The Zerologon exploiter exploits CVE-2020-1472.
An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC).
To download the relevant security update and read more, click here.
This exploiter is not safe for production or other sensitive environments. It is, therefore, not enabled by default.
During successful exploitation, the Zerologon exploiter:
While the Zerologon exploiter is usually successful in reverting its changes and restoring the original passwords, it sometimes fails. Restoring passwords manually after the Zerologon exploiter has run is nontrivial. For information on restoring the original passwords, see the section on manually restoring your passwords.
To minimize the risk posed by this exploiter, it is recommended that this exploiter be run only against VMs with a recent snapshot and only in testing or staging environments.
This exploiter attempts to restore the original passwords after exploitation. It is usually successful, but it sometimes fails. If this exploiter has changed a password but was unable to restore the original, you can try the following methods to restore the original password.
If the affected system is a virtual machine, the simplest way to restore it to a working state is to revert to a recent snapshot.
If you are unable to log in as the administrator, you can follow the instructions here to regain access to the system.
If you are able to login as the administrator, you can use the Reset-ComputerMachinePassword powershell command to restore the domain controller’s password.
If all other approaches fail, you can try the tools and steps found here.