EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Windows DNS SIGRed via Splunk Stream

The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.

MITRE ATT&CK

T1203

Detection Query

`stream_dns`
| spath "query_type{}"
| search "query_type{}" IN (SIG,KEY)
| spath protocol_stack
| search protocol_stack="ip:tcp:dns"
| append [search `stream_tcp` bytes_out>65000]
| stats count by flow_id
| where count>1
| fields - count
| `detect_windows_dns_sigred_via_splunk_stream_filter`

Author

Shannon Davis, Splunk

Created

2026-03-10

Tags

Windows DNS SIGRed CVE-2020-1350
Raw Content
name: Detect Windows DNS SIGRed via Splunk Stream
id: babd8d10-d073-11ea-87d0-0242ac130003
version: 8
date: '2026-03-10'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic detects attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers. It leverages Splunk Stream DNS and TCP data to identify DNS SIG and KEY records, as well as TCP payloads exceeding 65KB. This activity is significant because SIGRed is a critical wormable vulnerability that allows remote code execution. If confirmed malicious, an attacker could gain unauthorized access, execute arbitrary code, and potentially disrupt services, leading to severe data breaches and infrastructure compromise. Immediate investigation and remediation are crucial to mitigate these risks.
data_source: []
search: |
    `stream_dns`
    | spath "query_type{}"
    | search "query_type{}" IN (SIG,KEY)
    | spath protocol_stack
    | search protocol_stack="ip:tcp:dns"
    | append [search `stream_tcp` bytes_out>65000]
    | stats count by flow_id
    | where count>1
    | fields - count
    | `detect_windows_dns_sigred_via_splunk_stream_filter`
how_to_implement: You must be ingesting Splunk Stream DNS and Splunk Stream TCP. We are detecting SIG and KEY records via stream:dns and TCP payload over 65KB in size via stream:tcp.  Replace the macro definitions ('stream:dns' and 'stream:tcp') with configurations for your Splunk environment.
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Potential SIGRed activity detected
    risk_objects:
        - field: flow_id
          type: other
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Windows DNS SIGRed CVE-2020-1350
    asset_type: Endpoint
    cve:
        - CVE-2020-1350
    mitre_attack_id:
        - T1203
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network