In recent months, the Tesorion CERT (T-CERT) identified an attacker that was able to execute commands, using an account with Domain Administrator privileges, only three minutes after initial access. Further analysis identified exploitation of the ZeroLogon vulnerability (CVE-2020-1472).
We investigated three possible attack scenarios which an attacker could use after exploiting the ZeroLogon vulnerability. The T-CERT simulated each scenario to identify Indicators of Compromise which are related to these attack scenarios when carried out using the Mimikatz tool.