elastic · brokensound77 · Jul 17, 2020 · Jul 16, 2020 · Jul 16, 2020 · Jul 16, 2020
@@ -238,7 +238,12 @@ def build(cls, path=None, rule_type=None, required_only=True, save=True, **kwarg
                     tactic = schema_prompt('mitre tactic name', type='string', enum=TACTICS, required=True)
                     technique_ids = schema_prompt(f'technique IDs for {tactic}', type='array', required=True,
                                                   enum=list(technique_lookup))
-                    threat_map.append(build_threat_map_entry(tactic, *technique_ids))
+
+                    try:
+                        threat_map.append(build_threat_map_entry(tactic, *technique_ids))
+                    except KeyError as e:
+                        click.secho(f'Unknown ID: {e.args[0]}')
+                        continue
 
                 if len(threat_map) > 0:
                     contents[name] = threat_map

diff --git a/rules/windows/execution_unusual_dns_service_children.toml b/rules/windows/execution_unusual_dns_service_children.toml
@@ -0,0 +1,59 @@
+[metadata]
+creation_date = "2020/07/16"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an unexpected process spawning from dns.exe, the process responsible for Windows DNS server services, which
+may indicate activity related to remote code execution or other forms of exploitation.
+"""
+false_positives = [
+    """
+    Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low
+    occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe
+    to spawn.
+    """,
+]
+index = ["winlogbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Unusual Child Process of dns.exe"
+note = """### Investigating Unusual Child Process
+Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
+- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).
+- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.
+- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.
+- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint."""
+references = [
+    "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+    "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+    "https://github.com/maxpl0it/CVE-2020-1350-DoS",
+]
+risk_score = 73
+rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
+severity = "high"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category:process and event.type:start and
+  process.parent.name:dns.exe and
+  not process.name:conhost.exe
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/execution_unusual_dns_service_file_writes.toml b/rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2020/07/16"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
+may indicate activity related to remote code execution or other forms of exploitation.
+"""
+index = ["winlogbeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Unusual File Modification by dns.exe"
+note = """### Investigating Unusual File Write
+Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
+- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms. 
+- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care."""
+references = [
+    "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+    "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+]
+risk_score = 73
+rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
+severity = "high"
+tags = ["Elastic", "Windows"]
+type = "query"
+
+query = '''
+event.category:file and process.name:dns.exe and
+  not file.name:dns.log
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1133"
+name = "External Remote Services"
+reference = "https://attack.mitre.org/techniques/T1133/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
diff --git a/rules/windows/lateral_movement_dns_server_overflow.toml b/rules/windows/lateral_movement_dns_server_overflow.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2020/07/16"
+ecs_version = ["1.5.0"]
+maturity = "production"
+updated_date = "2020/07/16"
+
+[rule]
+author = ["Elastic"]
+description = """
+Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in
+Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
+"""
+false_positives = [
+    """
+    Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is
+    predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an
+    authorized vulnerability scan or compromise assessment.
+    """,
+]
+index = ["packetbeat-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License"
+name = "Abnormally Large DNS Request"
+note = """### Investigating Large DNS Responses
+Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
+- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
+- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
+- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
+- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment."""
+references = [
+    "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
+    "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
+    "https://github.com/maxpl0it/CVE-2020-1350-DoS",
+]
+risk_score = 47
+rule_id = "11013227-0301-4a8c-b150-4db924484475"
+severity = "medium"
+tags = ["Elastic", "Network", "Windows"]
+type = "query"
+
+query = '''
+event.category:(network or network_traffic) and destination.port:53 and
+  (event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1210"
+name = "Exploitation of Remote Services"
+reference = "https://attack.mitre.org/techniques/T1210/"
+
+
+[rule.threat.tactic]
+id = "TA0008"
+name = "Lateral Movement"
+reference = "https://attack.mitre.org/tactics/TA0008/"