Try in Splunk Security Cloud

Description

Uncover activity consistent with CVE-2020-1350, or SIGRed. Discovered by Checkpoint researchers, this vulnerability affects Windows 2003 to 2019, and is triggered by a malicious DNS response (only affects DNS over TCP). An attacker can use the malicious payload to cause a buffer overflow on the vulnerable system, leading to compromise. The included searches in this Analytic Story are designed to identify the large response payload for SIG and KEY DNS records which can be used for the exploit.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Network_Resolution, Network_Traffic
  • Last Updated: 2020-07-28
  • Author: Shannon Davis, Splunk
  • ID: 36dbb206-d073-11ea-87d0-0242ac130003

Narrative

When a client requests a DNS record for a particular domain, that request gets routed first through the client’s locally configured DNS server, then to any DNS server(s) configured as forwarders, and then onto the target domain’s own DNS server(s). If a attacker wanted to, they could host a malicious DNS server that responds to the initial request with a specially crafted large response (~65KB). This response would flow through to the client’s local DNS server, which if not patched for CVE-2020-1350, would cause the buffer overflow. The detection searches in this Analytic Story use wire data to detect the malicious behavior. Searches for Splunk Stream and Zeek are included. The Splunk Stream search correlates across stream:dns and stream:tcp, while the Zeek search correlates across bro:dns:json and bro:conn:json. These correlations are required to pick up both the DNS record types (SIG and KEY) along with the payload size (>65KB).

Detections

Name Technique Type
Detect Windows DNS SIGRed via Splunk Stream Exploitation for Client Execution TTP
Detect Windows DNS SIGRed via Zeek Exploitation for Client Execution TTP

Reference

source | version: 1