SIGRed - Monitoring and Detecting with Splunk


Published on August 26, 2020

Author: AnthonyReinke



1. © 2020 SPLUNK INC.
CVE-2020-1350 / SIGRed
Detection, Tips & Tricks, Bad Jokes
Drew Church, Sr. Cybersecurity Advisor
2020-08-13

2. Agenda
• Introductions
• Overview of CVE-2020-1350/SIGRed
• Vulnerability Data
• Detecting Exploitation Attempts
• Q&A

3. Forward-Looking Statements
During the course of this presentation, we may make forward-looking statements regarding future events or plans of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results may differ materially. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, it may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements made herein. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only, and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionalities described or to include any such feature or functionality in a future release. Splunk, Splunk>, Turn Data Into Doing, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2020 Splunk Inc. All rights reserved.

4. #whoami
Drew Church
Splunker since August 2019
~10 years working for/with DoD
• CyberOps Mgr, RMF SCA/Validator
• FLTCYBERCOM Action Officer
• Vuln. Mgmt, System Admin, AppDev
US Navy Reservist, 1825, ENS (O-1)

5. What is CVE-2020-1350?

6. “SIGRed (CVE-2020-1350) is a wormable, critical vulnerability … in the Windows DNS server that affects Windows Server versions 2003 to 2019, and can be triggered by a malicious DNS response. As the service is running in elevated privileges (SYSTEM), if exploited successfully, an attacker is granted Domain Administrator rights, effectively compromising the entire corporate infrastructure.” - Sagi Tzadik, Check Point Research

7. CVE-2020-1350, AKA SIGRed
Bad, real bad. Why?
• Quantitative: CVSS 10.0
• Qualitative: affects Domain Name Servers (DNS)… on Windows
So why does Windows matter here?
• Every single Active Directory forest is running DNS.
• This is a remotely exploitable, non-authenticated exploit against a piece of software running on almost every Domain Controller (DC) in the world
Side note: I hate, but appreciate, vuln branding

8. Proof
Right there on Microsoft’s website

9. (More) Proof
Still right there on Microsoft’s website
dns-infrastructure

10. Almost every DC?
Yes, almost. Someone took Brad seriously.
hardware/dismissing-the-myth-that-active-directory-requires-microsoft-dns

11. Digging into Vulnerability Data
My favorite subject!

12. Vulnerability Data in Splunk
Vulnerability data comes in from a number of different sources, for example:
• Tenable Nessus (for the DoD folks, this is ACAS)
• Qualys VM
There’s even a Data Model for it with a catchy name: “Vulnerabilities”
• Two key fields used in the SPL:
  – Vulnerabilities.cve
  – Vulnerabilities.mskb
This is probably one of the most low-volume, high-value & boring data sources out there

13. Vulnerability checking SPL
None of this is novel or challenging; the general shape is:

| tstats <stats-func> from datamodel=DATAMODEL.DATASET where DATASET.FIELDNAME = …

For SIGRed:

| tstats count from datamodel=Vulnerabilities.Vulnerabilities where Vulnerabilities.cve=* Vulnerabilities.mskb=* by Vulnerabilities.cve Vulnerabilities.mskb Vulnerabilities.dest
| search Vulnerabilities.cve=cve-2020-1350 OR Vulnerabilities.mskb=4565536 OR …
| rename Vulnerabilities.dest as Vulnerable_Host Vulnerabilities.cve as CVE Vulnerabilities.mskb as Microsoft_KB
| table Vulnerable_Host, CVE, Microsoft_KB
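As an added example (not from the slides and not Splunk's own code), the following Python re-implements the logic of that SPL over a handful of constructed scanner findings. It makes explicit two things the SPL does implicitly: Splunk's case-insensitive match on `cve-2020-1350` becomes an explicit upper-casing, and scanners that emit the KB as `KB4565536` rather than `4565536` are normalized to digits. The host names, the placeholder non-SIGRed finding and the helper names are assumptions for the example; the CVE and KB identifiers are the ones in the slide's SPL.

```python
import re

# Identifiers taken from the slide's SPL. The slide elides further KBs
# ("OR ..."); extend these sets with your own list.
SIGRED_CVES = {"CVE-2020-1350"}
SIGRED_KBS = {"4565536"}


def normalize_cve(value):
    """Splunk's search is case-insensitive; make that explicit here."""
    return value.strip().upper()


def normalize_kb(value):
    """Scanners emit 'KB4565536', 'kb4565536' or '4565536'; keep the digits."""
    return re.sub(r"\D", "", value)


# Constructed findings as they might land in the Vulnerabilities data model.
# Hosts and values are made up for this example; "CVE-0000-0000"/"0000000" is
# a placeholder for some unrelated, non-SIGRed finding.
SAMPLE_FINDINGS = [
    {"dest": "dc01.corp.example", "cve": "cve-2020-1350", "mskb": "KB4565536"},
    {"dest": "dc02.corp.example", "cve": "CVE-2020-1350", "mskb": "4565536"},
    {"dest": "web01.corp.example", "cve": "CVE-0000-0000", "mskb": "0000000"},
    {"dest": "dc03.corp.example", "cve": "CVE-2020-1350", "mskb": ""},  # no KB mapping
    {"dest": "dc01.corp.example", "cve": "cve-2020-1350", "mskb": "KB4565536"},  # duplicate hit
]


def vulnerable_hosts(findings):
    """Mirror of the slide's SPL.

    The tstats `where Vulnerabilities.cve=* Vulnerabilities.mskb=*` clause
    requires BOTH fields to be present, so a finding with no KB mapping is
    dropped before the CVE/KB match is ever applied. The `by` clause plus
    `table` yields distinct (Vulnerable_Host, CVE, Microsoft_KB) rows.
    """
    rows = set()
    for f in findings:
        cve, kb = f.get("cve", ""), f.get("mskb", "")
        if not cve or not kb:
            continue  # excluded by the where clause
        cve_n, kb_n = normalize_cve(cve), normalize_kb(kb)
        if cve_n in SIGRED_CVES or kb_n in SIGRED_KBS:
            rows.add((f["dest"], cve_n, kb_n))
    return sorted(rows)


if __name__ == "__main__":
    for host, cve, kb in vulnerable_hosts(SAMPLE_FINDINGS):
        print(f"{host}\t{cve}\tKB{kb}")
```

Note that `dc03.corp.example` never appears in the output even though its CVE matches: the `where` clause's requirement that both `cve` and `mskb` be populated silently drops it, which is worth remembering when a scanner plugin does not carry a KB mapping.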

14. Detecting Exploitation Attempts
Using Splunk Stream and/or Zeek

15. Exploitation looks like…
“To summarize, by sending a DNS response that contains a large (bigger than 64KB) SIG record, we can cause a controlled heap-based buffer overflow of roughly 64KB over a small allocated buffer.”
Still using Check Point Research’s material
17-year-old-bug-in-windows-dns-servers/

16. Splunk Stream: What is it?
Wire data collection and analysis tool, supporting over 30 commercial protocols with detection for 300+
Installed on a span/monitoring port off a switch, off a physical tap, or even used to read, parse, and ingest PCAP captured elsewhere
Supports mapping into the Common Information Model (CIM) like all good Apps and TAs do.
Great solution for a vast majority of customers that don’t have a purpose-built packet capture architecture and want to get one started quickly

17. Splunk Stream: How do we use it?
source = “stream:dns”
sourcetype = “stream:dns”
Stream leverages JSON for the data structure and ingest
Pros and Cons of JSON in Splunk
• Pros: Very pretty colors, solid automatic field extraction on parent-level elements
• Cons: Can be very nasty to work with for child elements

18. Splunk Stream: What about for CVE-2020-1350?
Fortunately, the detection is relatively straightforward and has a low false positive rate:

index=<your_index_here> sourcetype=stream:dns message_type=RESPONSE
| spath "query_type{}"
| search "query_type{}"=SIG OR "query_type{}"=KEY
| spath bytes_out
| search bytes_out>=65258

Caveat: Further testing by Shannon Davis showed that we may miss exploit attempts on a Windows-based Stream deployment. His platform-agnostic detection was added to ESCU via pull request #607 and is available to all consumers of ESCU content as of five days ago.
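To make the three filters of that search concrete, here is an added example (not from the slides, not Splunk's or ESCU's code) that applies the same logic in Python to a few constructed `stream:dns` JSON events. The sample events, IP addresses and function names are assumptions; the field names (`message_type`, `query_type` as a JSON array, which is what `query_type{}` addresses in SPL, and `bytes_out`) and the 65258-byte threshold are those used on the slide. One design choice of the example goes beyond the SPL: a RESPONSE carrying a SIG or KEY record but no `bytes_out` field is reported as "unscored" instead of being dropped by the size test, so an analyst can see where the detection could not be applied.

```python
import json

# Threshold and record types from the slide's SPL search.
SIGRED_MIN_BYTES_OUT = 65258
RISKY_QUERY_TYPES = {"SIG", "KEY"}

# Constructed sample Stream DNS events, one JSON object per line. These are
# made up for the example (documentation-range IPs), not real capture data.
SAMPLE_STREAM_DNS = "\n".join(json.dumps(e) for e in [
    {"message_type": "RESPONSE", "query_type": ["SIG"], "bytes_out": 65300,
     "src_ip": "203.0.113.5", "dest_ip": "192.0.2.10"},
    {"message_type": "RESPONSE", "query_type": ["A"], "bytes_out": 120,
     "src_ip": "192.0.2.20", "dest_ip": "192.0.2.10"},
    {"message_type": "QUERY", "query_type": ["SIG"], "bytes_out": 60,
     "src_ip": "192.0.2.10", "dest_ip": "203.0.113.5"},
    {"message_type": "RESPONSE", "query_type": ["KEY"], "bytes_out": 400,
     "src_ip": "198.51.100.7", "dest_ip": "192.0.2.10"},
    {"message_type": "RESPONSE", "query_type": ["KEY"],
     "src_ip": "198.51.100.9", "dest_ip": "192.0.2.10"},  # no bytes_out field
])


def parse_events(text):
    """Parse JSON-lines Stream output into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return 'hit', 'unscored' or 'benign' for one stream:dns event.

    Mirrors the SPL: message_type=RESPONSE, then query_type SIG or KEY, then
    bytes_out >= 65258. Events passing the first two filters but lacking
    bytes_out are labelled 'unscored' (this example's choice; the SPL's
    `search bytes_out>=65258` would simply not match them).
    """
    if event.get("message_type") != "RESPONSE":
        return "benign"
    qtypes = event.get("query_type") or []
    if isinstance(qtypes, str):  # tolerate a scalar instead of an array
        qtypes = [qtypes]
    if not RISKY_QUERY_TYPES.intersection(q.upper() for q in qtypes):
        return "benign"
    size = event.get("bytes_out")
    if size is None:
        return "unscored"
    return "hit" if int(size) >= SIGRED_MIN_BYTES_OUT else "benign"


def triage(text):
    """Bucket every event in a JSON-lines blob by classify()."""
    buckets = {"hit": [], "unscored": [], "benign": []}
    for event in parse_events(text):
        buckets[classify(event)].append(event)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_STREAM_DNS)
    for e in result["hit"]:
        print(f"SIGRed candidate: {e['src_ip']} -> {e['dest_ip']} "
              f"({e['bytes_out']} bytes, {e['query_type']})")
    for e in result["unscored"]:
        print(f"Could not size-check response from {e['src_ip']}")
```

The "unscored" bucket is the useful part for tuning: if it fills up on a given sensor, the size test is not being applied there, which is the kind of blind spot the slide's caveat about Windows-based Stream deployments warns about.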

19. Zeek (formerly known as Bro)
Zeek is an IDS-like capability. The Zeek authors succinctly put it:
“Zeek sits on a “sensor,” a hardware, software, virtual, or cloud platform that quietly and unobtrusively observes network traffic. Zeek interprets what it sees and creates compact, high-fidelity transaction logs, file content, and fully customized output, suitable for manual review on disk or in a more analyst-friendly tool like a security and information event management (SIEM) system.”
I unashamedly love Zeek. It’s a solution to a number of problems and does it at scale.
I also love all the people who contribute their Zeek packages, like this one from Corelight

20. Time for a HUGE reminder…

21. Supply Chain Risk Management is not just for hardware, it’s for software too.

22. (image-only slide)

23. Even professionals get it wrong
I am not pointing out VULCAN as being alone here, in fact…
I hit up Google for some POC code…
Found ZephrFish’s repo, found the code…
Almost typed ‘git clone’…
And then I opened the src…

24. (image-only slide)

25. (image-only slide)

26. Zeek Detection
Let’s use Corelight’s package…

27. Zeek Detection
Let’s use Corelight’s package…
Looking further down into the Zeek package, you can see Ben Reardon has assigned one of the two types into the “note” field seen in the Zeek “notice.log”.
Yes, that’s a recycled screenshot from my CVE-2020-0601 blog post
