Detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed)# CVE-2020-1350 (AKA SIGRed) v0.30
## Summary:
A Zeek package for detection of attempts to exploit Microsoft Windows DNS server via CVE-2020-1350 (AKA SIGRed - CVE Score of 10.0)
## References:
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1350
https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350
## Notices raised :
| Notice | Fidelity |
| -------- | ---------------------- |
|CVE_2020_1350::CVE_2020_1350_Detected_High_Confidence CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (High Confidence, large SIG/KEY response) Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|High|
|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS RRSIG/TKEY response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|
|Potential CVE-2020-1350 Windows DNS exploit (CVE10) has been detected (large DNS response). Refer to links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=ALAS-2020-1350 and https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/|Medium/High|
By default, all notices are enabled, however if you'd like to enable only the High Fidelity notice (due to noise/performance or other reasons) you can change the option in `scripts/CVE-2020-1350.zeek` to True i.e `option only_enable_high_fidelity_notice: bool = T;`
Log in to view the POC file snapshot cached by Shenlong Bot
Log in to view