CVE-2020-1350 – SigRed – Monitoring By SIEM

SIEM Content Packages For CVE-2020-1350 – SigRed By Cyray

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” (Check Point)

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

 

To successfully exploit the vulnerability, researchers used DNS name compression in DNS response to increasing the size of the allocation by a large amount.

image

Recommendations:

In July 2020, Microsoft released patches for the vulnerability.

We strongly recommend users to patch their Windows DNS Servers in order to prevent the exploitation of this vulnerability.

Link to the MSRC library for downloading the KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

 

Download:

Our packages are available on the following links.

We are regularly updating the package with new resources to enrich the SIEM detection methods for this attack.

Download from GitHub:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2020-1350_SigRed

 

Or download from this site:

ArcSight:

https://www.cybersiem.com/download/sigred-arcsight

Requirements:

Collection for any on these event types:

  • DNS Debug Log
  • Firewall Logs – Bytes-in value is needed

 

QRadar:

https://www.cybersiem.com/download/sigred-qradar

Requirements:

  • DNS Debug Log

 

ArcSight Package Overview:

We’ve created an ArcSight package that detects suspicious DNS requests over the FW and the DNS debug log.

The Package recognizes large DNS response packets over TCP protocol.

 

 

QRadar Package Overview:

Rule:

Action: Dispatch New Event

 

Search:

 

 

Custom Properties:

 

 


Important These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.

You are welcome to contact us for any further details.


 

Emily Dubnik – emily@cyray.com

Yarin Zaddik – yarin@cyray.com

Maayan Shlomo – maayan@cyray.com

Michael Vashinsky – michaelv@cyray.com

 

 

 

 marat
Author
marat
Share This Story, Choose Your Platform