Resetting a domain controller's password to nothing (Zerologon)
A flaw in Netlogon let an unauthenticated attacker on the network set a domain controller's machine password to empty, then take the domain. Here is Zerologon, why it was catastrophic, and the fix.
No credentials, just a network path to a domain controller, and the whole domain falls in seconds.
What it is
Zerologon (CVE-2020-1472) was a cryptographic flaw in the Netlogon protocol that let an unauthenticated attacker with network access to a domain controller set the DC's machine-account password to an empty value, then authenticate as that DC and replicate every credential in the domain. In ATT&CK terms this is T1190 (exploit public-facing application) and T1068 (exploitation for privilege escalation) leading into T1558 (steal or forge Kerberos tickets). It became a staple of ransomware intrusions.
Why it works
It required no credentials, only network access, and went from zero to full domain compromise in seconds. Recovery is also tricky, because the password stored on the DC's directory object and the machine password the DC holds locally fall out of sync.
How to detect it
Look for a burst of Netlogon authentication attempts against a domain controller, followed by a machine-account password change for a DC from an unexpected source: Event ID 4742 (a computer account was changed) on the DC's computer object.
The fix that holds
Patch (the August 2020 update plus enforcement mode), enable enforcement so the DC requires a secure Netlogon channel for every connection, and monitor for vulnerable connections. If exploited, reset the DC machine password properly and treat the incident as full domain compromise.
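The two detection signals above (a burst of Netlogon attempts against a DC, then a 4742 password change on the DC's computer object) and the "monitor for vulnerable connections" step of the fix can be checked in one pass over event telemetry. The following is an added example, not tooling from the page or from GraphLattice. The event records are constructed and their field names are simplified (a real SIEM carries them under its own keys); the DC account list is assumed to be fed in from AD. It treats the Netlogon System-log events 5827, 5828 and 5829, which the August 2020 update added for denied or allowed vulnerable secure-channel connections, as the "attempt" signal, and flags a 4742 that changes PasswordLastSet on a DC computer object when the subject is not that DC itself.

```python
"""Zerologon-style detection over constructed Windows event records.

Added example; the events below are constructed, not real telemetry,
and the field names are simplified. Signals checked:
  1. a burst of vulnerable Netlogon secure-channel events (System log
     5827/5828/5829) against one DC account from one source, and
  2. Security event 4742 changing PasswordLastSet on a DC computer
     object where the subject is not that DC itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the set of DC machine accounts is maintained from AD.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
NETLOGON_VULNERABLE_IDS = {5827, 5828, 5829}

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # six vulnerable Netlogon connection events in six seconds, one source
    *[{"time": f"2020-09-14T10:00:0{i}", "id": 5829, "channel": "System",
       "account": "DC01$", "source_ip": "10.0.5.23"} for i in range(6)],
    # the DC's own password then changes, with an anonymous subject
    {"time": "2020-09-14T10:00:07", "id": 4742, "channel": "Security",
     "target": "DC01$", "subject": "ANONYMOUS LOGON",
     "changed": ["PasswordLastSet"]},
    # benign: DC02 rotating its own machine password on schedule
    {"time": "2020-09-14T11:00:00", "id": 4742, "channel": "Security",
     "target": "DC02$", "subject": "DC02$",
     "changed": ["PasswordLastSet"]},
    # benign: a single vulnerable connection from a non-DC device
    {"time": "2020-09-14T12:00:00", "id": 5829, "channel": "System",
     "account": "PRN07$", "source_ip": "10.0.9.4"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_netlogon_bursts(events, threshold=5, window=timedelta(seconds=10)):
    """Return (source_ip, account, count) for each source that produced at
    least `threshold` vulnerable Netlogon events against one DC account
    inside a sliding window of length `window`."""
    per_key = defaultdict(list)
    for ev in events:
        if ev["id"] in NETLOGON_VULNERABLE_IDS and ev["account"] in DOMAIN_CONTROLLERS:
            per_key[(ev["source_ip"], ev["account"])].append(_ts(ev))
    bursts = []
    for (source_ip, account), times in per_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((source_ip, account, best))
    return bursts


def find_dc_password_changes(events):
    """Return (target, subject) for each 4742 that changed PasswordLastSet on
    a DC computer object where the subject is not that DC itself.
    A DC's scheduled self-rotation has subject == target and is ignored."""
    hits = []
    for ev in events:
        if ev["id"] != 4742 or ev["target"] not in DOMAIN_CONTROLLERS:
            continue
        if "PasswordLastSet" not in ev.get("changed", []):
            continue
        if ev["subject"] != ev["target"]:
            hits.append((ev["target"], ev["subject"]))
    return hits


def detect(events):
    """Run both checks and return the findings keyed by signal name."""
    return {"netlogon_bursts": find_netlogon_bursts(events),
            "dc_password_changes": find_dc_password_changes(events)}


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the constructed input the burst check fires for 10.0.5.23 against DC01$ and the password-change check flags DC01$ with an ANONYMOUS LOGON subject, while DC02$'s self-rotation and the single non-DC event are ignored. A deliberate administrative reset of a DC's machine password during recovery will also trip the second check, which is the expected "unexpected source" review point rather than a false positive to tune away.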
Practice it
We built a Zerologon scenario in GraphLattice Range so teams work the detection and the careful recovery the password desync demands.