
CVE-2020-1472 (Zerologon): Active Exploitation Detection and Emergency Hardening

Security Arsenal Team
June 1, 2026

Introduction

The Centre for Cybersecurity Belgium (CCB) has issued a critical warning confirming that threat actors are actively exploiting CVE-2020-1472, widely known as Zerologon. This is not a theoretical risk; it is a critical authentication bypass vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC) that allows an unauthenticated attacker with network access to a Domain Controller (DC) to completely compromise the Active Directory (AD) forest.

With a CVSS score of 10.0, this vulnerability represents a "path to God" for adversaries. Successful exploitation allows an attacker to impersonate any machine, including the DC itself, reset the DC machine account password, and gain Domain Administrator privileges. Given the active exploitation status, defenders must assume breach and prioritize detection alongside emergency patching.

Technical Analysis

  • CVE ID: CVE-2020-1472
  • CVSS Score: 10.0 (Critical)
  • Affected Products: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 (Specifically Domain Controllers).
  • Component: Netlogon Remote Protocol (MS-NRPC)
  • Vulnerability Mechanism: The flaw stems from a cryptographic error in Netlogon's use of AES-128 in CFB8 mode: the initialization vector is fixed to all zeros. By sending all-zero values during the Netlogon authentication handshake, an attacker can pass authentication without knowing the machine account password and then bypass the session's signing and sealing entirely.
  • Attack Chain:
    1. Unauthenticated network access to the Domain Controller via TCP port 445 (SMB/MSRPC).
    2. Attacker sends a sequence of Netlogon RPC authentication calls carrying all-zero values, passing authentication and negotiating a session without signing and sealing.
    3. Attacker calls the NetrServerPasswordSet2 RPC method to change the DC computer account password to an empty string.
    4. Attacker impersonates the DC, establishes a Machine Account (MA) credential, and requests a Ticket Granting Ticket (TGT).
    5. Attacker uses the DC's replication privileges (DCSync over the Directory Replication Service, DRS) to dump all NTLM hashes held in NTDS.dit.
  • Exploitation Status: Confirmed active exploitation in the wild. Proof-of-Concept (PoC) exploit code is public and widely integrated into offensive tools.
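The CFB8 defect described above, as an added illustration that is not part of this advisory: a keyed SHA-256 function stands in for AES-128 (an assumption; the weakness is structural, not AES-specific), and the code shows that with a fixed all-zero IV, roughly one key in 256 turns an all-zero input of any length into all-zero output, while a non-zero IV removes that property.

```python
import hashlib
import random

BLOCK = 16

def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption (assumption: a keyed PRF built from
    SHA-256 suffices, because the defect below does not depend on the cipher)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8: each plaintext byte is XORed with the first byte of E_k(shift register),
    and the resulting ciphertext byte is shifted into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)

def first_keystream_byte_is_zero(key: bytes) -> bool:
    """The only condition that matters when IV and input are both zero."""
    return block_encrypt(key, bytes(BLOCK))[0] == 0

def zero_output_with_zero_iv(key: bytes, length: int = 8) -> bool:
    """Netlogon's credential computation used a fixed all-zero IV. For an all-zero
    input the output is all zeros exactly when the first byte of E_k(0^16) is 0:
    the register then never changes, whatever the input length."""
    return cfb8_encrypt(key, bytes(BLOCK), bytes(length)) == bytes(length)

def fraction_of_weak_keys(trials: int, iv: bytes, seed: int = 1) -> float:
    """Share of random keys whose CFB8(iv, 0^8) output is all zeros: about 1/256
    for the zero IV, negligible (2^-64) for any other fixed or random IV."""
    rnd = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = rnd.getrandbits(128).to_bytes(BLOCK, "big")
        if cfb8_encrypt(key, iv, bytes(8)) == bytes(8):
            hits += 1
    return hits / trials

def find_weak_key(seed: int = 2) -> bytes:
    """Return the first key from a seeded generator that has the property."""
    rnd = random.Random(seed)
    while True:
        key = rnd.getrandbits(128).to_bytes(BLOCK, "big")
        if first_keystream_byte_is_zero(key):
            return key
```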

Detection & Response

Active exploitation of Zerologon often leaves specific artifacts in the Security Event Log regarding computer account changes and suspicious authentication failures. The following rules and queries are designed to hunt for the immediate effects of the exploit: specifically, the password reset of the DC account.

Sigma Rules

YAML
---
title: Zerologon - DC Machine Account Password Reset
id: 852e413d-fc28-4e3d-9e5b-7f3e1f5c9d1e
status: experimental
description: Detects a computer account password change performed over an unauthenticated Netlogon channel (Subject is ANONYMOUS LOGON), the key post-exploitation step in CVE-2020-1472.
references:
  - https://support.microsoft.com/en-us/help/4557222
author: Security Arsenal
date: 2020/09/12
tags:
  - attack.privilege_escalation
  - attack.t1078
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4742
    SubjectUserName: 'ANONYMOUS LOGON'
    TargetUserName|endswith: '$'
  filter_no_password_change:
    PasswordLastSet: '-'   # 4742 reports '-' when the attribute did not change
  condition: selection and not filter_no_password_change
falsepositives:
  - Legitimate scheduled password changes for computer accounts (rare for DCs manually)
level: critical
---
title: Potential Zerologon Exploit Tool Execution
id: 9f8b1c2d-3e4a-4f5b-9e6c-7d8e9f0a1b2c
status: experimental
description: Detects execution of known public PoC scripts or tools related to CVE-2020-1472 (Zerologon).
references:
  - https://github.com/dirkjanm/CVE-2020-1472
author: Security Arsenal
date: 2020/09/12
tags:
  - attack.execution
  - attack.t1059.006
logsource:
  category: process_creation
  product: windows
detection:
  selection_script:
    Image|endswith:
      - '\python.exe'
      - '\python3.exe'
    CommandLine|contains:
      - 'zerologon'
      - 'cve-2020-1472'
  selection_mimikatz:
    CommandLine|contains:
      - 'mimikatz'
      - 'lsadump::zerologon'
      - 'lsadump::dcsync'
  condition: 1 of selection_*
falsepositives:
  - Security administrators testing patch status
level: high

KQL (Microsoft Sentinel / Defender)

This query hunts for Event ID 4742 (A computer account was changed) specifically targeting the Domain Controller accounts. This is the most reliable indicator of successful Zerologon exploitation.

KQL — Microsoft Sentinel / Defender
// Computer account password changes not performed by the account itself.
// Replace the list with your own DC computer accounts (placeholder names).
let DcAccounts = dynamic(["DC01$", "DC02$"]);
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4742
| where TargetUserName endswith "$"
| where PasswordLastSet != "-"   // the password attribute actually changed
| where SubjectUserName == "ANONYMOUS LOGON" or SubjectUserName != TargetUserName
| extend IsDC = TargetUserName in~ (DcAccounts)
| project TimeGenerated, Computer, SubjectUserName, TargetUserName, SamAccountName, PasswordLastSet, IsDC
| sort by TimeGenerated desc
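The same 4742 logic applied offline to exported events, as an added example that is not from this advisory: a small Python triage over constructed EVTX-style XML records (DC01$, WS01$ and the host names are placeholders), which keeps only password changes to DC computer accounts that the account did not perform itself.

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"

def make_4742(subject, target, password_last_set, computer="DC01.corp.example"):
    """Build a constructed Security event 4742 in EVTX XML layout (sample data)."""
    fields = {"SubjectUserName": subject, "TargetUserName": target,
              "SamAccountName": target, "PasswordLastSet": password_last_set}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS}"><System><EventID>4742</EventID>'
            f'<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>')

def parse_event(xml_text):
    """Flatten EventID, Computer and every EventData/Data element into a dict."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": root.findtext(f"{{{NS}}}System/{{{NS}}}EventID"),
          "Computer": root.findtext(f"{{{NS}}}System/{{{NS}}}Computer")}
    for d in root.iterfind(f"{{{NS}}}EventData/{{{NS}}}Data"):
        ev[d.get("Name")] = d.text or ""
    return ev

def is_suspicious_reset(ev, dc_accounts):
    """Password change on a DC computer account not done by the account itself.
    ANONYMOUS LOGON is the subject the unauthenticated Netlogon path leaves behind."""
    if ev.get("EventID") != "4742":
        return False
    target = ev.get("TargetUserName", "")
    if not target.endswith("$") or target.upper() not in dc_accounts:
        return False
    if ev.get("PasswordLastSet", "-") == "-":   # 4742 reports '-' when unchanged
        return False
    subject = ev.get("SubjectUserName", "")
    return subject == "ANONYMOUS LOGON" or subject.upper() != target.upper()

def triage(xml_events, dc_accounts):
    """Return (Computer, SubjectUserName, TargetUserName) for each flagged event."""
    dcs = {a.upper() for a in dc_accounts}
    return [(ev["Computer"], ev["SubjectUserName"], ev["TargetUserName"])
            for ev in map(parse_event, xml_events) if is_suspicious_reset(ev, dcs)]

# Constructed samples: an exploit-style reset, a legitimate self-change,
# a non-password attribute change, and a workstation account change.
SAMPLE_EVENTS = [
    make_4742("ANONYMOUS LOGON", "DC01$", "9/14/2020 10:32:07 AM"),
    make_4742("DC01$", "DC01$", "9/01/2020 03:00:00 AM"),
    make_4742("ANONYMOUS LOGON", "DC01$", "-"),
    make_4742("jdoe", "WS01$", "9/14/2020 11:00:00 AM"),
]
```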

Velociraptor VQL

This artifact hunts for the Zerologon patch level by checking the netlogon.dll version on Windows systems. It identifies whether a system is still missing the August 2020 fix.

VQL — Velociraptor
-- Hunt for vulnerable netlogon.dll versions (pre-August 2020 patches).
-- Minimum patched revision (4th version component) per Windows build (3rd component),
-- using the thresholds listed in this advisory. Builds not in the table are not assessed.
LET FixedRevision <= dict(b7601=24111, b9600=19602, b14393=3866,
                          b17763=1397, b18362=1139, b19041=508)
LET Host <= SELECT Fqdn, OS, PlatformVersion FROM info()
LET Netlogon = SELECT FullPath AS Path,
       parse_pe(file=FullPath).VersionInformation.FileVersion AS Version
    FROM glob(globs="C:/Windows/System32/netlogon.dll")
-- FileVersion may carry a suffix such as "(WinBuild...)", so split on dots and spaces
LET Parsed = SELECT Path, Version,
       split(string=Version, sep="[. ]") AS Parts
    FROM Netlogon
SELECT Host[0].Fqdn AS Hostname,
       Host[0].PlatformVersion AS OSVersion,
       Version, Path,
       atoi(string=Parts[3]) < get(item=FixedRevision,
                                   field="b" + Parts[2], default=0) AS Vulnerable
FROM Parsed

Remediation Script (PowerShell)

This script checks if the system is a Domain Controller, verifies the installation of the August 11, 2020 security update (or later), and checks the Netlogon patch enforcement state.

PowerShell
# Check for Zerologon Vulnerability (CVE-2020-1472) Remediation Status
Write-Host "[+] Checking CVE-2020-1472 (Zerologon) Status..."

# 1. Verify if the machine is a Domain Controller (DomainRole 4 = backup DC, 5 = primary DC)
$DomainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
if ($DomainRole -lt 4) {
    Write-Host "[INFO] This machine is not a Domain Controller. Standard patching applies."
    exit 0
}

Write-Host "[ALERT] This machine is a Domain Controller. Patching is CRITICAL."

# 2. Check for the specific HotFix IDs for Aug 2020 Update
# KB4575686 (Win 2008 R2), KB4575688 (Win 2012/R2), KB4575684 (Win 2016), KB4575683 (Win 2019)
# Later cumulative updates supersede these IDs, so a miss here is not proof of exposure.
$PatchIDs = @("KB4575686", "KB4575688", "KB4575684", "KB4575683", "KB4577016", "KB4577015")
$InstalledPatches = Get-HotFix | Select-Object -ExpandProperty HotFixID

$PatchInstalled = $false
foreach ($ID in $PatchIDs) {
    if ($InstalledPatches -contains $ID) {
        Write-Host "[SUCCESS] Critical Patch $ID is installed."
        $PatchInstalled = $true
    }
}

if (-not $PatchInstalled) {
    Write-Host "[WARN] None of the August 2020 patch IDs found; relying on the Netlogon.dll version check."
}

# 3. Check Netlogon.dll version against the minimum patched revision for this build
# (thresholds as listed in this advisory; builds not in the table are reported but not assessed)
$MinRevision = @{ 7601 = 24111; 9600 = 19602; 14393 = 3866; 17763 = 1397; 18362 = 1139; 19041 = 508 }
$NetlogonPath = "$env:SystemRoot\System32\netlogon.dll"
if (Test-Path $NetlogonPath) {
    $Ver = (Get-Item $NetlogonPath).VersionInfo.FileVersionRaw   # [System.Version]
    Write-Host "[INFO] Current Netlogon.dll Version: $Ver"
    if ($MinRevision.ContainsKey($Ver.Build)) {
        if ($Ver.Revision -ge $MinRevision[$Ver.Build]) {
            Write-Host "[SUCCESS] Netlogon.dll is at or above the patched revision."
        } else {
            Write-Host "[CRITICAL] Netlogon.dll is below the patched revision. System is vulnerable to Zerologon."
        }
    } else {
        Write-Host "[INFO] Build $($Ver.Build) is not in the threshold table; verify manually."
    }
} else {
    Write-Host "[ERROR] Netlogon.dll not found."
}

# 4. Check the Netlogon enforcement state (KB4557222): FullSecureChannelProtection = 1
#    turns on enforcement mode ahead of the early-2021 enforcement-phase update.
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
$Enforce = (Get-ItemProperty -Path $RegPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($Enforce -eq 1) {
    Write-Host "[SUCCESS] FullSecureChannelProtection is set to 1 (enforcement mode)."
} else {
    Write-Host "[INFO] FullSecureChannelProtection is not set; enforcement relies on the early-2021 update being installed."
}

Write-Host "[+] Recommendation: Apply the latest cumulative update immediately and enable enforcement mode via the registry value above if supported by your environment."

Remediation

  1. Patch Immediately: Apply the August 11, 2020 security updates (or later cumulative updates) to all Domain Controllers immediately. This is the only way to fully secure the vulnerable cryptographic implementation.

    • Windows Server 2008 R2: KB4575686
    • Windows Server 2012 / 2012 R2: KB4575688
    • Windows Server 2016: KB4575684
    • Windows Server 2019: KB4575683 / KB4577016
    • Note: Windows updates from August 2020 onward contain the fix.
  2. Monitor for Enforce Mode: The patches initially ran in "compatibility mode" (logging only) to allow time for testing non-compliant devices. Full enforcement (blocking vulnerable connections) was turned on by updates in early 2021. Ensure your DCs are fully updated so that secure RPC enforcement is in effect.

  3. Reset DC Passwords: If you suspect you have been compromised, simply patching is not enough. The attacker may have already established persistence. You must reset the password for the Domain Controller machine account and the KRBTGT account twice to invalidate any cached Kerberos tickets.

  4. Official Advisory: Refer to Microsoft Security Advisory CVE-2020-1472 for detailed guidance on patching and non-Windows device compatibility.
