What We Do
How we do it
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Blog — Oct 06, 2020

Hands-on Threat Research Leads to Resilient Zerologon Detection

4 minutes read
Speak With A Security Expert Now

Even in the all-too-plentiful world of vulnerabilities and exploits, CVE-2020-1472 (aka Zerologon) is special, receiving a base criticality score of 10/10 under the Common Vulnerability Scoring System (CVSS).

eSentire was by no means the only security vendor pushing out alerts and advisories about Zerologon. Nor were we the only ones to claim to be able to detect an attack. However, to our knowledge, the behavioral Zerologon detection capability we implemented in esLOG was the first detector to recognize the exploit/attack itself, rather than either the aftermath or the tools. This is a subtle—but important—difference.

But before we dive into detections, let’s first quickly review why Zerologon is causing such a ruckus in cybersecurity circles.

From vulnerability to exploit

Without going too deep into the technical details, Zerologon allows an attacker who has already gained Initial Access to achieve Privilege Escalation, acquiring the ability to execute remote code, disable security features and change computer passwords in Active Directory (AD).

Zerologon was discovered by researchers at Secura and was announced on August 11 as part of the Microsoft August 2020 Security Updates patch. On September 11—after allowing a month for IT administrators to apply patches—Secura released technical details and a test tool. The technical details publication set the clock ticking, as it serves as a how-to guide for security researchers and would-be attackers.

True to expectations, just a few days later, proof of concept (PoC) exploit code was available, prompting eSentire to send, on September 14, a Threat Intelligence Advisory about CVE-2020-1472 in anticipation of seeing attacks in the wild in the very near future. By this point, customers of eSentire’s Managed Vulnerability Service (MVS) already had a local plug-in to quickly and easily determine if they were at risk. Owing to the significant risk associated with this vulnerability, on September 18 the Cybersecurity and Infrastructure Security Agency released a rare emergency directive requiring all US federal agencies to update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020.

Needless to say, such directives are reserved for only the most serious of situations.

Attacks become imminent

Finally (so far at least), on September 23 eSentire pushed out an updated advisory, spurred by three new developments:

As noted in the introduction, eSentire’s Zerologon detection capability recognizes the exploit/attack itself, rather than just some associated behavior. To understand why the difference matters, it’s important to recognize that threat actors are constantly evolving their tools, techniques and procedures (TTPs)—and that this constant evolution is adept at finding weak points in cyber defenses.

Differentiated detection for evolving threats

Let’s say today’s generation of Zerologon attackers use a particular tool (say, mimikatz) to do something like this:


The other detectors we have seen identify the use of a particular tool (i.e., mimikatz) and spot the follow-on actions, and use the correlation to imply use of Zerologon. That’s fine for stopping this combination of tool and actions, but what happens when attackers realize they’re being stopped? They’ll simply respond by changing tools and tactics to introduce ACTION #4, ACTION #5 and so on. The correlations will fail, the attacks will go undetected, and there’s a window of opportunity for attackers.

Instead of only identifying the actions (which, to be clear, we also do), eSentire’s detector identifies the actual exploit/attack itself. With our esLOG detector in place, it doesn’t matter if an attacker changes tools or quickly churns out new variations of the follow-on actions, because we still spot the original attack. There’s no game of catch-up—so our customers benefit from much more robust protection.

The importance of fist-hand, hands-on research

Analyzing logs isn’t unique to eSentire, so what enabled us to introduce a more powerful detection capability than other security providers?

The moment the technical details dropped, eSentire’s elite Threat Response Unit (TRU) went to work performing their own direct, applied research on CVS-2020-1472, to augment and extend beyond what was available in security forums and other OSINT resources. This deep hands-on exploration and experimentation helps us better understand the threats our customers face and can reveal unique insights and nuances that unlock more effective protection.

In this case, we discovered some aspects of Zerologon exploitation that we haven’t seen published elsewhere, and this insight is what allowed us to develop a uniquely powerful detection capability.

We’ve written elsewhere how important our people are to what we do at eSentire—and that’s because it’s true. Few security companies in the world can bring to bear the same number and caliber of security researchers as we can, and this collection of SOC analysts, threat hunters and security researchers are what allow us to consistently discover and contain even the most sophisticated threats.

It’s a differentiator we’re proud of and—more importantly—it’s one that makes a meaningful difference for our customers.

View Most Recent Blogs
eSentire Threat Response Unit (TRU)
eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.