Three attack scenarios after ZeroLogon exploit

By Tesorion Redactie 23 February 2021 March 10th, 2021 Blog, CERT

No Comments

You are here: Home » Three attack scenarios after ZeroLogon exploit

In recent months, the Tesorion CERT (T-CERT) identified an attacker that was able to execute commands, using an account with Domain Administator privileges, only three minutes after initial access. Further analysis identified exploitation of the ZeroLogon vulnerability (CVE-2020-1472).

We investigated three possible attack scenarios which an attacker could use after exploiting the ZeroLogon vulnerability. The T-CERT simulated each scenario to identify Indicators of Compromise which are related to these attack scenarios when carried out using the Mimikatz tool.

Brute force authentication of the ZeroLogon vulnerability

PCAP-weergave-authenticatie-brute-force-ZeroLogon-kwetsbaarheid

The above illustration shows the network traffic used to exploit the vulnerability. You can see a brute force of the authentication which we describe in detail in the white paper ZeroLogon: Exploit, Detect & Mitigate.

Allow us to introduce ourselves. We are Tesorion.

Tesorion is the largest, 100% Dutch, independent cybersecurity service provider. We combat cybercrime and minimize operational risks for businesses.
Tesorion protects your organization 24/7 thanks to our technology and 180 experts. Read more »

Available

180+

Experts

500

Customers

1000

Sensors

Protected Devices

100

European

Technology

Industries

Other

Locations

Locations

Three attack scenarios after ZeroLogon exploit

Brute force authentication of the ZeroLogon vulnerability

Categories

Other publications

Allow us to introduce ourselves. We are Tesorion.

Cyberincident?

+31 88 27 47 800

24 hours a day, 7 days a week

Leusden

Enschede

Direct to

Solutions

Technology

News

Industries

About

Other

Locations

Locations