Detection of Abnormally Large DNS Responses Indicative of CVE-2020-1350 Exploitation
This rule detects abnormally large DNS responses indicative of exploitation attempts targeting a known overflow vulnerability (CVE-2020-1350) in Windows DNS servers, potentially leading to Remote Code Execution (RCE) or Denial of Service (DoS).
This threat brief focuses on the detection of abnormally large DNS responses that may indicate exploitation attempts against CVE-2020-1350, also known as SigRed. This vulnerability affects Windows DNS servers and can lead to Remote Code Execution (RCE) or Denial of Service (DoS) if successfully exploited. The vulnerability resides in how the Windows DNS server parses incoming DNS queries, specifically related to signature records (SIG). An attacker can craft a malicious DNS response that triggers a buffer overflow when processed by the DNS server. This detection rule focuses on identifying network traffic exhibiting abnormally large DNS response sizes, specifically those exceeding 60KB. While some legitimate DNS traffic may approach this size, responses significantly larger are often indicative of exploitation attempts.
Attack Chain
- Attacker sends a specially crafted DNS query to a vulnerable Windows DNS server. The query is designed to trigger the overflow.
- The vulnerable DNS server receives the malicious DNS query and attempts to parse it.
- Due to the vulnerability (CVE-2020-1350), the DNS server improperly handles the crafted DNS response, leading to a buffer overflow.
- The buffer overflow allows the attacker to overwrite critical memory regions within the DNS server process (dns.exe).
- The attacker gains control of the DNS server process, potentially executing arbitrary code.
- The attacker leverages the compromised DNS server to move laterally within the network, targeting other internal systems. This may involve using the DNS server as a pivot point for further exploitation.
- Alternatively, the overflow causes the DNS service to crash, leading to a Denial of Service (DoS) condition.
- The attacker achieves their objective: either gaining a foothold for lateral movement or disrupting DNS services.
Impact
Successful exploitation of CVE-2020-1350 can have severe consequences. An attacker can gain complete control of the DNS server, allowing them to intercept and manipulate DNS traffic, redirect users to malicious websites, or compromise other systems on the network. A successful attack could lead to data exfiltration, ransomware deployment, or other malicious activities. The vulnerability also poses a DoS risk, potentially disrupting critical network services.
Recommendation
- Deploy the Sigma rule
Abnormally Large DNS Responseto your SIEM to detect potentially malicious DNS traffic based on response size. Tune the threshold (60000 bytes) based on your environment's legitimate DNS traffic patterns. - Investigate any alerts generated by the Sigma rule
Abnormally Large DNS Responseby examining associated Intrusion Detection Signatures (IDS) alerts, and reviewing thedns.question_typenetwork fieldset. - Apply the latest Microsoft Security Update for CVE-2020-1350 to patch vulnerable Windows DNS servers. If immediate patching is not possible, implement the registry-based workaround provided by Microsoft.
- Monitor network traffic for unusual activity originating from DNS servers, as successful exploitation can lead to lateral movement.
Detection coverage 2
Abnormally Large DNS Response
mediumDetects DNS responses exceeding 60KB, potentially indicating CVE-2020-1350 exploitation attempts.
DNS Response Size Anomaly
mediumDetects abnormally large DNS responses indicating potential exploitation attempts.
Detection queries are available on the platform. Get full rules →