Detection: Detect Windows DNS SIGRed via Splunk Stream

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Description

The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.

 1`stream_dns` 
 2| spath "query_type{}" 
 3| search "query_type{}" IN (SIG,KEY) 
 4| spath protocol_stack 
 5| search protocol_stack="ip:tcp:dns" 
 6| append [search `stream_tcp` bytes_out>65000] 
 7| `detect_windows_dns_sigred_via_splunk_stream_filter` 
 8| stats count by flow_id 
 9| where count>1 
10| fields - count

Data Source

Name Platform Sourcetype Source Supported App
N/A N/A N/A N/A N/A

Macros Used

Name Value
stream_dns sourcetype=stream:dns
detect_windows_dns_sigred_via_splunk_stream_filter search *
detect_windows_dns_sigred_via_splunk_stream_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK
+ Kill Chain Phases
+ NIST
+ CIS
- Threat Actors
ID Technique Tactic
T1203 Exploitation for Client Execution Execution
KillChainPhase.INSTALLATION
NistCategory.DE_CM
Cis18Value.CIS_13
APT12
APT28
APT29
APT3
APT32
APT33
APT37
APT41
Andariel
Aoqin Dragon
Axiom
BITTER
BRONZE BUTLER
BlackTech
Cobalt Group
Confucius
Darkhotel
Dragonfly
EXOTIC LILY
Elderwood
Ember Bear
Higaisa
Inception
Lazarus Group
Leviathan
MuddyWater
Mustang Panda
Patchwork
Sandworm Team
Sidewinder
TA459
The White Company
Threat Group-3390
Tonto Team
Transparent Tribe
Tropic Trooper
admin@338

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Notable Yes
Rule Title %name%
Rule Description %description%
Notable Event Fields user, dest
Creates Risk Event True
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.

Implementation

You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp. Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.

Known False Positives

unknown

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message Risk Score Impact Confidence
tbd 25 50 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Detection Testing

Test Type Status Dataset Source Sourcetype
Validation Not Applicable N/A N/A N/A
Unit ❌ Failing N/A N/A N/A
Integration ❌ Failing N/A N/A N/A

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range


Source: GitHub | Version: 3