Terrance DeJesus
b8ae2218f8
* add beats compatability to NPC rules * added filebeat compatibility to 'Accepted Default Telnet Port Connection' * added filebeat compatibility to 'Cobalt Strike Command and Control Beacon' * added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate' * added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet' * added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior' * added filebeat compatibility to 'Halfbaked Command and Control Beacon' * added filebeat compatibility to 'IPSEC NAT Traversal Port Activity' * added filebeat compatibility to 'SMTP on Port 26/TCP' * added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet' * added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet' * added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet' * added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet' * added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet' * added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet' * removed extra space in query * added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node' * added filebeat compatibility to 'Abnormally Large DNS Response' * fixed missing ending parenthesis * added auditbeat to compatible rules * addressed feedback * removed filebeat and auditbeat due to incompatibility * Update rules/network/command_and_control_cobalt_strike_beacon.toml * Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
95 lines
5.2 KiB
TOML
95 lines
5.2 KiB
TOML
[metadata]
|
||
creation_date = "2020/07/16"
|
||
integration = ["network_traffic"]
|
||
maturity = "production"
|
||
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
||
min_stack_version = "8.3.0"
|
||
updated_date = "2023/08/01"
|
||
|
||
[rule]
|
||
author = ["Elastic"]
|
||
description = """
|
||
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in
|
||
Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
|
||
"""
|
||
false_positives = [
|
||
"""
|
||
Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is
|
||
predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an
|
||
authorized vulnerability scan or compromise assessment.
|
||
""",
|
||
]
|
||
index = ["packetbeat-*", "filebeat-*", "logs-network_traffic.*"]
|
||
language = "kuery"
|
||
license = "Elastic License v2"
|
||
name = "Abnormally Large DNS Response"
|
||
note = """## Triage and analysis
|
||
|
||
### Investigating Abnormally Large DNS Response
|
||
|
||
Detection alerts from this rule indicate possible anomalous activity around large byte DNS responses from a Windows DNS server. This detection rule was created based on activity represented in exploitation of vulnerability (CVE-2020-1350) also known as [SigRed](https://www.elastic.co/blog/detection-rules-for-sigred-vulnerability) during July 2020.
|
||
|
||
#### Possible investigation steps
|
||
|
||
- This specific rule is sourced from network log activity such as DNS or network level data. It's important to validate the source of the incoming traffic and determine if this activity has been observed previously within an environment.
|
||
- Activity can be further investigated and validated by reviewing any associated Intrusion Detection Signatures (IDS) alerts.
|
||
- Further examination can include a review of the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
|
||
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale internet vulnerability scanning.
|
||
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment.
|
||
|
||
#### False positive analysis
|
||
|
||
- Based on this rule, which looks for a threshold of 60k bytes, it is possible for activity to be generated under 65k bytes and related to legitimate behavior. In packet capture files received by the [SANS Internet Storm Center](https://isc.sans.edu/forums/diary/PATCH+NOW+SIGRed+CVE20201350+Microsoft+DNS+Server+Vulnerability/26356/), byte responses were all observed as greater than 65k bytes.
|
||
- This activity can be triggered by compliance/vulnerability scanning or compromise assessment; it's important to determine the source of the activity and potentially allowlist the source host.
|
||
|
||
### Related rules
|
||
|
||
- Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45
|
||
- Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9
|
||
|
||
### Response and remediation
|
||
|
||
- Initiate the incident response process based on the outcome of the triage.
|
||
- Ensure that you have deployed the latest Microsoft [Security Update](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350) (Monthly Rollup or Security Only) and restarted the patched machines. If unable to patch immediately, Microsoft [released](https://support.microsoft.com/en-us/help/4569509/windows-dns-server-remote-code-execution-vulnerability) a registry-based workaround that doesn’t require a restart. This can be used as a temporary solution before the patch is applied.
|
||
- Maintain backups of your critical systems to aid in quick recovery.
|
||
- Perform routine vulnerability scans of your systems, monitor [CISA advisories](https://us-cert.cisa.gov/ncas/current-activity) and patch identified vulnerabilities.
|
||
- If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.
|
||
"""
|
||
references = [
|
||
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
|
||
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
|
||
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
|
||
"https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
|
||
]
|
||
risk_score = 47
|
||
rule_id = "11013227-0301-4a8c-b150-4db924484475"
|
||
severity = "medium"
|
||
tags = [
|
||
"Use Case: Threat Detection",
|
||
"Tactic: Lateral Movement",
|
||
"Resources: Investigation Guide",
|
||
"Use Case: Vulnerability",
|
||
]
|
||
timestamp_override = "event.ingested"
|
||
type = "query"
|
||
|
||
query = '''
|
||
(event.dataset: network_traffic.dns or (event.category: (network or network_traffic) and destination.port: 53)) and
|
||
(event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
|
||
'''
|
||
|
||
|
||
[[rule.threat]]
|
||
framework = "MITRE ATT&CK"
|
||
[[rule.threat.technique]]
|
||
id = "T1210"
|
||
name = "Exploitation of Remote Services"
|
||
reference = "https://attack.mitre.org/techniques/T1210/"
|
||
|
||
|
||
[rule.threat.tactic]
|
||
id = "TA0008"
|
||
name = "Lateral Movement"
|
||
reference = "https://attack.mitre.org/tactics/TA0008/"
|
||
|