{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-dns-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows DNS Server"],"_cs_severities":["medium"],"_cs_tags":["sigred","dns-server","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of abnormally large DNS responses that may indicate exploitation attempts against CVE-2020-1350, also known as SigRed. This vulnerability affects Windows DNS servers and can lead to Remote Code Execution (RCE) or Denial of Service (DoS) if successfully exploited. The vulnerability resides in how the Windows DNS server parses incoming DNS queries, specifically related to signature records (SIG). An attacker can craft a malicious DNS response that triggers a buffer overflow when processed by the DNS server. This detection rule focuses on identifying network traffic exhibiting abnormally large DNS response sizes, specifically those exceeding 60KB. While some legitimate DNS traffic may approach this size, responses significantly larger are often indicative of exploitation attempts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker sends a specially crafted DNS query to a vulnerable Windows DNS server. The query is designed to trigger the overflow.\u003c/li\u003e\n\u003cli\u003eThe vulnerable DNS server receives the malicious DNS query and attempts to parse it.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability (CVE-2020-1350), the DNS server improperly handles the crafted DNS response, leading to a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe buffer overflow allows the attacker to overwrite critical memory regions within the DNS server process (dns.exe).\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the DNS server process, potentially executing arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised DNS server to move laterally within the network, targeting other internal systems. This may involve using the DNS server as a pivot point for further exploitation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the overflow causes the DNS service to crash, leading to a Denial of Service (DoS) condition.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective: either gaining a foothold for lateral movement or disrupting DNS services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2020-1350 can have severe consequences. An attacker can gain complete control of the DNS server, allowing them to intercept and manipulate DNS traffic, redirect users to malicious websites, or compromise other systems on the network. A successful attack could lead to data exfiltration, ransomware deployment, or other malicious activities. The vulnerability also poses a DoS risk, potentially disrupting critical network services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAbnormally Large DNS Response\u003c/code\u003e to your SIEM to detect potentially malicious DNS traffic based on response size. Tune the threshold (60000 bytes) based on your environment's legitimate DNS traffic patterns.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eAbnormally Large DNS Response\u003c/code\u003e by examining associated Intrusion Detection Signatures (IDS) alerts, and reviewing the \u003ccode\u003edns.question_type\u003c/code\u003e network fieldset.\u003c/li\u003e\n\u003cli\u003eApply the latest Microsoft Security Update for CVE-2020-1350 to patch vulnerable Windows DNS servers. If immediate patching is not possible, implement the registry-based workaround provided by Microsoft.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual activity originating from DNS servers, as successful exploitation can lead to lateral movement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-sigred-overflow/","summary":"This rule detects abnormally large DNS responses indicative of exploitation attempts targeting a known overflow vulnerability (CVE-2020-1350) in Windows DNS servers, potentially leading to Remote Code Execution (RCE) or Denial of Service (DoS).","title":"Detection of Abnormally Large DNS Responses Indicative of CVE-2020-1350 Exploitation","url":"https://feed.craftedsignal.io/briefs/2024-01-sigred-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed - Windows DNS Server","version":"https://jsonfeed.org/version/1.1"}