EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Windows DNS SIGRed via Zeek

The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.

MITRE ATT&CK

T1203

Detection Query

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where
  DNS.query_type IN (SIG,KEY) by DNS.flow_id
| rename DNS.flow_id as flow_id
| append [
  | tstats  `security_content_summariesonly` count
  from datamodel=Network_Traffic where
  All_Traffic.bytes_in>65000
  by All_Traffic.flow_id
  | rename All_Traffic.flow_id as flow_id
]
| stats count by flow_id
| where count>1
| fields - count'
| `detect_windows_dns_sigred_via_zeek_filter`

Author

Shannon Davis, Splunk

Created

2026-03-10

Tags

Windows DNS SIGRed CVE-2020-1350
Raw Content
name: Detect Windows DNS SIGRed via Zeek
id: c5c622e4-d073-11ea-87d0-0242ac130003
version: 10
date: '2026-03-10'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.
data_source: []
search: |
    | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where
      DNS.query_type IN (SIG,KEY) by DNS.flow_id
    | rename DNS.flow_id as flow_id
    | append [
      | tstats  `security_content_summariesonly` count
      from datamodel=Network_Traffic where
      All_Traffic.bytes_in>65000
      by All_Traffic.flow_id
      | rename All_Traffic.flow_id as flow_id
    ]
    | stats count by flow_id
    | where count>1
    | fields - count'
    | `detect_windows_dns_sigred_via_zeek_filter`
how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format.  We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json.  The Network Resolution and Network Traffic datamodels are in use for this search.
known_false_positives: No false positives have been identified at this time.
references: []
rba:
    message: Potential SIGRed activity detected
    risk_objects:
        - field: flow_id
          type: other
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Windows DNS SIGRed CVE-2020-1350
    asset_type: Endpoint
    cve:
        - CVE-2020-1350
    mitre_attack_id:
        - T1203
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint