Internal testing
<?xml version="1.0" encoding="UTF-8"?>
<node><rich_text>-Widespread exploitation of CVE-2020-1472 in the wild
-Server team unaware of the effects of immediately patching DCs in CORP, DEV, ADMIN, CLIENT - concerns with rushing an unknown patch
-Todd sent this article around: </rich_text><rich_text link="webs https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/">https://www.lares.com/blog/from-lares-labs-defensive-guidance-for-zerologon-cve-2020-1472/</rich_text><rich_text>
- Attack generates event code 5805, 4624, and 4742. Is responding to one of these events enough to prevent exploitation while we further test the patch?
- What effects will running this have to combat successful exploitation? </rich_text><rich_text link="webs https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1">https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/reset-computermachinepassword?view=powershell-5.1</rich_text><rich_text>
-Mitigation </rich_text><rich_text style="italic">seems</rich_text><rich_text> to work for now
-Installed patch on SRV01
-Higher ups decided to push an emergency patch to all 4 DCs...
-Need to decommission domain before the auditors come in </rich_text></node>