Detect Windows DNS Sigred Via Splunk Stream
This search detects SIGRed via Splunk Stream.
Detect Windows DNS Sigred Via Splunk Stream Help
You must be ingesting Splunk Stream DNS and Splunk Stream TCP data. The search detects SIG and KEY records in stream:dns and TCP payloads over 65KB in size in stream:tcp; the two indicators are strongest when they appear together on the same client-to-server flow. Replace the macro definitions ('stream:dns' and 'stream:tcp') with the configurations for your Splunk environment.
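The two indicators described above, as an added example in Python rather than the page's or Splunk's own search: it runs over constructed stream:dns-style and stream:tcp-style JSON events and correlates them by source/destination pair. The field names query_type, transport, src_ip, dest_ip and bytes_in, and the reading of "65KB" as 65 * 1024 bytes, are assumptions, not Splunk Stream's documented schema.

```python
import json

# Threshold from the help text ("over 65KB"); interpreting KB as 1024 bytes is an assumption.
LARGE_PAYLOAD_BYTES = 65 * 1024
SUSPICIOUS_RR_TYPES = {"SIG", "KEY"}

# Constructed sample events loosely modelled on Splunk Stream JSON output.
# Field names are assumptions for this example, not Splunk's schema.
SAMPLE_DNS_EVENTS = [
    '{"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","transport":"tcp","query_type":["SIG"]}',
    '{"src_ip":"10.0.0.7","dest_ip":"10.0.0.53","transport":"udp","query_type":["A"]}',
    '{"src_ip":"10.0.0.9","dest_ip":"10.0.0.53","transport":"tcp","query_type":["KEY"]}',
]
SAMPLE_TCP_EVENTS = [
    '{"src_ip":"10.0.0.5","dest_ip":"10.0.0.53","bytes_in":70000}',
    '{"src_ip":"10.0.0.9","dest_ip":"10.0.0.53","bytes_in":1200}',
    '{"src_ip":"10.0.0.7","dest_ip":"10.0.0.53","bytes_in":90000}',
]


def sig_key_over_tcp(dns_events):
    """Return (src_ip, dest_ip) pairs that sent SIG or KEY queries over TCP."""
    hits = set()
    for raw in dns_events:
        ev = json.loads(raw)
        rr_types = set(ev.get("query_type", []))
        if ev.get("transport") == "tcp" and rr_types & SUSPICIOUS_RR_TYPES:
            hits.add((ev["src_ip"], ev["dest_ip"]))
    return hits


def oversized_tcp(tcp_events, threshold=LARGE_PAYLOAD_BYTES):
    """Return (src_ip, dest_ip) pairs whose TCP payload exceeded the threshold."""
    hits = set()
    for raw in tcp_events:
        ev = json.loads(raw)
        if ev.get("bytes_in", 0) > threshold:
            hits.add((ev["src_ip"], ev["dest_ip"]))
    return hits


def detect_sigred(dns_events, tcp_events):
    """Correlate both indicators: pairs matching both are the highest-confidence
    hits; single-indicator pairs are reported separately for analyst triage."""
    dns_hits = sig_key_over_tcp(dns_events)
    tcp_hits = oversized_tcp(tcp_events)
    return {
        "both": sorted(dns_hits & tcp_hits),
        "dns_only": sorted(dns_hits - tcp_hits),
        "tcp_only": sorted(tcp_hits - dns_hits),
    }
```

In a real deployment the correlation key would be the flow identifier Splunk Stream assigns rather than the address pair, and the SIG/KEY and size checks map onto the stream:dns and stream:tcp sourcetypes named in the help text.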