CVE-2020-1350 – SigRed – Monitoring By SIEM

SIEM Content Packages For CVE-2020-1350 – SigRed By CyberSIEM

“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” (Check Point)

https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/

To exploit the vulnerability, the researchers used DNS name compression in a DNS response to increase the size of the allocation by a large amount.
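The sentence above is the whole technical point of the bug: a compressed name occupies only a few wire bytes but expands to something much larger, so a parser that sizes its buffer from the wrong number gets into trouble. As an added illustration (not code from the Check Point research or from the CyberSIEM package), the Python below is a bounds-checked reader for RFC 1035 compressed names that sizes the expanded name, refuses forward or looping pointers, and enforces the 255-byte name limit. The sample messages, the `read_name` and `build_chain` helpers and the limits are assumptions constructed for this example.

```python
"""Added example: safe decoding of RFC 1035 compressed DNS names.

Not part of the original post. Sample messages are constructed; `read_name`
and `build_chain` are hypothetical helpers written for this illustration.
"""
import struct
from typing import Tuple

MAX_NAME_LEN = 255    # RFC 1035: a fully expanded name is at most 255 octets
MAX_LABEL_LEN = 63    # RFC 1035: a single label is at most 63 octets

# Constructed message: a plain name followed by two compressed names.
SAMPLE = (
    b"\x03www\x07example\x03com\x00"   # offset 0 : www.example.com. (17 wire bytes)
    b"\xc0\x04"                        # offset 17: 2 wire bytes -> example.com.
    b"\x04mail\xc0\x00"                # offset 19: 7 wire bytes -> mail.www.example.com.
)


def read_name(msg: bytes, offset: int) -> Tuple[str, int, int]:
    """Return (name, wire bytes consumed at `offset`, expanded length).

    Pointers must move strictly backwards, so every hop lowers `pos` and a
    looping or forward-pointing message raises instead of hanging. The
    expanded length is tracked separately from the wire bytes consumed,
    which is exactly the quantity a buffer allocation has to be based on.
    """
    labels = []
    expanded = 0
    consumed = None
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:
                raise ValueError("pointer does not move backwards (forward/loop)")
            if consumed is None:
                consumed = pos + 2 - offset            # pointer ends the wire name
            pos = target
            continue
        if length & 0xC0:
            raise ValueError("reserved label type")
        if length > MAX_LABEL_LEN:
            raise ValueError("label too long")
        pos += 1
        if length == 0:                                # root label terminates
            if consumed is None:
                consumed = pos - offset
            expanded += 1
            if expanded > MAX_NAME_LEN:
                raise ValueError("expanded name exceeds 255 bytes")
            return ".".join(labels) + ".", consumed, expanded
        if pos + length > len(msg):
            raise ValueError("label runs past end of message")
        expanded += length + 1
        if expanded > MAX_NAME_LEN:
            raise ValueError("expanded name exceeds 255 bytes")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length


def build_chain(stages: int) -> Tuple[bytes, int]:
    """Constructed message whose last name expands far beyond its wire size.

    Stage 0 is a 63-byte label plus root (65 wire bytes, 65 expanded). Each
    further stage is a 63-byte label plus a pointer to the previous stage:
    66 wire bytes, but +64 on the expanded length of whatever it points to.
    Returns the message and the offset of the last stage.
    """
    msg = b"\x3f" + b"a" * 63 + b"\x00"
    prev_start = 0
    last = 0
    for _ in range(stages):
        last = len(msg)
        msg += b"\x3f" + b"b" * 63 + struct.pack("!H", 0xC000 | prev_start)
        prev_start = last
    return msg, last


if __name__ == "__main__":
    for off in (0, 17, 19):
        print(off, read_name(SAMPLE, off))
    msg, off = build_chain(2)
    print("2 stages expands to", read_name(msg, off)[2], "bytes")
```

The three sample names show the ratio the text refers to: the name at offset 19 costs 7 wire bytes and expands to 22, and `build_chain(3)` produces a name that a naive parser would accept but that exceeds the 255-byte limit, which `read_name` rejects.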

Recommendations:

In July 2020, Microsoft released patches for the vulnerability.

We strongly recommend that users patch their Windows DNS servers to prevent exploitation of this vulnerability.

Link to the MSRC library for downloading the KB:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350

Download:

Our packages are available on the following links.

We are regularly updating the package with new resources to enrich the SIEM detection methods for this attack.

Download from GitHub:

https://github.com/cybersiem/CyberSIEM-IR/tree/master/CVE-2020-1350_SigRed

Or download from this site:

ArcSight:

https://www.cybersiem.com/download/sigred-arcsight

Requirements:

Collection of any of these event types:

  • DNS Debug Log
  • Firewall Logs – Bytes-in value is needed

QRadar:

https://www.cybersiem.com/download/sigred-qradar

Requirements:

  • DNS Debug Log

ArcSight Package Overview:

We have created an ArcSight package that detects suspicious DNS traffic in both firewall logs and the DNS debug log.

The package recognizes large DNS response packets sent over the TCP protocol.
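As an added illustration of the detection idea behind both packages (this is example code, not CyberSIEM's own rules or content), the Python below flags TCP/53 flows with an oversized bytes-in value in firewall logs, extracts the responses the DNS server received over TCP from the Windows DNS debug log, and correlates the two on the remote resolver address. All log lines are constructed; the key=value firewall field names, the 60 000-byte threshold and the debug-log column layout are assumptions.

```python
"""Added example: SigRed-style detection over constructed log lines.

Not CyberSIEM's package. Field names, the threshold and the debug-log layout
are assumptions; every log line below is constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumed threshold: DNS over TCP carries a 16-bit length prefix, so a single
# response approaching 64 KiB is far outside normal resolution traffic.
LARGE_RESPONSE_BYTES = 60_000

# Constructed firewall lines in key=value form (real firewalls emit CEF, LEEF
# or vendor syslog; only the field names used here are assumed).
FIREWALL_LOG = """\
src=10.0.0.5 dst=203.0.113.9 proto=TCP sport=49211 dport=53 bytes_out=78 bytes_in=65520
src=10.0.0.5 dst=203.0.113.9 proto=UDP sport=51004 dport=53 bytes_out=60 bytes_in=112
src=10.0.0.5 dst=198.51.100.2 proto=TCP sport=49212 dport=53 bytes_out=70 bytes_in=510
src=10.0.0.5 dst=198.51.100.7 proto=TCP sport=49213 dport=443 bytes_out=900 bytes_in=70000
"""

# Constructed lines following the column order of the Windows DNS debug log as
# assumed here (date, time, thread, context, packet id, protocol, Snd/Rcv,
# remote IP, XID, R flag for responses, opcode, flags, rcode, qtype, qname).
DNS_DEBUG_LOG = """\
7/16/2020 10:15:22 AM 0B10 PACKET  000001F2A3B4C5D0 TCP Snd 203.0.113.9     0002     Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
7/16/2020 10:15:23 AM 0B10 PACKET  000001F2A3B4C5D0 TCP Rcv 203.0.113.9     0002   R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
7/16/2020 10:15:24 AM 0B10 PACKET  000001F2A3B4C6E1 UDP Rcv 198.51.100.2    0003   R Q [8081   DR  NOERROR] A      (3)www(7)example(3)org(0)
7/16/2020 10:15:25 AM 0B10 PACKET  000001F2A3B4C7F2 TCP Rcv 198.51.100.2    0004   R Q [8081   DR  NOERROR] AAAA   (4)mail(7)example(3)org(0)
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
DEBUG_RE = re.compile(
    r"^(?P<date>\S+ \S+ [AP]M) \S+ PACKET\s+\S+ (?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) "
    r"(?P<ip>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R?)\s+Q \[(?P<flags>[^\]]*)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)


@dataclass(frozen=True)
class Alert:
    source: str       # "firewall", "dns_debug" or "correlated"
    remote_ip: str
    detail: str


def large_tcp_dns_responses(log: str, threshold: int = LARGE_RESPONSE_BYTES) -> List[Alert]:
    """Firewall side: TCP flows to port 53 whose bytes_in exceeds the threshold."""
    alerts = []
    for line in log.splitlines():
        f = dict(KV_RE.findall(line))
        if f.get("proto") != "TCP" or f.get("dport") != "53":
            continue
        bytes_in = int(f.get("bytes_in", "0"))
        if bytes_in > threshold:
            alerts.append(Alert("firewall", f["dst"], f"{bytes_in} bytes returned over TCP/53"))
    return alerts


def tcp_responses_received(log: str) -> List[Alert]:
    """DNS debug log side: responses (R flag) the server received (Rcv) over TCP."""
    alerts = []
    for line in log.splitlines():
        m = DEBUG_RE.match(line)
        if m and m["proto"] == "TCP" and m["dir"] == "Rcv" and m["resp"] == "R":
            alerts.append(Alert("dns_debug", m["ip"],
                                f"TCP response, XID {m['xid']}, {m['qtype']} {m['qname']}"))
    return alerts


def correlate(fw_log: str, dns_log: str, threshold: int = LARGE_RESPONSE_BYTES) -> List[Alert]:
    """Join both sources on the remote resolver IP. A large TCP/53 flow from a
    host that also delivered a TCP response to the DNS server is the strongest
    signal; either source alone is worth a lower-severity alert."""
    fw = {a.remote_ip: a for a in large_tcp_dns_responses(fw_log, threshold)}
    return [Alert("correlated", a.remote_ip, f"{fw[a.remote_ip].detail}; {a.detail}")
            for a in tcp_responses_received(dns_log) if a.remote_ip in fw]


if __name__ == "__main__":
    for alert in correlate(FIREWALL_LOG, DNS_DEBUG_LOG):
        print(alert)
```

On the constructed data only 203.0.113.9 trips both sources: the TCP/443 flow is ignored despite its size, the UDP response is ignored, and 198.51.100.2 answered over TCP but with an ordinary 510-byte response. In a real deployment the threshold and the debug-log regex are the two things to tune first, which is why the page stresses complete, delay-free collection of both sources.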

QRadar Package Overview:

Rule (screenshot not included): Action: Dispatch New Event

Search (screenshot not included)

Custom Properties (screenshot not included)

Important: These packages work properly only in optimized environments. Make sure event collection is configured properly, without data loss or delays.

You are welcome to contact us for any further details.

Emily Dubnik – [email protected]

Yarin Zaddik – [email protected]

Maayan Shlomo – [email protected]

Michael Vashinsky – [email protected]

Emily Dubnik