Detecting ZeroLogon Exploits with AI and No Signatures

September 22, 2020
Stephen Malone
Senior Product Manager

Fast-moving critical vulnerabilities and zero-days expose the weakness of legacy cybersecurity products that rely on signatures to match threats. Signatures are useful for providing continued protection against known and historic threats, but they can do little against a new threat until the vulnerability is found by security researchers and a new signature is written. Exploitable vulnerabilities can exist for years before security research finds them, leaving you exposed and vulnerable. For a vulnerability such as ZeroLogon, given the power and speed of the exploit, any delay in protection could see the end of your business.

Vectra, however, has a fundamentally different approach to cybersecurity. Vectra's attacker-behavior AI/ML models are designed to detect attack behavior regardless of the specific tools or signatures used in the attack. As such, Vectra AI customers already had substantial detection coverage for attack campaigns that might leverage this new vulnerability, even before the vulnerability was announced.

It has been a busy time for these legacy cybersecurity products as they scramble to create signatures and give their customers some level of protection against this exploit. Those new signatures will help, of course, but for some they will come too late, and it is only a matter of time before the exploits change slightly to circumvent these protections. In recent days we have seen many of our competitors (ExtraHop, CoreLight and Awake, for example) scrambling to release new ZeroLogon signatures after the vulnerability disclosure. What about before that? Was there any coverage? Are we to believe that vulnerabilities are only exploitable once disclosed by security research?

Vectra AI/ML Models for ZeroLogon Detection

To use this exploit successfully, the attacker needs to be on the local network. For external attackers, Cognito Detect would see command and control (C&C) from the compromised host in the form of External Remote Access, Hidden HTTP/HTTPS/DNS Tunnel, or Suspicious Relay. After exploitation of the vulnerability (by an external or an internal attacker) we would likely see DCSync, which is covered by RPC Targeted Recon. Once the attacker has gained admin access, our privileged access analytics (PAA) detections cover the use of that new access. Other models such as Suspicious Admin, Suspicious Remote Execution, and Suspicious Remote Desktop also provide coverage of lateral movement. RDP Recon and RPC Recon can be expected as external attackers find their way around the network.

Cognito Detect protects your business from emerging, zero-day and fast-moving threats by focusing on what does not change, namely attacker behavior, rather than on signatures that are reactive and easily bypassed.

Enhanced ZeroLogon Detection with the Vectra AI Platform

Detect's focus on finding attack behavior is a truly durable way to find attackers. The Vectra AI Platform supplements our detection capabilities by enabling deeper investigations and threat hunting. For the ZeroLogon vulnerability, we have published a new Recall dashboard (NetLogon Exploit Dashboard) to give you more visibility into attempts to leverage this vulnerability within your network.

Sample Dashboard in the Vectra AI Platform tracking potential cases of ZeroLogon

Understanding ZeroLogon Vulnerability

A maximum-severity CVE (ZeroLogon, CVE-2020-1472, CVSS 10) was recently reported. It enables an attacker to gain the master key to your network, Domain Admin credentials, incredibly quickly and easily, without requiring any privilege beyond the ability to send traffic to your network. The vulnerability is caused by a fault in how the Windows Server OS handles the NetLogon RPC protocol, which lets the attacker forge their identity in a password reset event and reset any password, including those of Domain Controller machine accounts.
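The behavioral angle described above (and the RPC-focused coverage in the detection section) can be illustrated without any exploit signature. Because the NetLogon flaw only lets an attacker succeed on a small fraction of attempts, an exploitation attempt shows up on the wire as a burst of secure-channel authentication calls from one host to a Domain Controller, followed shortly by a password-set call. The following is an added example, not Vectra's code or part of the original post: it scores per-host NetLogon call activity from a constructed, Zeek-style record set (the four-column log layout, the host addresses and the `window`/`threshold` values are assumptions chosen for the example; a real sensor's schema will differ). The operation names are the MS-NRPC method names as they appear in DCE/RPC decoders.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# MS-NRPC methods used to establish a secure channel, and to set a machine
# account password over that channel.
AUTH_OPS = {"NetrServerAuthenticate", "NetrServerAuthenticate2", "NetrServerAuthenticate3"}
PASSWORD_SET_OPS = {"NetrServerPasswordSet", "NetrServerPasswordSet2"}


@dataclass(frozen=True)
class Record:
    ts: float   # epoch seconds
    src: str    # client host
    dc: str     # domain controller
    op: str     # NetLogon RPC operation name


@dataclass
class Finding:
    src: str
    dc: str
    auth_attempts: int   # authenticate calls inside the densest window
    password_set: bool   # a password-set call followed the burst


def build_sample_log() -> str:
    """Constructed sample traffic (not real capture data): two hosts perform a
    normal secure-channel setup, and a third host (10.0.0.9) hammers the DC
    with 300 authentication attempts and then calls the password-set method."""
    lines = [
        "1600000000.000 10.0.0.5 10.0.0.1 NetrServerReqChallenge",
        "1600000000.050 10.0.0.5 10.0.0.1 NetrServerAuthenticate3",
        "1600000300.000 10.0.0.7 10.0.0.1 NetrServerReqChallenge",
        "1600000300.050 10.0.0.7 10.0.0.1 NetrServerAuthenticate3",
    ]
    t = 1600000600.0
    for _ in range(300):
        lines.append(f"{t:.3f} 10.0.0.9 10.0.0.1 NetrServerReqChallenge")
        lines.append(f"{t + 0.005:.3f} 10.0.0.9 10.0.0.1 NetrServerAuthenticate3")
        t += 0.010
    lines.append(f"{t + 0.5:.3f} 10.0.0.9 10.0.0.1 NetrServerPasswordSet2")
    return "\n".join(lines) + "\n"


def parse_log(text: str) -> list[Record]:
    """Parse whitespace-separated 'ts src dc op' lines; blank and '#' lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dc, op = line.split()
        records.append(Record(float(ts), src, dc, op))
    return records


def detect_netlogon_abuse(records: list[Record], window: float = 60.0,
                          threshold: int = 50) -> list[Finding]:
    """Flag (client, DC) pairs whose densest `window` seconds contain at least
    `threshold` authenticate calls, and note whether a password-set call
    occurred from the burst start until `window` seconds after its end."""
    auths: dict[tuple[str, str], list[float]] = defaultdict(list)
    pwsets: dict[tuple[str, str], list[float]] = defaultdict(list)
    for r in records:
        key = (r.src, r.dc)
        if r.op in AUTH_OPS:
            auths[key].append(r.ts)
        elif r.op in PASSWORD_SET_OPS:
            pwsets[key].append(r.ts)

    findings = []
    for key, times in auths.items():
        times.sort()
        best, start, best_span = 0, 0, (0.0, 0.0)
        # Sliding window over sorted timestamps: find the densest window.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (times[start], t)
        if best < threshold:
            continue
        followed = any(best_span[0] <= p <= best_span[1] + window
                       for p in pwsets.get(key, []))
        findings.append(Finding(key[0], key[1], best, followed))
    return findings


if __name__ == "__main__":
    for f in detect_netlogon_abuse(parse_log(build_sample_log())):
        print(f"{f.src} -> {f.dc}: {f.auth_attempts} auth attempts in window, "
              f"password set afterwards: {f.password_set}")
```

The two benign hosts each make a single authenticate call and are never reported; the threshold exists because legitimate machine accounts re-establish their secure channel rarely, not hundreds of times per minute. A burst alone is worth an alert; a burst followed by a password-set call against a Domain Controller's own machine account is the higher-priority case, since that is the step that hands over the DC.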

Microsoft has since patched the vulnerable versions of Windows Server; everyone is encouraged to apply these patches as soon as possible. Further information on the vulnerability can be found here, and information from Microsoft on impacted versions and patches can be found here.

If you’re ready to change your approach to detecting and responding to cyberattacks, and to get a closer look at how Recall can find attacker tools and exploits, schedule a demo with Vectra today.

FAQs

What is ZeroLogon?

ZeroLogon (CVE-2020-1472) is a critical vulnerability in Windows Netlogon that allows attackers to gain admin access.

What makes ZeroLogon particularly dangerous?

ZeroLogon is dangerous due to its ability to allow attackers to gain domain admin credentials without authentication.

What are the benefits of using AI for ZeroLogon detection?

AI provides proactive detection, faster response times, and the ability to identify new and evolving threats without signatures.

How does ZeroLogon exploit Windows Server?

ZeroLogon exploits a flaw in the Netlogon protocol, allowing attackers to forge authentication and reset passwords.

How does Vectra AI support ZeroLogon detection?

Vectra AI supports detection by providing continuous monitoring and analysis of network traffic data.

How does Vectra AI detect ZeroLogon exploits?

Vectra AI uses machine learning models to detect abnormal behaviors and network activity indicative of ZeroLogon exploits.

How can organizations protect against ZeroLogon?

Organizations should apply patches, monitor for unusual activity, and use advanced detection tools like Vectra AI.

How does Vectra Recall enhance threat detection?

Vectra Recall enables deeper investigation and threat hunting by providing detailed visibility into network traffic and anomalies.

Why is signature-less detection significant?

Signature-less detection is significant because it can identify threats based on behavior, not relying on predefined signatures.

What steps should be taken after detecting a ZeroLogon exploit?

After detection, isolate affected systems, apply patches, change passwords, and conduct a thorough investigation to prevent further exploits.