Onelogon — Netlogon Vulnerable Channel Bypass
1. Summary A publicly disclosed technique, referred to as “Onelogon”, demonstrates a bypass of the Zerologon (CVE-2020-1472) remediation on Active Directory Domain Controllers. The bypass does not target a new flaw in the Netlogon Remote Protocol (MS-NRPC) itself — it targets legacy compatibility exceptions that administrators may have left enabled after the original Zerologon patch cycle (August 2020 – February 2021). Where these exceptions are present and misconfigured, an attacker can re-establish an unauthenticated or weakly authenticated Netlogon secure channel, impersonate a computer account, and in some documented cases escalate to full domain compromise (credential dumping via DCSync-style replication, extraction of NTDS.dit). ...