So yes, Zerologon (CVE-2020-1472) is quite easy to exploit. Unauthenticated user to Domain Admin. This is really scary. Run exploit, DCSync with DC account and empty NT hash: you have Domain Admin and a broken DC.
Awesome find by Tom Tervoort 🙂. Patch patch patch! pic.twitter.com/XHRO7n50Qh
— Dirk-jan (@_dirkjan) September 14, 2020
a bruteforce of netlogon activity is not triggering a single event in this log :D, added example of netlogon logs in the EVTX repo for CVE-2020-1472 (ZeroLogon) https://t.co/E06FFC5dme https://t.co/C6nbXxMsc1 pic.twitter.com/AkpW3DmbeF
— Samir (@SBousseaden) September 12, 2020