name: Detect Windows DNS SIGRed via Splunk Stream
id: babd8d10-d073-11ea-87d0-0242ac130003
version: 4
date: '2024-10-17'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical, wormable vulnerability that allows remote code execution on the DNS server. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.
data_source:
how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP data. The analytic detects SIG and KEY records via the stream:dns sourcetype and TCP payloads over 65KB in size via the stream:tcp sourcetype. Replace the stream:dns and stream:tcp definitions (macros or sourcetypes) with the ones that match your Splunk environment.
known_false_positives: unknown
references:
drilldown_searches:
tags:
  analytic_story:
  - Windows DNS SIGRed CVE-2020-1350
  asset_type: Endpoint
  confidence: 50
  cve:
  - CVE-2020-1350
  impact: 50
  message: tbd
  mitre_attack_id:
  - T1203
  observable:
  - name: flow_id
    type: Other
    role:
    - Victim
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  risk_score: 25
  security_domain: network
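The two conditions described under how_to_implement (SIG/KEY record types in stream:dns, and a TCP payload over 65KB in stream:tcp) can be checked outside Splunk for testing. The following is an added example written for this page, not the analytic's own SPL and not code from Splunk. It assumes Splunk Stream-style field names (`flow_id`, `query_type`, `src_port`, `dest_port`, `bytes_in`, `bytes_out`) and the sample events are constructed, not captured traffic. It goes one step beyond the page by also intersecting the two conditions on `flow_id`, the observable the analytic reports, so an analyst can separate flows that satisfy both from flows that satisfy only one.

```python
# Added example (not the detection's SPL). Field names below are assumed
# Splunk Stream field names; adjust them to match your environment.

DNS_SIG_TYPES = {"SIG", "KEY"}       # record types named in how_to_implement
TCP_PAYLOAD_THRESHOLD = 65 * 1024    # "TCP payload over 65KB"
DNS_PORT = 53


def dns_sig_key_flows(dns_events):
    """flow_ids of stream:dns events whose query type is SIG or KEY."""
    return {
        e["flow_id"]
        for e in dns_events
        if str(e.get("query_type", "")).upper() in DNS_SIG_TYPES
    }


def oversized_dns_tcp_flows(tcp_events):
    """flow_ids of stream:tcp flows on port 53 whose payload in either
    direction exceeds TCP_PAYLOAD_THRESHOLD bytes (assumed direction fields)."""
    flagged = set()
    for e in tcp_events:
        on_dns_port = DNS_PORT in (e.get("src_port"), e.get("dest_port"))
        payload = max(int(e.get("bytes_in", 0)), int(e.get("bytes_out", 0)))
        if on_dns_port and payload > TCP_PAYLOAD_THRESHOLD:
            flagged.add(e["flow_id"])
    return flagged


def sigred_alerts(dns_events, tcp_events):
    """Run both checks and correlate them on flow_id (the analytic's observable)."""
    sig = dns_sig_key_flows(dns_events)
    big = oversized_dns_tcp_flows(tcp_events)
    return {
        "dns_sig_key": sorted(sig),      # condition 1 only
        "tcp_oversized": sorted(big),    # condition 2 only
        "correlated": sorted(sig & big),  # both on the same flow: highest priority
    }


# Constructed sample events (not real captures).
SAMPLE_DNS = [
    {"flow_id": "f1", "query_type": "A",   "transport": "udp"},
    {"flow_id": "f2", "query_type": "SIG", "transport": "tcp"},
    {"flow_id": "f3", "query_type": "KEY", "transport": "tcp"},
    {"flow_id": "f4", "query_type": "TXT", "transport": "udp"},
]

SAMPLE_TCP = [
    {"flow_id": "f2", "dest_port": 53,  "src_port": 51000, "bytes_in": 70000, "bytes_out": 900},
    {"flow_id": "f3", "dest_port": 53,  "src_port": 51001, "bytes_in": 1200,  "bytes_out": 800},
    {"flow_id": "f5", "dest_port": 52000, "src_port": 53,  "bytes_in": 500,   "bytes_out": 80000},
    {"flow_id": "f6", "dest_port": 443, "src_port": 51002, "bytes_in": 120000, "bytes_out": 3000},
]


if __name__ == "__main__":
    for key, flows in sigred_alerts(SAMPLE_DNS, SAMPLE_TCP).items():
        print(f"{key}: {flows}")
```

Flow f2 appears in both sets, which is the case an analyst should look at first; f6 is a large non-DNS transfer and is ignored, matching the port-53 scoping the stream:tcp search should carry.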