Skip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

Three attack scenarios after ZeroLogon exploit

By 23 February 2021 April 9th, 2023 Blog, CERT
aanvalsscenario's na misbruik ZeroLogon

In recent months, the Tesorion CERT (T-CERT) identified an attacker that was able to execute commands, using an account with Domain Administator privileges, only three minutes after initial access. Further analysis identified exploitation of the ZeroLogon vulnerability (CVE-2020-1472).

We investigated three possible attack scenarios which an attacker could use after exploiting the ZeroLogon vulnerability. The T-CERT simulated each scenario to identify Indicators of Compromise which are related to these attack scenarios when carried out using the Mimikatz tool.

Brute force authentication of the ZeroLogon vulnerability

The above illustration shows the network traffic used to exploit the vulnerability. You can see a brute force of the authentication which we describe in detail in the white paper ZeroLogon: Exploit, Detect & Mitigate.

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.