Windows DNS server vulnerability (CVE-2020-1350) rules (#69)
@@ -238,7 +238,12 @@ class Rule(object):
|
||||
tactic = schema_prompt('mitre tactic name', type='string', enum=TACTICS, required=True)
|
||||
technique_ids = schema_prompt(f'technique IDs for {tactic}', type='array', required=True,
|
||||
enum=list(technique_lookup))
|
||||
threat_map.append(build_threat_map_entry(tactic, *technique_ids))
|
||||
|
||||
try:
|
||||
threat_map.append(build_threat_map_entry(tactic, *technique_ids))
|
||||
except KeyError as e:
|
||||
click.secho(f'Unknown ID: {e.args[0]}')
|
||||
continue
|
||||
|
||||
if len(threat_map) > 0:
|
||||
contents[name] = threat_map
|
||||
|
||||
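Review bot: The new except branch discards the whole tactic entry on a single unknown ID — `continue` skips the append, so the valid technique IDs entered alongside the bad one are lost and the user has to redo the tactic; dropping only the offending ID (or re-prompting) would be friendlier. The message is also printed to stdout with no colour, so it is easy to miss between prompts: `click.secho(f'Unknown ID: {e.args[0]}', fg='red', err=True)`. Any KeyError raised inside build_threat_map_entry, not just a missing technique ID, will be reported as "Unknown ID", so either the try body should be narrowed or it should be confirmed that the lookup is the only KeyError source. The enclosing method starts and ends outside the hunk, so the loop that `continue` targets is not visible here.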
@@ -0,0 +1,59 @@
|
||||
[metadata]
|
||||
creation_date = "2020/07/16"
|
||||
ecs_version = ["1.5.0"]
|
||||
maturity = "production"
|
||||
updated_date = "2020/07/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which
|
||||
may indicate activity related to remote code execution or other forms of exploitation.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low
|
||||
occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe
|
||||
to spawn.
|
||||
""",
|
||||
]
|
||||
index = ["winlogbeat-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Unusual Child Process of dns.exe"
|
||||
note = """### Investigating Unusual Child Process
|
||||
Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
|
||||
- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).
|
||||
- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.
|
||||
- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.
|
||||
- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint."""
|
||||
references = [
|
||||
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
|
||||
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
|
||||
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Windows"]
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.category:process and event.type:start and
|
||||
process.parent.name:dns.exe and
|
||||
not process.name:conhost.exe
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1133"
|
||||
name = "External Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1133/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
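Review bot: The ATT&CK block at the end of the file pairs technique T1133 (External Remote Services) with tactic TA0002 (Execution); in ATT&CK that technique belongs to Initial Access and Persistence, so the tactic/technique pairing looks inconsistent and should be checked against the technique lookup the CLI uses — the same mapping appears in the dns.exe file-modification rule in this commit. For the query, `process.parent.name:dns.exe` matches any parent binary with that name; if the winlogbeat/Sysmon source populates it, a `process.parent.executable` constraint on the service binary path would tie the rule to the DNS Server process rather than any similarly named executable. `not process.name:conhost.exe` is the only exclusion while the false_positives text calls out werfault.exe; if leaving werfault.exe in scope is deliberate (a crash is itself a DoS indicator), saying so in the note makes the choice explicit for tuners.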
@@ -0,0 +1,48 @@
|
||||
[metadata]
|
||||
creation_date = "2020/07/16"
|
||||
ecs_version = ["1.5.0"]
|
||||
maturity = "production"
|
||||
updated_date = "2020/07/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
|
||||
may indicate activity related to remote code execution or other forms of exploitation.
|
||||
"""
|
||||
index = ["winlogbeat-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Unusual File Modification by dns.exe"
|
||||
note = """### Investigating Unusual File Write
|
||||
Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
|
||||
- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
|
||||
- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care."""
|
||||
references = [
|
||||
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
|
||||
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
|
||||
]
|
||||
risk_score = 73
|
||||
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
|
||||
severity = "high"
|
||||
tags = ["Elastic", "Windows"]
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.category:file and process.name:dns.exe and
|
||||
not file.name:dns.log
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1133"
|
||||
name = "External Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1133/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
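Review bot: The query `event.category:file and process.name:dns.exe and not file.name:dns.log` has no `event.type` constraint, so it fires on any file event attributed to dns.exe, not only modifications as the description and note state; adding `event.type:(creation or change)`, or whichever types the winlogbeat source emits, would align the logic with the text. The exclusion is by bare file name, so a file named dns.log written anywhere is exempt while dns.exe's own legitimate writes to its data directory (zone files, backups) are not; an exclusion on the path rather than the name would be both tighter and less noisy, though which file events the agent surfaces for those writes should be confirmed. The T1133/TA0002 tactic pairing here is the same issue raised on the child-process rule.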
@@ -0,0 +1,58 @@
|
||||
[metadata]
|
||||
creation_date = "2020/07/16"
|
||||
ecs_version = ["1.5.0"]
|
||||
maturity = "production"
|
||||
updated_date = "2020/07/16"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in
|
||||
Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
|
||||
"""
|
||||
false_positives = [
|
||||
"""
|
||||
Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is
|
||||
predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an
|
||||
authorized vulnerability scan or compromise assessment.
|
||||
""",
|
||||
]
|
||||
index = ["packetbeat-*", "filebeat-*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License"
|
||||
name = "Abnormally Large DNS Request"
|
||||
note = """### Investigating Large DNS Responses
|
||||
Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
|
||||
- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
|
||||
- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
|
||||
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
|
||||
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment."""
|
||||
references = [
|
||||
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
|
||||
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
|
||||
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "11013227-0301-4a8c-b150-4db924484475"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Network", "Windows"]
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.category:(network or network_traffic) and destination.port:53 and
|
||||
(event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
[[rule.threat.technique]]
|
||||
id = "T1210"
|
||||
name = "Exploitation of Remote Services"
|
||||
reference = "https://attack.mitre.org/techniques/T1210/"
|
||||
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0008"
|
||||
name = "Lateral Movement"
|
||||
reference = "https://attack.mitre.org/tactics/TA0008/"
|
||||
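Review bot: The rule is named "Abnormally Large DNS Request" while the note heading and false_positives text describe large DNS responses, and the query thresholds `network.bytes`, which is the connection total in both directions, so name, text and logic describe three slightly different things; aligning them — "Abnormally Large DNS Response" matches the mechanism the references describe — would avoid confusing analysts during triage. `type:dns` is not an ECS field (it appears to be the legacy Packetbeat document type), so it is worth either documenting why it is kept or replacing it with the `event.dataset` equivalent if all supported beat versions populate ECS. `destination.port:53` with no transport filter is fine in practice, since only TCP can carry 60k bytes, but stating that assumption in the note would help readers tuning the threshold.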