Proceedings of the 20th USENIX WOOT Conference on Offensive Technologies (WOOT)
Microsoft’s Active Directory (AD) is a critical component of the IT infrastructure of numerous enterprises. Thus, security vulnerabilities in AD can have dire consequences for the security posture of an organization’s IT infrastructure. At the core of the AD architecture is the Netlogon Remote Protocol, which is used to manage computer accounts, delegate authentication requests, and perform various other management tasks.
In 2020, Tervoort identified Zerologon, a critical vulnerability in Netlogon, which allowed attackers to fully compromise an AD management domain. In turn, Microsoft released two patches: one aiming to rectify the cryptographic vulnerability that enabled the attack, and the second one to ensure that all Netlogon communication is signed and sealed.
In this paper, we analyze these patches and show that they are insufficient to mitigate the underlying vulnerabilities. We show that the cryptographic patch can be bypassed by an unprivileged attacker within the AD domain. We introduce the Onelogon attack with two distinct variants for varying attacker capabilities, both of which allow an attacker to take over a vulnerable AD account in approximately 30 minutes. If this AD account belongs to a Domain Controller, an attacker can leverage Onelogon to fully compromise the AD domain.
With the goal of mitigating the attacks, we identified their underlying root cause: the incorrect use of AES-CFB8 encryption. Both the earlier Zerologon attack and our new attack exploit how Netlogon incorrectly uses AES-CFB8. Finally, we provide and compare various mitigation and detection approaches for Microsoft and AD operators to prevent account takeover attacks and authentication bypasses, both as short-term measures and as a fundamental fix. Unfortunately, addressing the underlying root cause requires a backward-incompatible change to Netlogon: reimplementing AES-CFB8 correctly.
We disclosed this issue to Microsoft and CERT-Bund, but do not expect any fixes to be forthcoming. In the meantime, we advise users to apply the mitigation and detection strategies outlined in this paper.
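The AES-CFB8 misuse the abstract names as the root cause is easiest to see in code. The following is an added example written for this page; it is not code from the paper or from the linked repository, and it reproduces only the publicly documented Zerologon property (Tervoort, 2020): Netlogon's ComputeNetlogonCredential runs AES-CFB8 over an 8-byte challenge with a fixed all-zero IV (MS-NRPC 3.1.4.4.1), so an attacker who submits an all-zero challenge obtains an all-zero credential for roughly one in 256 session keys. How the Onelogon variants build on this is not described in the abstract and is not shown here. The block carries its own minimal AES-128 so it runs offline; the key sequence it searches is constructed and stands in for the fresh session key derived in each handshake.

```python
# Added example (not the paper's code): pure-Python AES-128 plus the CFB8 mode
# Netlogon uses for ComputeNetlogonCredential (8-byte challenge, all-zero IV).
# It demonstrates the Zerologon property, not the Onelogon attack itself.

def _gmul(a, b):
    """Multiply two bytes in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r

def _build_sbox():
    """Derive the AES S-box: GF(2^8) inverse followed by the affine map."""
    inv = [0] * 256
    for a in range(1, 256):
        inv[a] = next(b for b in range(1, 256) if _gmul(a, b) == 1)
    sbox = []
    for x in inv:
        y = x
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF   # rotate left by one bit
            y ^= x
        sbox.append(y ^ 0x63)
    return sbox

SBOX = _build_sbox()
MUL2 = [_gmul(x, 2) for x in range(256)]
MUL3 = [_gmul(x, 3) for x in range(256)]

def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ 0x1B) & 0xFF if rcon & 0x80 else rcon << 1
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block (forward cipher only, which is all CFB needs)."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                              # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]   # ShiftRows
        if rnd != 10:                                         # MixColumns
            m = []
            for c in range(0, 16, 4):
                a0, a1, a2, a3 = s[c:c + 4]
                m += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3,
                      a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                      a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3],
                      MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]              # AddRoundKey
    return bytes(s)

def aes_cfb8_encrypt(key, iv, plaintext):
    """Generic AES-CFB8: each ciphertext byte is shifted into the 16-byte register."""
    shift = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = p ^ aes128_encrypt_block(key, bytes(shift))[0]
        out.append(c)
        shift = shift[1:] + bytes([c])
    return bytes(out)

ZERO_IV = bytes(16)

def netlogon_credential(session_key, challenge):
    """ComputeNetlogonCredential as specified: AES-CFB8 with a fixed all-zero IV."""
    return aes_cfb8_encrypt(session_key, ZERO_IV, challenge)

def find_zero_credential_key(limit=4096):
    """Walk a constructed, deterministic key sequence (stand-in for the fresh session
    key of each handshake) until one maps an all-zero challenge to an all-zero
    credential. About 1 in 256 keys do: with IV = 0 and input = 0 the first output
    byte is E_k(0)[0], and if that byte is 0 the shift register never changes."""
    for i in range(limit):
        key = i.to_bytes(16, "big")
        if netlogon_credential(key, bytes(8)) == bytes(8):
            return key
    return None

if __name__ == "__main__":
    weak = find_zero_credential_key()
    print("weak session key:", weak.hex())
    print("zero IV (as specified):", netlogon_credential(weak, bytes(8)).hex())
    # A per-message IV (the correct CFB8 construction) denies the attacker the
    # all-zero register state; the IV below is a constructed placeholder.
    print("fresh IV (correct use):", aes_cfb8_encrypt(weak, bytes(range(16)), bytes(8)).hex())
```

Running the script prints the first weak key in the sequence together with the all-zero credential it yields; an attacker who cannot choose the session key simply repeats the handshake until one of the roughly 1-in-256 weak keys occurs, which is why the all-zero IV, rather than any weakness in AES itself, is the defect the abstract points at.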
@inproceedings{woot2026-onelogon,
title = {{Onelogon: Taking over Active Directory Accounts via Netlogon}},
author = {Neff, Alexander and Holl, Tobias and Borgolte, Kevin},
booktitle = {Proceedings of the 20th USENIX WOOT Conference on Offensive Technologies (WOOT)},
code = {https://github.com/rub-softsec/onelogon},
date = {2026-08},
editor = {Bianchi, Antonio and Classen, Jiska},
location = {Baltimore, MD, USA},
publisher = {USENIX Association}
}