Windows DNS server vulnerability (CVE-2020-1350) rules #69
Conversation
brokensound77
added
v7.10.0
Rule: New
brokensound77
requested review from
peasead,
rw-access,
dstepanic and
seth-goodwin
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1133" |
There was a problem hiding this comment.
T1569 System Services would likely be a better fit here, but we need to update mapping first, which may need some refactoring to account for sub-techniques
There was a problem hiding this comment.
yep. adding xref to #52
|
We should add triage and any relevant intel to |
Co-authored-by: Andrew Pease <[email protected]>
Co-authored-by: Andrew Pease <[email protected]>
dstepanic
changed the title
| risk_score = 73 | ||
| rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9" | ||
| severity = "high" | ||
| tags = ["CVE-2020-1350", "Elastic", "Windows"] |
There was a problem hiding this comment.
I believe these tags populate in the UI. Do we want to have this specific CVE tag in the UI as opposed to just the standard “Windows” tag.
There was a problem hiding this comment.
👋
Yep, I think so. Since we tend to normally target behavior rather than specific vulnerabilities, rules specific to a CVE will be less frequent. In cases where the CVE is a 10 and has significant impact, if it makes sense to have a rule, I think it makes sense to tag the CVE it may be more commonly known by.
There was a problem hiding this comment.
I don't think we should treat tags as one-offs, but more as ways to build medium-large groups of rules.
I think we should instead support more threat frameworks than just ATT&CK
| tags = ["CVE-2020-1350", "Elastic", "Windows"] | |
| tags = ["Elastic", "Windows"] |
There was a problem hiding this comment.
I agree @rw-access. I think it could get a bit messy and dated over an extended period of time to have one off tags, unless we had a better way to sort or visualize tags in the UI.
There was a problem hiding this comment.
We had a discussion and have decided to remove any mention of CVE from tags altogether. We still have to come to a decision on when we want to associate a CVE to a rule in general (only rules specific to a CVE, only CVE 10, etc.), but once we figure that it, it would most likely be better fit within the threat array, such as
threat = [{
"framework": "CVE",
"cve_list": [
{
"ID": "2020-1350",
"CVSS": 10
}
]
}]+- any other relevant fields we would want to build into that structure. The API would need updating to support this first as well (cc @spong)
Once we agree on structure, we can create an issue
Update risk score Co-authored-by: Justin Ibarra <[email protected]>
Co-authored-by: dstepanic17 <[email protected]>
Issues
resolves #68
Summary
This creates three rules related to CVE-2020-1350 - Windows DNS server vulnerability.
Only the network rule is specific to the CVE, with the others resilient enough to identify anomalous behavior via any manipulation of the service.While the rules will help detect potential exploitation of the CVE, they are written to detect anomalies around the DNS server in general.