EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Windows DNS SIGRed via Zeek

The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.

Detection Query

| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where
  DNS.query_type IN (SIG,KEY) by DNS.flow_id
| rename DNS.flow_id as flow_id
| append [
  | tstats  `security_content_summariesonly` count
  from datamodel=Network_Traffic where
  All_Traffic.bytes_in>65000
  by All_Traffic.flow_id
  | rename All_Traffic.flow_id as flow_id
]
| stats count by flow_id
| where count>1
| fields - count'
| `detect_windows_dns_sigred_via_zeek_filter`

Author

Shannon Davis, Splunk

Raw Content
name: Detect Windows DNS SIGRed via Zeek
id: c5c622e4-d073-11ea-87d0-0242ac130003
version: 11
creation_date: '2020-08-04'
modification_date: '2026-05-13'
author: Shannon Davis, Splunk
status: experimental
type: TTP
description: The following analytic detects the presence of SIGRed, a critical DNS vulnerability, using Zeek DNS and Zeek Conn data. It identifies specific DNS query types (SIG and KEY) and checks for high data transfer within a flow. This detection is significant because SIGRed allows attackers to execute remote code on Windows DNS servers, potentially leading to unauthorized access and control. If confirmed malicious, this activity could result in data exfiltration, service disruption, or further network compromise. Immediate investigation and mitigation, such as patching or isolating the affected server, are crucial.
data_source: []
search: |
    | tstats `security_content_summariesonly` count from datamodel=Network_Resolution where
      DNS.query_type IN (SIG,KEY) by DNS.flow_id
    | rename DNS.flow_id as flow_id
    | append [
      | tstats  `security_content_summariesonly` count
      from datamodel=Network_Traffic where
      All_Traffic.bytes_in>65000
      by All_Traffic.flow_id
      | rename All_Traffic.flow_id as flow_id
    ]
    | stats count by flow_id
    | where count>1
    | fields - count'
    | `detect_windows_dns_sigred_via_zeek_filter`
how_to_implement: You must be ingesting Zeek DNS and Zeek Conn data into Splunk. Zeek data should also be getting ingested in JSON format.  We are detecting SIG and KEY records via bro:dns:json and TCP payload over 65KB in size via bro:conn:json.  The Network Resolution and Network Traffic datamodels are in use for this search.
known_false_positives: No false positives have been identified at this time.
references: []
finding:
    title: Potential SIGRed activity detected [ $flow_id$ ]
    entity:
        field: flow_id
        type: other
        score: 50
analytic_story:
    - Windows DNS SIGRed CVE-2020-1350
asset_type: Endpoint
cve:
    - CVE-2020-1350
mitre_attack_id:
    - T1203
product:
    - Splunk Enterprise
    - Splunk Enterprise Security
    - Splunk Cloud
category: network
security_domain: endpoint