Anyone have a Signal rule to detect CVE-2020-1350 yet?

I'm wondering if packetbeat / auditbeat can be used to detect CVE-2020-1350 - some of the queries are documented at


Based on the findings I've read you could use Packetbeat data, querying for responses to DNS servers in your environment that are over 65280 (0xFF00) bytes (based on the MS mitigation steps), or alternatively using Machine Learning to alert on anomalously large responses to your DNS servers.

Without actually running and tracking the results of the attack (and not really being a good enough programmer to make a useful educated guess) I'm not sure how effective the Auditbeat angle would be, tho the packaged rare processes jobs should be effective, they may need tuning (e.g. to limit to dns servers specifically).

You could also use netflow data, firewall traffic logs, or network sensors to alert on large DNS packets (and if they are all in ECS format 1 rule / ML job could cover them all)

Dain Perkins
SA @ Elastic

@hilt86 PR is up in the detection rules repo: