© 2020 Splunk Inc.
CVE-2020-1350 / SIGRed
Detection, Tips & Tricks, Bad Jokes
Drew Church, Sr. Cybersecurity Advisor
2020-08-13
Agenda
Introductions
Overview of CVE-2020-1350/SIGRed
Vulnerability Data
Detecting Exploitation Attempts
Q&A
Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.
#whoami
Splunker Since August 2019
~10 Years working for/with DoD
• CyberOps Mgr, RMF SCA/Validator
• FLTCYBERCOM Action Officer
• Vuln. Mgmt, System Admin, AppDev
US Navy Reservist, 1825, ENS (O-1)
Drew Church
What is CVE-2020-1350?
“SIGRed (CVE-2020-1350) is a wormable, critical vulnerability … in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.”
- Sagi Tzadik, Check Point Research
CVE-2020-1350
Bad, real bad.
Why?
• Quantitative: CVSS 10.0
• Qualitative: affects Domain Name System (DNS) servers… on Windows
So why does Windows matter here?
• Every single Active Directory forest is running DNS.
• This is a remotely exploitable, unauthenticated vulnerability in a piece of software running on almost every Domain Controller (DC) in the world
AKA SIGRed – Side note, I hate, but appreciate vuln branding
Proof
Right there on Microsoft’s website
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/creating-a-dns-infrastructure-design
(More) Proof
Still right there on Microsoft’s website
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/integrating-ad-ds-into-an-existing-dns-infrastructure
Almost every DC?
Yes, almost. Someone took Brad seriously.
https://www.techopedia.com/2/31981/networking/networking-hardware/dismissing-the-myth-that-active-directory-requires-microsoft-dns
Digging into Vulnerability Data
My favorite subject!
Vulnerability Data in Splunk
Vulnerability data comes in from a number of different sources, for example:
• Tenable Nessus (via tenable.sc/tenable.io. For the DoD folks, this is ACAS)
• Qualys VM
There’s even a Data Model for it with a catchy name – “Vulnerabilities”
• https://docs.splunk.com/Documentation/CIM/4.16.0/User/Vulnerabilities
• Two key fields used in the SPL
– Vulnerabilities.cve
– Vulnerabilities.mskb
This is probably one of the most low-volume, high-value & boring data sources out there
Vulnerability checking SPL
| tstats count from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve=* Vulnerabilities.mskb=* by Vulnerabilities.cve Vulnerabilities.mskb Vulnerabilities.dest
| search Vulnerabilities.cve=cve-2020-1350 OR Vulnerabilities.mskb=4565536 OR …
| rename Vulnerabilities.dest as Vulnerable_Host Vulnerabilities.cve as CVE Vulnerabilities.mskb as Microsoft_KB
| table Vulnerable_Host, CVE, Microsoft_KB
None of this is novel or challenging:
| tstats <stats-func> from datamodel=DATAMODEL.DATASET where DATASET.FIELDNAME = …
Detecting Exploitation Attempts
Using Splunk Stream and/or Zeek
Exploitation looks like…
“To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”
Still using Check Point Research’s material
https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
Splunk Stream
Wire data collection and analysis tool, supporting over 30 commercial protocols with detection for 300+
Installed on a span/monitoring port off a switch, off a physical tap, or even used to read, parse, and ingest PCAP captured elsewhere
Supports mapping into the Common Information Model (CIM) like all good Apps and TAs do.
Great solution for the vast majority of customers that don’t have a purpose-built packet capture architecture and want to get one started quickly
What is it?
Splunk Stream
source="stream:dns" sourcetype="stream:dns"
Stream leverages JSON for the data structure and ingest
Pros and Cons of JSON in Splunk
• Pros: Very pretty colors, solid automatic field extraction on parent
level elements
• Cons: Can be very nasty to work with for child elements
How do we use it?
Splunk Stream
Fortunately, the detection is relatively straightforward and has a low false positive rate
index=<your_index_here> sourcetype=stream:dns message_type=RESPONSE
| spath "query_type{}"
| search "query_type{}"=SIG OR "query_type{}"=KEY
| spath bytes_out
| search bytes_out>=65258
Caveat: Further testing by Shannon Davis showed that this search may miss exploit attempts on a Windows-based Stream deployment. His platform-agnostic detection was added to ESCU via pull request #607: https://github.com/splunk/security-content/pull/607 and is available to all consumers of ESCU content as of five days ago.
What about for CVE-2020-1350
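The same Stream check expressed in Python, as an added example rather than code from the slides: it applies the slide's three conditions (RESPONSE message, a SIG or KEY record type, bytes_out at or above 65258) to constructed stream:dns JSON events, and it also tolerates query_type arriving as a bare string instead of the array that the SPL's "query_type{}" addresses. The src_ip, dest_ip and transaction_id field names are assumed.

```python
import json

# Thresholds and record types taken from the Stream search on the slide.
SIGRED_RR_TYPES = {"SIG", "KEY"}
MIN_RESPONSE_BYTES = 65258


def _as_list(value):
    """Stream emits query_type as a JSON array (the SPL's "query_type{}");
    tolerate a bare string too so a single-record response is not missed."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_sigred_candidate(event):
    """Mirror the slide's SPL: a RESPONSE message carrying a SIG or KEY
    record type whose response body is at least MIN_RESPONSE_BYTES long."""
    if event.get("message_type") != "RESPONSE":
        return False
    if not SIGRED_RR_TYPES & set(_as_list(event.get("query_type"))):
        return False
    try:
        bytes_out = int(event.get("bytes_out", 0))
    except (TypeError, ValueError):
        return False  # unparseable size: treat as no match rather than crash
    return bytes_out >= MIN_RESPONSE_BYTES


def scan_stream_dns(lines):
    """Run the check over newline-delimited stream:dns JSON events and
    return (src_ip, dest_ip, transaction_id) for each hit (assumed field names)."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a malformed event should not abort the sweep
        if is_sigred_candidate(event):
            hits.append((event.get("src_ip"), event.get("dest_ip"),
                         event.get("transaction_id")))
    return hits


# Constructed sample events (not real captures). Only message_type,
# query_type and bytes_out come from the slide; the rest are assumed names.
SAMPLE_EVENTS = """
{"message_type": "RESPONSE", "query_type": ["A"], "bytes_out": 120, "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "transaction_id": 1}
{"message_type": "RESPONSE", "query_type": ["SIG"], "bytes_out": 65300, "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10", "transaction_id": 2}
{"message_type": "QUERY", "query_type": ["SIG"], "bytes_out": 65300, "src_ip": "192.0.2.10", "dest_ip": "203.0.113.5", "transaction_id": 3}
{"message_type": "RESPONSE", "query_type": "KEY", "bytes_out": "65258", "src_ip": "203.0.113.7", "dest_ip": "192.0.2.10", "transaction_id": 4}
{"message_type": "RESPONSE", "query_type": ["SIG"], "bytes_out": 900, "src_ip": "203.0.113.9", "dest_ip": "192.0.2.10", "transaction_id": 5}
not json at all
"""

if __name__ == "__main__":
    for hit in scan_stream_dns(SAMPLE_EVENTS.splitlines()):
        print("SIGRed candidate response:", hit)
```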
Zeek
Zeek is an IDS-like capability. The Zeek authors succinctly put it:
“Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.”
I unashamedly love Zeek. It’s a solution to a number of problems and does it at scale
I also love all the people who contribute their Zeek packages, like this one from Corelight
https://github.com/corelight/SIGRed
Formerly known as Bro
Time for a HUGE reminder…
Supply Chain Risk Management is
not just for hardware, it’s for
software too.
https://blog.zsec.uk/cve-2020-1350-research/
Even professionals get it wrong
I am not pointing out VULCAN as being alone here, in fact…
I hit up Google for some POC code…
Found ZephrFish’s repo, found the code…
Almost typed ‘git clone’…
And then I opened the src…
Zeek Detection
Let’s use Corelight’s package…
Zeek Detection
Looking further down into the Zeek package, you can see Ben Reardon has assigned one of the two types into the “note” field seen in the Zeek “notice.log”
Let’s use Corelight’s package…
Yes, that’s a recycled screenshot from my CVE-2020-0601 blog post 🤫
Zeek Detection
The SPL here is very simple as Corelight has done the work for us and we’re already ingesting Zeek logs
• Note: There are two Zeek log formats, Tab Separated Value (TSV, default) and JSON. I use JSON.
sourcetype="bro:notice:json" OR sourcetype="bro_notice" category="CVE_2020_1350_*"
Apply your table/stats/chart as you wish.
Corelight’s Package continued…
Zeek Detection
Don’t worry, Shannon has you covered, yet again.
He authored a Zeek-based detection and included it in the same PR as the Stream detection:
| tstats `security_content_summariesonly` count from datamodel=Network_Resolution where DNS.query_type IN (SIG,KEY) by DNS.flow_id
| rename DNS.flow_id as flow_id
| append [| tstats `security_content_summariesonly` count from datamodel=Network_Traffic where All_Traffic.bytes_in>65000 by All_Traffic.flow_id | rename All_Traffic.flow_id as flow_id]
| `detect_windows_dns_sigred_via_zeek_filter`
| stats count by flow_id
| where count>1
| fields - count
But that was boring Drew, that’s literally one line of SPL to look at someone else’s alerts!
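The same cross-log correlation in Python, as an added example that is not from the ESCU pull request or the slides: Zeek stamps dns.log and conn.log rows from one connection with the same uid, which is what the data models expose as flow_id, so a SIG/KEY lookup and a large responder transfer can be joined on it over constructed JSON log lines. The mapping of qtype_name to DNS.query_type and of resp_bytes to All_Traffic.bytes_in is assumed; the example requires a flow to appear in both sets, which is slightly stricter than the SPL's count>1.

```python
import json

SIGRED_QTYPES = {"SIG", "KEY"}
LARGE_FLOW_BYTES = 65000  # same threshold as the ESCU search (bytes_in>65000)


def _iter_json(lines):
    """Yield parsed records from newline-delimited Zeek JSON logs, skipping junk."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def sig_key_flows(dns_lines):
    """Zeek uids of dns.log transactions whose qtype_name is SIG or KEY
    (assumed to be what the TA maps to DNS.query_type)."""
    return {r["uid"] for r in _iter_json(dns_lines)
            if "uid" in r and r.get("qtype_name") in SIGRED_QTYPES}


def large_response_flows(conn_lines):
    """Zeek uids of conn.log rows whose responder sent more than LARGE_FLOW_BYTES.
    Assumption: conn.log resp_bytes is what the TA maps to All_Traffic.bytes_in."""
    flows = set()
    for r in _iter_json(conn_lines):
        try:
            if "uid" in r and int(r.get("resp_bytes") or 0) > LARGE_FLOW_BYTES:
                flows.add(r["uid"])
        except (TypeError, ValueError):
            continue  # unparseable byte count: skip rather than crash
    return flows


def sigred_flows(dns_lines, conn_lines):
    """Flows present in BOTH sets. Stricter than 'stats count by flow_id |
    where count>1', which also fires on a flow that produced two SIG/KEY
    dns.log rows and no large transfer at all."""
    return sorted(sig_key_flows(dns_lines) & large_response_flows(conn_lines))


# Constructed sample logs (not real captures); uids are made up.
SAMPLE_DNS_LOG = """
{"uid": "CflowA1", "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.5", "qtype_name": "A"}
{"uid": "CflowB2", "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.5", "qtype_name": "SIG"}
{"uid": "CflowC3", "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.7", "qtype_name": "SIG"}
{"uid": "CflowC3", "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.7", "qtype_name": "KEY"}
{"uid": "CflowD4", "id.orig_h": "192.0.2.10", "id.resp_h": "203.0.113.9", "qtype_name": "KEY"}
"""

SAMPLE_CONN_LOG = """
{"uid": "CflowA1", "proto": "tcp", "service": "dns", "orig_bytes": 40, "resp_bytes": 90000}
{"uid": "CflowB2", "proto": "tcp", "service": "dns", "orig_bytes": 40, "resp_bytes": 66000}
{"uid": "CflowC3", "proto": "udp", "service": "dns", "orig_bytes": 40, "resp_bytes": 300}
{"uid": "CflowD4", "proto": "tcp", "service": "dns", "orig_bytes": 40, "resp_bytes": "65000"}
"""

if __name__ == "__main__":
    for uid in sigred_flows(SAMPLE_DNS_LOG.splitlines(), SAMPLE_CONN_LOG.splitlines()):
        print("possible SIGRed flow:", uid)
```

CflowA1 has a large transfer but only an A lookup, CflowC3 has two SIG/KEY rows but a small transfer, and CflowD4 sits exactly on the threshold; only CflowB2 satisfies both conditions.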
Q&A
Thank You
Twitter: @drewchurch
Email: drewchurch@splunk.com
