
Abnormally Large DNS Response

Specially crafted DNS requests can trigger a known overflow vulnerability in some Windows DNS servers, resulting in remote code execution (RCE) or a denial of service (DoS) when the service crashes.

Rule type: query
Rule indices:

  • logs-network_traffic.*
  • logs-panw.panos*

Rule Severity: medium
Risk Score: 47
Runs every:
Searches indices from: ``
Maximum alerts per execution: 100
References:

Tags:

  • Use Case: Threat Detection
  • Tactic: Lateral Movement
  • Tactic: Impact
  • Resources: Investigation Guide
  • Use Case: Vulnerability
  • Data Source: PAN-OS
  • Data Source: Network Traffic

Version: 111
Rule authors:

  • Elastic

Rule license: Elastic License v2

Detection alerts from this rule indicate possible anomalous activity around abnormally large DNS responses from a Windows DNS server. The rule was created from activity observed during exploitation of CVE-2020-1350, also known as SigRed, in July 2020.

  • This rule is sourced from network log activity, such as DNS or network-level data. Validate the source of the incoming traffic and determine whether this activity has been observed previously in the environment.
  • Activity can be further investigated and validated by reviewing any associated Intrusion Detection System (IDS) alerts.
  • Further examination can include a review of the DNS question type (the ECS dns.question.type field) with a protocol analyzer such as Zeek, Packetbeat, or Suricata, looking for SIG or RRSIG records.
  • Validate the patch level and OS of the targeted DNS server, and confirm that the observed activity was not large-scale internet vulnerability scanning.
  • Validate that the source of the network activity was not an authorized vulnerability scan or compromise assessment.
  • The rule uses a threshold of 65,000 bytes (65k); activity below this value is expected to be legitimate. In packet captures received by the SANS Internet Storm Center, the responses in observed attacks were all larger than 65k bytes.
  • This activity can be triggered by compliance/vulnerability scanning or a compromise assessment; determine the source of the activity and consider allowlisting the source host.
  • Network security devices such as PAN-OS firewalls, Fortinet devices, and NetFlow exporters record destination.bytes as the total bytes across an entire session rather than a single DNS response. Long-lived flow records (event.duration > 60 seconds) with an event.action of flow_terminated or network_flow are excluded to reduce this noise. Duration is used rather than packet count because a genuine SigRed TCP exchange completes in seconds and cannot be stretched past 60 seconds by an attacker continuing to use the connection.

Related rules:

  • Unusual Child Process of dns.exe - 8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45
  • Unusual File Modification by dns.exe - c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9

Response and remediation:

  • Initiate the incident response process based on the outcome of the triage.
  • Ensure that the latest Microsoft Security Update (Monthly Rollup or Security Only) is deployed and that patched machines have been restarted. If patching immediately is not possible, Microsoft released a registry-based workaround that does not require a restart; it can be used as a temporary measure until the patch is applied.
  • Maintain backups of critical systems to aid in quick recovery.
  • Perform routine vulnerability scans of your systems, monitor CISA advisories, and patch identified vulnerabilities.
  • If you observe a true positive, implement a remediation plan and monitor host-based artifacts for additional post-exploitation behavior.

Rule query:

((event.category:(network or network_traffic) and destination.port:53)
    or network.protocol:"dns"
    or data_stream.dataset:(network_traffic.dns or zeek.dns))
and destination.bytes >= 65000
and event.type:("allowed" or "end" or "protocol" or "start")
and not (
  event.action:("flow_terminated" or "network_flow")
  and event.duration > 60000000000
)

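The rule query, replayed in Python over a handful of constructed ECS-style events so the 65,000-byte threshold and the long-lived flow exclusion can be seen working. This is an added example, not part of the Elastic rule or its documentation: the sample records, their id values, and the helper names (matches_rule, is_long_lived_flow, has_sigred_qtype) are assumptions made for illustration. The exclusion compares against 60000000000 because ECS stores event.duration in nanoseconds, which is what the query's constant encodes; the SIG/RRSIG check is a triage hint taken from the investigation notes, not part of the query itself.

```python
# Added example, not part of the Elastic rule or its documentation.
# Replays the rule's query logic over constructed ECS-style events.

SIZE_THRESHOLD = 65000                   # destination.bytes >= 65000
MAX_FLOW_DURATION_NS = 60_000_000_000    # 60 s; ECS event.duration is in nanoseconds
FLOW_ACTIONS = {"flow_terminated", "network_flow"}
ALLOWED_EVENT_TYPES = {"allowed", "end", "protocol", "start"}
DNS_DATASETS = {"network_traffic.dns", "zeek.dns"}
DNS_CATEGORIES = {"network", "network_traffic"}
SIGRED_QTYPES = {"SIG", "RRSIG"}         # question types the investigation guide says to look for


def field(event, path):
    """Return the value at a dotted ECS path, or None if any segment is missing."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def as_set(value):
    """ECS allows event.category / event.type to be a string or a list of strings."""
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def is_dns_traffic(event):
    """First clause of the query: three ways a record can identify itself as DNS."""
    by_port = (as_set(field(event, "event.category")) & DNS_CATEGORIES
               and field(event, "destination.port") == 53)
    by_protocol = field(event, "network.protocol") == "dns"
    by_dataset = field(event, "data_stream.dataset") in DNS_DATASETS
    return bool(by_port or by_protocol or by_dataset)


def is_long_lived_flow(event):
    """Exclusion for session-level flow records (PAN-OS, NetFlow) longer than 60 s,
    where destination.bytes covers the whole session rather than one DNS response."""
    duration = field(event, "event.duration")
    return (field(event, "event.action") in FLOW_ACTIONS
            and duration is not None and duration > MAX_FLOW_DURATION_NS)


def matches_rule(event):
    """True when the event would raise an alert under the rule's query."""
    size = field(event, "destination.bytes")
    if size is None or size < SIZE_THRESHOLD:
        return False
    if not is_dns_traffic(event):
        return False
    if not as_set(field(event, "event.type")) & ALLOWED_EVENT_TYPES:
        return False
    return not is_long_lived_flow(event)


def has_sigred_qtype(event):
    """Triage hint from the guide: SIG/RRSIG question type on the matching traffic."""
    return field(event, "dns.question.type") in SIGRED_QTYPES


def run(events):
    """Return (id, sig_qtype flag) for every event that matches the rule, in order."""
    return [(e["id"], has_sigred_qtype(e)) for e in events if matches_rule(e)]


# Constructed sample events (not real captures); the "id" key is for illustration only.
SAMPLE_EVENTS = [
    {   # Packetbeat DNS transaction: 70 KB response to a SIG query
        "id": "packetbeat-sig",
        "event": {"category": ["network"], "type": ["connection", "protocol"]},
        "network": {"protocol": "dns"},
        "destination": {"port": 53, "bytes": 70000},
        "dns": {"question": {"type": "SIG"}},
    },
    {   # Ordinary A-record lookup: well under the threshold
        "id": "packetbeat-small",
        "event": {"category": ["network"], "type": ["protocol"]},
        "network": {"protocol": "dns"},
        "destination": {"port": 53, "bytes": 118},
        "dns": {"question": {"type": "A"}},
    },
    {   # PAN-OS flow record: 90 KB over a 2-minute session -> excluded as session noise
        "id": "panos-long-flow",
        "event": {"category": ["network"], "type": ["end"],
                  "action": "flow_terminated", "duration": 120_000_000_000},
        "destination": {"port": 53, "bytes": 90000},
    },
    {   # PAN-OS flow record: 90 KB in 3 seconds -> consistent with one large response
        "id": "panos-short-flow",
        "event": {"category": ["network"], "type": ["end"],
                  "action": "flow_terminated", "duration": 3_000_000_000},
        "destination": {"port": 53, "bytes": 90000},
    },
    {   # Blocked by the firewall: event.type outside the query's set
        "id": "panos-denied",
        "event": {"category": ["network"], "type": ["denied"]},
        "destination": {"port": 53, "bytes": 90000},
    },
]


if __name__ == "__main__":
    for event_id, sig in run(SAMPLE_EVENTS):
        print(f"ALERT {event_id} (SIG/RRSIG question type: {sig})")
```

Running the block reports two alerts, the Packetbeat SIG transaction and the short PAN-OS flow. The two-minute flow record carrying the same 90,000 bytes is dropped by the duration exclusion, which is exactly the session-total noise the investigation notes describe, while the denied flow never enters because its event.type is outside the query's list.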
Framework: MITRE ATT&CK
