Elastic is releasing a threat hunting package designed to aid defenders with proactive detection queries to identify actor-agnostic intrusions.

Why Threat Hunting?

What We Are Providing

Hunting Package

Benefits of these Hunt Queries

Details of Each Hunting Analytic

Hunting Query Creation Example:

How We Plan to Expand

Get Involved

Conclusion

Elevate Your Threat Hunting with Elastic

The SIGRed vulnerability impacts all systems leveraging the Windows DNS server service (Windows 2003+). To defend your environment, we recommend implementing the detection logic included in this blog post using technology like Elastic Security.

Executive summary

Summary

Timeline of events

Impact

Tactics

Techniques

Detection

Detection logic

Unusual child of dns.exe - Kibana Query Language (KQL)

Unusual file operations of dns.exe (KQL)

Network (Packetbeat and Filebeat with the Zeek or Suricata modules)

Defensive recommendations

References

Detection rules for SIGRed vulnerability

Author

Justin Ibarra

Articles

Elevate Your Threat Hunting with Elastic

Detection rules for SIGRed vulnerability