ Frequently asked

What is the "ZeroLogon (CVE-2020-1472) → Domain takeover" attack path?: Unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password. It chains 5 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Identify unpatched DC (T1018) — a discovery primitive. Assumed environment: a DC unpatched against CVE-2020-1472 is reachable over RPC.
What is the final impact of this kill-chain?: The final step lands on Reset DC$ password via Netlogon (AD-ZL), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

ZeroLogon (CVE-2020-1472) → Domain takeover

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

No creds → Domain Admin via LLMNR poisoning and NTLM relay

Cross-trust attack: child → parent forest via SID History