Windows DNS server vulnerability (CVE-2020-1350) rules #69

Merged (15 commits), Jul 17, 2020
Changes from 8 commits
7 changes: 6 additions & 1 deletion detection_rules/rule.py
@@ -239,7 +239,12 @@ def build(cls, path=None, rule_type=None, required_only=True, save=True, **kwarg
tactic = schema_prompt('mitre tactic name', type='string', enum=TACTICS, required=True)
technique_ids = schema_prompt(f'technique IDs for {tactic}', type='array', required=True,
enum=list(technique_lookup))
threat_map.append(build_threat_map_entry(tactic, *technique_ids))

try:
threat_map.append(build_threat_map_entry(tactic, *technique_ids))
except KeyError as e:
click.secho(f'Unknown ID: {e.args[0]}')
continue

if len(threat_map) > 0:
contents[name] = threat_map
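Review bot: in the new `except KeyError` branch, `continue` silently drops the whole tactic the user just entered, so one unknown technique ID discards that tactic together with every valid ID prompted alongside it, and nothing in the message says so. Since the prompt already constrains input with `enum=list(technique_lookup)`, a `KeyError` here points at a mismatch between `technique_lookup` and whatever `build_threat_map_entry` indexes, which deserves to be surfaced as an error rather than a plain line of output; consider `click.secho(f'Unknown ID: {e.args[0]}', fg='red', err=True)` and re-prompting for that tactic instead of `continue`, or at least stating in the message that the tactic was skipped.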
56 changes: 56 additions & 0 deletions rules/windows/execution_unusual_dns_service_children.toml
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2020/07/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/16"

[rule]
author = ["Elastic"]
description = "An unexpected process spawned from dns.exe, which is the process responsible for DNS server services."
false_positives = [
"""
Werfault.exe will legitimately spawn when dns.exe crashes, but the DNS service is very stable and so this is a low
occurring event. Denial of Service (DoS) attempts by intentionally crashing the service will also cause werfault.exe
to spawn.
""",
]
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Unusual Child Process of dns.exe"
note = """### Investigating Unusual Child Process
Detection alerts from this rule indicate potential suspicious child processes spawned after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
- Any suspicious or abnormal child process spawned from dns.exe should be reviewed and investigated with care. It's impossible to predict what an adversary may deploy as the follow-on process after the exploit, but built-in discovery/enumeration utilities should be top of mind (whoami.exe, netstat.exe, systeminfo.exe, tasklist.exe).
- Built-in Windows programs that contain capabilities used to download and execute additional payloads should also be considered. This is not an exhaustive list, but ideal candidates to start out would be: mshta.exe, powershell.exe, regsvr32.exe, rundll32.exe, wscript.exe, wmic.exe.
- If the DoS exploit is successful and DNS Server service crashes, be mindful of potential child processes related to werfault.exe occurring.
- Any subsequent activity following the child process spawned related to execution/network activity should be thoroughly reviewed from the endpoint."""
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
]
risk_score = 73
rule_id = "8c37dc0e-e3ac-4c97-8aa0-cf6a9122de45"
severity = "high"
tags = ["CVE-2020-1350", "Elastic", "Windows"]
type = "query"

query = '''
event.category:process and event.type:start and
process.parent.name:dns.exe and
not process.name:conhost.exe
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
Contributor Author:
T1569 System Services would likely be a better fit here, but we need to update mapping first, which may need some refactoring to account for sub-techniques

@rw-access (Contributor), Jul 17, 2020:
yep. adding xref to #52

name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
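Review bot: the `[[rule.threat]]` block at the end of the file pairs technique T1133 (External Remote Services) with tactic TA0002 (Execution), and Execution is not a tactic ATT&CK lists for T1133 (it belongs to Initial Access and Persistence), so the mapping misdescribes what this query detects; the thread already names T1569 System Services as the better fit once the mapping code handles sub-techniques (#52), so either use it now or leave a comment in the file pointing at the follow-up so the mapping is not forgotten. Separately, `process.parent.name:dns.exe` is an exact match on a keyword field as written; confirm that the data landing in `winlogbeat-*` normalizes the process name to lower case, otherwise an event reporting `DNS.EXE` would be missed.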
44 changes: 44 additions & 0 deletions rules/windows/execution_unusual_dns_service_file_writes.toml
@@ -0,0 +1,44 @@
[metadata]
creation_date = "2020/07/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/16"

[rule]
author = ["Elastic"]
description = """
An unexpected file was modified by dns.exe, which is responsible for DNS Server services. This could indicate that the
service has been maliciously modified or controlled.
"""
index = ["winlogbeat-*"]
language = "kuery"
license = "Elastic License"
name = "Unusual File Modification by dns.exe"
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
]
risk_score = 73
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
severity = "high"
tags = ["CVE-2020-1350", "Elastic", "Windows"]
Contributor:
I believe these tags populate in the UI. Do we want to have this specific CVE tag in the UI as opposed to just the standard “Windows” tag?

Contributor Author:
👋

Yep, I think so. Since we tend to normally target behavior rather than specific vulnerabilities, rules specific to a CVE will be less frequent. In cases where the CVE is a 10 and has significant impact, if it makes sense to have a rule, I think it makes sense to tag the CVE it may be more commonly known by.

Contributor:
I don't think we should treat tags as one-offs, but more as ways to build medium-large groups of rules.

I think we should instead support more threat frameworks than just ATT&CK

Suggested change
tags = ["CVE-2020-1350", "Elastic", "Windows"]
tags = ["Elastic", "Windows"]

@bm11100 (Contributor), Jul 17, 2020:
I agree @rw-access. I think it could get a bit messy and dated over an extended period of time to have one off tags, unless we had a better way to sort or visualize tags in the UI.

@brokensound77 (Contributor Author), Jul 17, 2020:
We had a discussion and have decided to remove any mention of CVE from tags altogether. We still have to come to a decision on when we want to associate a CVE to a rule in general (only rules specific to a CVE, only CVE 10, etc.), but once we figure that out, it would most likely be better fit within the threat array, such as

threat = [{
    "framework": "CVE",
    "cve_list": [
        {
            "ID": "2020-1350",
            "CVSS": 10
        }
    ]
}]

+/- any other relevant fields we would want to build into that structure. The API would need updating to support this first as well (cc @spong)

Once we agree on structure, we can create an issue

type = "query"

query = '''
event.category:file and process.name:dns.exe and
not file.name:dns.log
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
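Review bot: this rule has no `false_positives` entry, unlike the other two rules in this PR, and the query excludes only `file.name:dns.log`; a Windows DNS Server hosting file-backed (non-AD-integrated) zones legitimately writes zone files and their backups under `%SystemRoot%\System32\dns`, so those environments will alert on every zone update. Add a `false_positives` block describing that case and how to tune it (for example by constraining `file.path` where zone-file writes are expected). The `[[rule.threat]]` block also pairs T1133 (External Remote Services) with the Execution tactic, which is not a tactic ATT&CK lists for that technique, so the mapping needs the same correction as the child-process rule.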
70 changes: 70 additions & 0 deletions rules/windows/lateral_movement_dns_server_overflow.toml
@@ -0,0 +1,70 @@
[metadata]
creation_date = "2020/07/16"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/07/16"

[rule]
author = ["Elastic"]
description = """
Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers which result in
Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service.
"""
false_positives = [
"""
Environments that leverage DNS responses over 60k bytes will result in false positives - if this traffic is
predictable and expected, it should be filtered out. Additionally, this detection rule could be triggered by an
authorized vulnerability scan or compromise assessment.
""",
]
index = ["packetbeat-*", "filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Abnormally Large DNS Request"
note = """### Investigating Large DNS Responses
Detection alerts from this rule indicate an attempt was made to exploit CVE-2020-1350 (SigRed) through the use of large DNS responses on a Windows DNS server. Here are some possible avenues of investigation:
- Investigate any corresponding Intrusion Detection Signatures (IDS) alerts that can validate this detection alert.
- Examine the `dns.question_type` network fieldset with a protocol analyzer, such as Zeek, Packetbeat, or Suricata, for `SIG` or `RRSIG` data.
- Validate the patch level and OS of the targeted DNS server to validate the observed activity was not large-scale Internet vulnerability scanning.
- Validate that the source of the network activity was not from an authorized vulnerability scan or compromise assessment."""
references = [
"https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
"https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
"https://github.com/maxpl0it/CVE-2020-1350-DoS",
]
risk_score = 47
rule_id = "11013227-0301-4a8c-b150-4db924484475"
severity = "medium"
tags = ["CVE-2020-1350", "Elastic", "Network", "Windows"]
type = "query"

query = '''
event.category:(network or network_traffic) and destination.port:53 and
(event.dataset:zeek.dns or type:dns or event.type:connection) and network.bytes > 60000
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1133"
name = "External Remote Services"
reference = "https://attack.mitre.org/techniques/T1133/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
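Review bot: `network.bytes > 60000` is also applied to flow-level events (`event.type:connection`), and for those `network.bytes` is the total traffic of the flow in both directions, so a long-lived TCP session from a forwarder or resolver carrying many ordinary queries can cross 60000 bytes without any single oversized message; either limit the size test to per-transaction DNS events (`event.dataset:zeek.dns` / `type:dns`) or describe this volume case in `false_positives` so operators can tune it. The naming is also inconsistent: `name` is "Abnormally Large DNS Request" and the description speaks of crafted requests, while the `note` heading and its first sentence describe large DNS responses and point at `SIG`/`RRSIG` data; pick one so the alert title matches what the investigation guidance tells the analyst to look for.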