security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e897a6760429ea46da15ebbca1609b62fd37fee9
sigma-rules/rules/windows/lateral_movement_dns_server_overflow.toml
T
Justin Ibarra 6ef5c53b0c Cleanup note field in rules (#1194) 
* standardize usage of note field
2021-05-10 13:40:56 -08:00

62 lines
2.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/07/16"
maturity = "production"
updated_date = "2021/05/10"
[rule]
author = ["Elastic"]
description = """
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in
Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
"""
false_positives = [
"""
Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is
predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an
authorized vulnerability scan or compromise assessment.
""",
]
index = ["packetbeat-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Abnormally Large DNS Response"
note = """## Triage and analysis
### Investigating Large DNS Responses
Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment."""
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
]
risk_score = 47
rule_id = "11013227-0301-4a8c-b150-4db924484475"
severity = "medium"
tags = ["Elastic", "Network", "Threat Detection", "Lateral Movement"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.category:(network or network_traffic) and destination.port:53 and
(event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
Reference in New Issue View Git Blame Copy Permalink