Threat Hunting Rules to Detect Exploitation of CVE-2020-1350 (SIGRed)

Today we introduce a special digest of content that helps to detect exploitation of a critical vulnerability in Windows DNS Servers. The vulnerability became known only two days ago, but since then, both the SOC Prime team (represented by Nate Guagenty) and the Threat Bounty Program participants have published 7+ rules for detecting various ways of exploiting CVE-2020-1350 vulnerability (aka SIGRed), and we will update this post as new rules are released.

This (Patch) Tuesday Microsoft fixed 123 security flaws and CVE-2020-1350 was the most severe bug among them. This is a critical wormable RCE vulnerability in a Windows DNS Server, which can affect all Windows server versions and can be triggered by a malicious DNS response. This vulnerability hasn’t been involved in active attacks yet. Still, we are doing all our best to help you prevent attacks and analyze their hazardous impact on your system prior to the actual exploit. Considering the vulnerability’s high-risk CVSS base score of 10.0, we really recommend implementing this content from Threat Detection Marketplace to make sure that your infrastructure can stand up against the attackers’ attempts while the patch management procedures follow up.

CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) by SOC Prime Team: https://tdm.socprime.com/tdm/info/kiaGjZKlbr51/zqmpUXMBSh4W_EKG7NlL/

CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via proxy) by SOC Prime Team: https://tdm.socprime.com/tdm/info/mVWveD0Kpws4/YqmkUXMBSh4W_EKGK9be/

CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via dns) by SOC Prime Team: https://tdm.socprime.com/tdm/info/kFS0cuARbWPi/lamcUXMBSh4W_EKGadFM/

Maximum length of a DNS message (over TCP) Registry Modification by Den Iuzvik: https://tdm.socprime.com/tdm/info/nsOIPkW36EOL/0tcSV3MBPeJ4_8xcXcvY/

CVE-2020-1350 (SIGRed) – Windows DNS DoS Exploit by Emir Erdogan: https://tdm.socprime.com/tdm/info/2q5UBrjizMau/vq0YV3MBSh4W_EKGajbo/

CVE-2020-1350 – Windows DNS Server Remote Code Execution Vulnerability by Arunkumar Krishna: https://tdm.socprime.com/tdm/info/HTQs2ZylIDcg/s60VV3MBSh4W_EKGbTR0/#s60VV3MBSh4W_EKGbTR0

YARA rule CVE-2020-1350 – Windows DNS Server Remote Code Execution Vulnerability by Arunkumar Krishna: https://tdm.socprime.com/tdm/info/ZZjdbck3YBvC/MamvUXMBSh4W_EKGJN0s/

DNS.exe Crashing (Possible CVE-2020-1350 detection) by Lee Archinal: https://tdm.socprime.com/tdm/info/juvemAPHz2Co/hsDlcHMBQAH5UgbBe0ro/?p=1

Sigma rule to detect the exploitation of Windows DNS RCE CVE-2020-1350 by Florian Roth: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_1350.yml

This rule can be translated with Uncoder: https://uncoder.io/

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio, 

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact, Exfiltration, Lateral Movement, Defense Evasion, Command and Control, Initial Access, Privilege Escalation

Techniques: Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation (T1068), Endpoint Denial of Service (T1499), Data Transfer Size Limits (T1030), Exploitation of Remote Services (T1210), Modify Registry (T1112), Data Encoding (T1132)

Stay tuned!