Name:Detect Windows DNS SIGRed via Zeek id:c5c622e4-d073-11ea-87d0-0242ac130003 version:5 date:2024-10-17 author:Shannon Davis, Splunk status:experimental type:TTP Description:The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial. Data_source:
search:| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id | rename DNS.flow_id as flow_id | append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id] | `detect_windows_dns_sigred_via_zeek_filter` | stats count by flow_id | where count>1 | fields - count
how_to_implement:You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format. We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json. The Network Resolution and Network Traffic datamodels are in use for this search. known_false_positives:unknown References: drilldown_searches:
: tags: analytic_story: - 'Windows DNS SIGRed CVE-2020-1350' asset_type:Endpoint confidence:50 cve: - 'CVE-2020-1350' impact:50 message:tbd mitre_attack_id: - 'T1203' observable: name:'flow_id' type:'Other' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'DNS.query_type' - 'DNS.flow_id' - 'All_Traffic.bytes_in' - 'All_Traffic.flow_id' risk_score:25 security_domain:endpoint
