Get Group Policy Preferences - Empire Module

This page contains detailed information about how to use the powershell/privesc/zerologon Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Get Group Policy Preferences
Module: powershell/privesc/zerologon
Source code [1]: empire/server/modules/powershell/privesc/zerologon.yaml
Source code [2]: empire/server/data/module_source/privesc/Invoke-ZeroLogon.ps1
MITRE ATT&CK: T1548
Language: PowerShell
Needs admin: No
OPSEC safe: No
Background: No

CVE-2020-1472 or ZeroLogon exploits a flaw in the Netlogon protocol to allow anyone on the network to reset the domain administrators hash and elevate their privileges. This will change the password of the domain controller account and may break communication with other domain controllers. So, be careful!.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the zerologon module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the zerologon module:

Agent
Agent to run on.

fqdn
Fully Qualified Domain Name.

Additional Module Options

---

This is a list of additional options that are supported by the zerologon module:

Reset
Reset target computers password to the default NTLM hash.
Default value: False.

Zerologon Example Usage

---

Here's an example of how to use the zerologon module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/privesc/zerologon

 Author       @hubbl3                                                                
              @Cx01N                                                                 
 Background   False                                                                  
 Comments     https://github.com/BC-SECURITY/Invoke-ZeroLogon                        
 Description  CVE-2020-1472 or ZeroLogon exploits a flaw in the Netlogon protocol to 
              allow anyone on the network to reset the domain administrators hash    
              and elevate their privileges. This will change the password of the     
              domain controller account and may break communication with other       
              domain controllers. So, be careful!                                    
 Language     powershell                                                             
 Name         powershell/privesc/zerologon                                           
 NeedsAdmin   False                                                                  
 OpsecSafe    False                                                                  
 Techniques   http://attack.mitre.org/techniques/T1548                               


,Record Options-,----------,------------------------------------,
| Name  | Value | Required | Description                        |
|-------|-------|----------|------------------------------------|
| Agent |       | True     | Agent to run on.                   |
|-------|-------|----------|------------------------------------|
| Reset | False | False    | Reset target computers password to |
|       |       |          | the default NTLM hash              |
|-------|-------|----------|------------------------------------|
| fqdn  |       | True     | Fully Qualified Domain Name        |
'-------'-------'----------'------------------------------------'

(Empire: usemodule/powershell/privesc/zerologon) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/privesc/zerologon) > set fqdn value
[*] Set fqdn to value
(Empire: usemodule/powershell/privesc/zerologon) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Authors

---

• @hubbl3
• @Cx01N

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/privesc/zerologon.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/privesc/Invoke-ZeroLogon.ps1
• https://github.com/BC-SECURITY/Invoke-ZeroLogon
• http://attack.mitre.org/techniques/T1548
• https://github.com/nccgroup/nccfsas/tree/main/Tools/SharpZeroLogon
• https://www.secura.com/blog/zero-logon

See Also

---

Check also the following modules related to this module:

• powershell/privesc/bypassuac
• powershell/privesc/bypassuac_env
• powershell/privesc/bypassuac_tokenmanipulation
• powershell/privesc/winPEAS
• powershell/privesc/sweetpotato
• powershell/privesc/tater
• powershell/privesc/ms16-135
• powershell/privesc/ask
• powershell/privesc/bypassuac_wscript
• powershell/privesc/mcafee_sitelist
• powershell/privesc/privesccheck
• powershell/privesc/sherlock
• powershell/privesc/ms16-032
• powershell/privesc/bypassuac_eventvwr
• powershell/privesc/printdemon
• powershell/privesc/getsystem
• powershell/privesc/gpp
• powershell/privesc/bypassuac_sdctlbypass
• powershell/privesc/watson
• powershell/privesc/bypassuac_fodhelper
• powershell/privesc/printnightmare
• powershell/privesc/powerup/service_exe_useradd
• powershell/privesc/powerup/write_dllhijacker
• powershell/privesc/powerup/service_stager
• powershell/privesc/powerup/service_exe_restore
• powershell/privesc/powerup/service_exe_stager
• powershell/privesc/powerup/find_dllhijack
• powershell/privesc/powerup/service_useradd
• powershell/privesc/powerup/allchecks

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.