ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response - Suricata Rule 10005977 (ptrules/open)

ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response

SID: 10005977Rev: 231 viewsHistory

Sourceptrules/open

CreatedJuly 24, 2025

UpdatedJuly 24, 2025

Classificationattempted-admin

alert tcp any 53 -> any any (msg:"ATTACK [PTsecurity] Windows Server DNS RCE aka SIGRed (CVE-2020-1350) - Query response"; flow:established, from_server; content:"|FF|"; depth:1; content:"|00 00 18 00 01 C0|"; within:100; content:"|00 18 00 01|"; distance:1; within:4; content:"|FF|"; distance:4; within:1; reference:url, research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers; reference:cve, 2020-1350; reference:url, rules.ptsecurity.com; classtype:attempted-admin; sid:10005977; rev:2;)

References

url	research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers
cve	2020-1350
url	rules.ptsecurity.com

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!