Today we introduce a special digest of content that helps to detect exploitation of a critical vulnerability in Windows DNS Servers. The vulnerability became known only two days ago, but since then, both the SOC Prime team (represented by Nate Guagenty) and the Threat Bounty Program participants have published 10+ rules for detecting various ways of exploiting CVE-2020-1350 vulnerability (aka SIGRed), and we will update this post as new rules are released.
CVE-2020-1350 – critical wormable RCE vulnerability
This (Patch) Tuesday Microsoft fixed 123 security flaws and CVE-2020-1350 was the most severe bug among them. This is a critical wormable RCE vulnerability in a Windows DNS Server, which can affect all Windows server versions and can be triggered by a malicious DNS response. Adversaries only need to send a specially generated request to the DNS server to run malicious code in the context of the LocalSystem account (a predefined local account used by the service control manager). The LocalSystem account is not recognized by the security subsystem, and according to Microsoft, the main danger of the vulnerability is that it can be used to spread a threat over a local network.
Working exploits for this vulnerability began to appear approximately two days after the publication of information about it. Initially, they could cause denial-of-service effects, but later full-fledged exploits were developed and released by security researchers (of course, advanced threat actors do not post their developments on the GitHub). This vulnerability hasn’t been involved in active attacks at the time of publication of the digest. Still, we are doing all our best to help you prevent attacks and analyze their hazardous impact on your system prior to the actual exploit. Considering the vulnerability’s high-risk CVSS base score of 10.0, we really recommend implementing this content from Threat Detection Marketplace to make sure that your infrastructure can stand up against the attackers’ attempts while the patch management procedures follow up.
Digest of content to detect SIGRed related attacks
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via cmdline) by SOC Prime Team: https://tdm.socprime.com/tdm/info/kiaGjZKlbr51/zqmpUXMBSh4W_EKG7NlL/
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via proxy) by SOC Prime Team: https://tdm.socprime.com/tdm/info/mVWveD0Kpws4/YqmkUXMBSh4W_EKGK9be/
CVE-2020-1350 DNS Remote Code Exploit [SIGRED] (via dns) by SOC Prime Team: https://tdm.socprime.com/tdm/info/kFS0cuARbWPi/lamcUXMBSh4W_EKGadFM/
Maximum length of a DNS message (over TCP) Registry Modification by Den Iuzvik: https://tdm.socprime.com/tdm/info/nsOIPkW36EOL/0tcSV3MBPeJ4_8xcXcvY/
CVE-2020-1350 (SIGRed) – Windows DNS DoS Exploit by Emir Erdogan: https://tdm.socprime.com/tdm/info/2q5UBrjizMau/vq0YV3MBSh4W_EKGajbo/
CVE-2020-1350 – Windows DNS Server Remote Code Execution Vulnerability by Arunkumar Krishna: https://tdm.socprime.com/tdm/info/HTQs2ZylIDcg/s60VV3MBSh4W_EKGbTR0/#s60VV3MBSh4W_EKGbTR0
YARA rule CVE-2020-1350 – Windows DNS Server Remote Code Execution Vulnerability by Arunkumar Krishna: https://tdm.socprime.com/tdm/info/ZZjdbck3YBvC/MamvUXMBSh4W_EKGJN0s/
(SIGRED) CVE-2020-1350 DNS Remote Code Exploit [via HTTP/Proxy Logs] by SOC Prime team: https://tdm.socprime.com/tdm/info/mVWveD0Kpws4/Aa2kUXMBQAH5UgbBLQQH/
DNS.exe Crashing (Possible CVE-2020-1350 detection) by Lee Archinal: https://tdm.socprime.com/tdm/info/juvemAPHz2Co/hsDlcHMBQAH5UgbBe0ro/?p=1
Sigma rule to detect the exploitation of Windows DNS RCE CVE-2020-1350 by Florian Roth: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_1350.yml
This rule can be translated with Uncoder: https://uncoder.io/
The rules have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio,
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Impact, Exfiltration, Lateral Movement, Defense Evasion, Command and Control, Initial Access, Privilege Escalation
Techniques: Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation (T1068), Endpoint Denial of Service (T1499), Data Transfer Size Limits (T1030), Exploitation of Remote Services (T1210), Modify Registry (T1112), Data Encoding (T1132)