December 3rd, 2024
Defender Fridays Wrap-Up: November 2024
Nicole Boyd
Exploitation Walkthrough: ESC15/EKUwu with Justin Bollinger from TrustedSec
Justin Bollinger from TrustedSec discussed his discovery of ADCS ESC15 (CVE-2024-49019), also known as EKUwu, a vulnerability affecting version 1 certificate templates in Active Directory Certificate Services. The vulnerability, found in about 80% of tested environments, enables attackers to request certificates with arbitrary properties and potentially impersonate administrators. Bollinger emphasized that organizations can mitigate the vulnerability by cloning affected version 1 templates to version 2. He recommended implementing ADCS honeypots for detection, given that 75% of the Domain Admin compromises TrustedSec has observed involve ADCS-related attacks.
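As an added example (not code from the talk or from TrustedSec), the following PowerShell enumerates the version 1 certificate templates in a forest and shows which CAs still publish each one, so a defender can see which templates need the clone-to-version-2 treatment the talk recommends. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the Configuration partition.

```powershell
# Added example: list schema-version-1 (version 1) certificate templates and the
# CAs that publish them. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# Build a map of template name -> CAs that publish it. Each CA is a
# pKIEnrollmentService object whose certificateTemplates attribute lists
# the template names it offers for enrollment.
$published = @{}
Get-ADObject -SearchBase "CN=Enrollment Services,$pkiBase" `
    -LDAPFilter '(objectClass=pKIEnrollmentService)' `
    -Properties certificateTemplates |
    ForEach-Object {
        $ca = $_.Name
        foreach ($t in $_.certificateTemplates) {
            if (-not $published.ContainsKey($t)) { $published[$t] = @() }
            $published[$t] += $ca
        }
    }

# Version 1 templates carry msPKI-Template-Schema-Version = 1; these are the
# ones the talk describes as affected by ESC15/EKUwu.
Get-ADObject -SearchBase "CN=Certificate Templates,$pkiBase" `
    -LDAPFilter '(&(objectClass=pKICertificateTemplate)(msPKI-Template-Schema-Version=1))' `
    -Properties displayName, 'msPKI-Template-Schema-Version' |
    ForEach-Object {
        $cas = if ($published.ContainsKey($_.Name)) { $published[$_.Name] -join ', ' }
               else { '(not published)' }
        [pscustomobject]@{
            Template    = $_.Name
            DisplayName = $_.displayName
            PublishedOn = $cas
        }
    } | Sort-Object PublishedOn -Descending | Format-Table -AutoSize
```

Templates that show up as published are the ones to prioritize: once a version 2 clone is published in their place, remove the version 1 original from the listed CAs so it can no longer be enrolled.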
Exploring Browser Extensions with John Tuckner of Secure Annex
John Tuckner of Secure Annex joined Defender Fridays to discuss the security risks of browser extensions, demonstrating how they can capture screenshots, steal authentication cookies, and bypass security controls like passkeys. Tuckner introduced Secure Annex, a new tool that analyzes Chrome extensions to provide visibility into their code, behavior and potential risks. He highlighted how malicious actors, including North Korea, have used browser extensions to target researchers, and discussed how legitimate extensions can be bought from developers for malicious purposes.
SOC it to 'Em: Shifting from Reactivity to Proactivity in Sec Ops with Jessica Hebenstreit from IANS
Jessica Hebenstreit, Faculty Member at IANS, participated in Defender Fridays to discuss transitioning from reactive to proactive security operations. She emphasized that proactive security requires business buy-in and investment, proper metrics beyond "vanity metrics," and strategic cyber threat intelligence focused on understanding adversary TTPs rather than just IoCs. Hebenstreit also discussed how AI can assist with tasks like beacon detection and pattern analysis, while noting that successful transition requires both proper planning and addressing alert fatigue through improved detection engineering.
Scoping Telemetry for Defender Needs with Jonathan Johnson of Huntress
Jonathan Johnson was our weekly Defender Fridays speaker, discussing how to prioritize security telemetry collection. He emphasized focusing on four key MITRE ATT&CK tactics - credential access, privilege escalation, persistence, and lateral movement - as these drive most attacks, including ransomware. Johnson differentiated between primary telemetry sources needed for detection and secondary sources that provide context, using LSASS dumping detection as an example of evolving telemetry capabilities. He recommended organizations use two detection pipelines - one for production and another for testing new telemetry - and emphasized regularly reviewing available data sources as Windows adds new logging capabilities.