Detect Windows DNS SIGRed via Splunk Stream

Splunk Security Content

Summary
This detection rule identifies attempts to exploit the SIGRed vulnerability (CVE-2020-1350) in Windows DNS servers using Splunk Stream data. It examines Splunk Stream's DNS and TCP records for anomalies, specifically DNS SIG and KEY records combined with TCP payloads larger than 65KB. SIGRed is a critical, wormable vulnerability that can be exploited for remote code execution, potentially allowing attackers to gain unauthorized system access, run arbitrary code, and disrupt services. Given its severity, detecting these anomalies early is essential to prevent data breaches and infrastructure compromise. The rule requires ingestion of the relevant Splunk Stream DNS and TCP data and uses a combination of search commands to track the network activity associated with this CVE, providing monitoring and alerting on potential exploitation attempts.
Categories
  • Network
  • Endpoint
Data Sources
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1203
Created: 2024-11-15