CVE-2020-1350 – SigRed – Monitoring By SIEM

SIEM Content Packages For CVE-2020-1350 – SigRed By Cyray

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” (Check Point)

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

 

To successfully exploit the vulnerability, researchers used DNS name compression in DNS response to increasing the size of the allocation by a large amount.

image

Recommendations:

In July 2020, Microsoft released patches for the vulnerability.

We strongly recommend users to patch their Windows DNS Servers in order to prevent the exploitation of this vulnerability.

Link to the MSRC library for downloading the KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

 

Download:

Our packages are available on the following links.

We are regularly updating the package with new resources to enrich the SIEM detection methods for this attack.

Download from GitHub:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2020-1350_SigRed

 

Or download from this site:

ArcSight:

https://www.cybersiem.com/download/sigred-arcsight

Requirements:

Collection for any on these event types:

  • DNS Debug Log
  • Firewall Logs – Bytes-in value is needed

 

QRadar:

https://www.cybersiem.com/download/sigred-qradar

Requirements:

  • DNS Debug Log

 

ArcSight Package Overview:

We’ve created an ArcSight package that detects suspicious DNS requests over the FW and the DNS debug log.

The Package recognizes large DNS response packets over TCP protocol.

 

 

QRadar Package Overview:

Rule:

Action: Dispatch New Event

 

Search:

 

 

Custom Properties:

 

 

Important These packages will work properly in optimized environments only. Make sure the event collection is configured properly – without any data loss or delays.

You are welcome to contact us for any further details.

 

Emily Dubnik – [email protected]

Yarin Zaddik – [email protected]

Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]

 

 

 

idoh
Author
idoh
Share This Story, Choose Your Platform
You Might Also Like
“It’s good to be the king” – is that so?
Best practices
“It’s good to be the king” – is that so?
How to use a grid field In this post, our SOAR expert, Mr.Ben Aviv, will demonstrate how to use a grid field in XSOAR (Demisto).
3
242
0
How to use a Grid Field​
SOAR
How to use a Grid Field​
How to use a grid field In this post, our SOAR expert, Mr.Ben Aviv, will demonstrate how to use a grid field in XSOAR (Demisto).
3
439
0
Remote Code Execution Vulnerability CVE-2021-40444
SIEM system
Remote Code Execution Vulnerability CVE-2021-40444
About CVE-2021-40444 Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows.
2
540
0

Time to market

One-day SIEM integration

Learn more