SIEM Content Packages For CVE-2020-1350 – SigRed By Cyray
“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” (Check Point)
To successfully exploit the vulnerability, researchers used DNS name compression in a DNS response to increase the size of the allocation by a large amount.
In July 2020, Microsoft released patches for the vulnerability.
We strongly recommend that users patch their Windows DNS servers in order to prevent exploitation of this vulnerability.
Link to the MSRC library for downloading the KB:
Our packages are available on the following links.
We are regularly updating the package with new resources to enrich the SIEM detection methods for this attack.
Download from GitHub:
Or download from this site:
Collection of any of these event types:
- DNS Debug Log
- Firewall Logs – Bytes-in value is needed
ArcSight Package Overview:
We’ve created an ArcSight package that detects suspicious DNS responses using the firewall logs and the DNS debug log.
The package flags large DNS response packets delivered over the TCP protocol.
QRadar Package Overview:
Action: Dispatch New Event
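As an added example (not code from the packages or from the original page), the following Python script shows the correlation logic that both package overviews describe: the Windows DNS debug log identifies responses the DNS server received over TCP, and the firewall record supplies the size through its bytes-in field, which the debug log line itself does not carry (hence the note above that the bytes-in value is needed). The log lines, the key=value firewall format and the 65,000-byte threshold are constructed assumptions for the illustration, not values from the page.

```python
import re

# Assumed threshold (not from the page): a DNS response delivered over TCP that is
# larger than this is unusual enough to alert on. Tune it to your environment.
LARGE_RESPONSE_BYTES = 65_000

# Layout of a Windows DNS debug log line (without the "details" option):
# date time threadId context internalPacketId UDP|TCP Snd|Rcv remoteIp xid [R] opcode [flags] qtype name
DNS_DEBUG_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<tid>[0-9A-F]+)\s+PACKET\s+"
    r"(?P<pkt>[0-9A-F]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+"
    r"(?P<xid>[0-9a-f]+)\s+(?:(?P<resp>R)\s+)?(?P<opcode>\S+)\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)$"
)

# Constructed DNS debug log sample: a client query, a large TCP response received from an
# external peer, a normal UDP response, and the server's own TCP answer back to the client.
DNS_DEBUG_SAMPLE = [
    "7/16/2020 9:02:11 AM 0B40 PACKET  000001D2C8B3A5E0 UDP Rcv 10.0.0.23        5c1a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)",
    "7/16/2020 9:02:12 AM 0B40 PACKET  000001D2C8B3A5E0 TCP Rcv 203.0.113.9      a41f R Q [8081   DR  NOERROR] SIG    (4)test(7)example(0)",
    "7/16/2020 9:02:12 AM 0B40 PACKET  000001D2C8B3A5E0 UDP Rcv 198.51.100.7     77a0 R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)",
    "7/16/2020 9:02:13 AM 0B40 PACKET  000001D2C8B3A5E0 TCP Snd 10.0.0.23        5c1a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)",
]

# Constructed firewall sample in a simple key=value form. bytes_in is assumed to be the
# bytes returned to the internal initiator (the DNS server at 10.0.0.5).
FW_SAMPLE = [
    "ts=2020-07-16T09:02:12Z src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=53 bytes_in=70212 bytes_out=88",
    "ts=2020-07-16T09:02:12Z src=10.0.0.5 dst=198.51.100.7 proto=udp dport=53 bytes_in=130 bytes_out=62",
    "ts=2020-07-16T09:02:15Z src=10.0.0.5 dst=192.0.2.44 proto=tcp dport=53 bytes_in=1800 bytes_out=70",
    "ts=2020-07-16T09:02:20Z src=10.0.0.5 dst=192.0.2.80 proto=tcp dport=443 bytes_in=900000 bytes_out=4100",
]


def parse_kv(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def large_tcp_dns_flows(fw_lines, threshold=LARGE_RESPONSE_BYTES):
    """Firewall flows to TCP/53 whose inbound byte count exceeds the threshold."""
    hits = []
    for line in fw_lines:
        rec = parse_kv(line)
        if (rec.get("proto") == "tcp" and rec.get("dport") == "53"
                and int(rec.get("bytes_in", 0)) > threshold):
            hits.append(rec)
    return hits


def tcp_responses_received(debug_lines):
    """DNS debug log records where the server *received* a response (R) over TCP."""
    hits = []
    for line in debug_lines:
        m = DNS_DEBUG_RE.match(line)
        if m and m["proto"] == "TCP" and m["dir"] == "Rcv" and m["resp"] == "R":
            hits.append(m.groupdict())
    return hits


def correlate(fw_hits, dns_hits):
    """Keep only large TCP/53 flows whose remote peer also sent a TCP response per the debug log."""
    peers = {h["remote"] for h in dns_hits}
    return [flow for flow in fw_hits if flow["dst"] in peers]


def detect(fw_lines, debug_lines, threshold=LARGE_RESPONSE_BYTES):
    """End-to-end: size from the firewall, protocol/direction from the DNS debug log."""
    return correlate(large_tcp_dns_flows(fw_lines, threshold), tcp_responses_received(debug_lines))


if __name__ == "__main__":
    for alert in detect(FW_SAMPLE, DNS_DEBUG_SAMPLE):
        print("large TCP DNS response from", alert["dst"], "bytes_in", alert["bytes_in"])
```

In the sample, only the 70,212-byte flow from 203.0.113.9 survives both filters: the 900,000-byte flow is not DNS, the 1,800-byte TCP flow is below the threshold, and the 198.51.100.7 response arrived over UDP. The join on the remote peer is deliberately loose; a production rule would also bound the time window between the two events, which is why the note above about collection without delays matters.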
Important – These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.
You are welcome to contact us for any further details.
Emily Dubnik – email@example.com
Yarin Zaddik – firstname.lastname@example.org
Maayan Shlomo – email@example.com
Michael Vashinsky – firstname.lastname@example.org