Blog | Oct 06, 2020

Hands-on Threat Research Leads to Resilient Zerologon Detection

Even in the all-too-plentiful world of vulnerabilities and exploits, CVE-2020-1472 (aka Zerologon) is special, receiving a base criticality score of 10/10 under the Common Vulnerability Scoring System (CVSS).

eSentire was by no means the only security vendor pushing out alerts and advisories about Zerologon. Nor were we the only ones to claim to be able to detect an attack. However, to our knowledge, the behavioral Zerologon detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools. This is a subtle—but important—difference.

But before we dive into detections, let’s first quickly review why Zerologon is causing such a ruckus in cybersecurity circles.

From vulnerability to exploit

Without going too deep into the technical details, Zerologon allows an attacker who has already gained Initial Access to achieve Privilege Escalation, acquiring the ability to execute remote code, disable security features and change computer passwords in Active Directory (AD).

Zerologon was discovered by researchers at Secura and was announced on August 11 as part of the Microsoft August 2020 Security Updates patch. On September 11—after allowing a month for IT administrators to apply patches—Secura released technical details and a test tool. The technical details publication set the clock ticking, as it serves as a how-to guide for security researchers and would-be attackers.

True to expectations, just a few days later, proof of concept (PoC) exploit code was available, prompting eSentire to send, on September 14, a Threat Intelligence Advisory about CVE-2020-1472 in anticipation of seeing attacks in the wild in the very near future. By this point, customers of eSentire’s Managed Vulnerability Service (MVS) already had a local plug-in to quickly and easily determine if they were at risk. Owing to the significant risk associated with this vulnerability, on September 18 the Cybersecurity and Infrastructure Security Agency released a rare emergency directive requiring all US federal agencies to update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.

Needless to say, such directives are reserved for only the most serious of situations.

Attacks become imminent

Finally (so far at least), on September 23 eSentire pushed out an updated advisory, spurred by three new developments:

  • The rising prevalence of PoC exploits, the rapid evolution of exploit code to increase effectiveness and the expectation that Zerologon exploits would soon be included in security tools
  • The CISA/DHS emergency directive
  • The availability of a Zerologon exploit detection capability within esLOG—which we had proactively pushed out to clients almost a week earlier

As noted in the introduction, eSentire’s Zerologon detection capability recognizes the exploit/attack itself, rather than just some associated behavior. To understand why the difference matters, it’s important to recognize that threat actors are constantly evolving their tools, techniques and procedures (TTPs)—and that this constant evolution is adept at finding weak points in cyber defenses.

Differentiated detection for evolving threats

Let’s say today’s generation of Zerologon attackers use a particular tool (say, mimikatz) to do something like this:

ATTACK à ACTION #1 or ACTION #2 or ACTION #3

The other detectors we have seen identify the use of a particular tool (i.e., mimikatz) and spot the follow-on actions, and use the correlation to imply use of Zerologon. That’s fine for stopping this combination of tool and actions, but what happens when attackers realize they’re being stopped? They’ll simply respond by changing tools and tactics to introduce ACTION #4, ACTION #5 and so on. The correlations will fail, the attacks will go undetected, and there’s a window of opportunity for attackers.

Instead of only identifying the actions (which, to be clear, we also do), eSentire’s detector identifies the actual exploit/attack itself. With our esLOG detector in place, it doesn’t matter if an attacker changes tools or quickly churns out new variations of the follow-on actions, because we still spot the original attack. There’s no game of catch-up—so our customers benefit from much more robust protection.

The importance of fist-hand, hands-on research

Analyzing logs isn’t unique to eSentire, so what enabled us to introduce a more powerful detection capability than other security providers?

The moment the technical details dropped, eSentire’s elite Threat Response Unit (TRU) went to work performing their own direct, applied research on CVS-2020-1472, to augment and extend beyond what was available in security forums and other OSINT resources. This deep hands-on exploration and experimentation helps us better understand the threats our customers face and can reveal unique insights and nuances that unlock more effective protection.

In this case, we discovered some aspects of Zerologon exploitation that we haven’t seen published elsewhere, and this insight is what allowed us to develop a uniquely powerful detection capability.

We’ve written elsewhere how important our people are to what we do at eSentire—and that’s because it’s true. Few security companies in the world can bring to bear the same number and caliber of security researchers as we can, and this collection of SOC analysts, threat hunters and security researchers are what allow us to consistently discover and contain even the most sophisticated threats.

It’s a differentiator we’re proud of and—more importantly—it’s one that makes a meaningful difference for our customers.

eSentire Threat Intel

eSentire Threat Intel

Threat Intelligence Research Group