Unusual File Operation by dns.exe
Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation. This is a new-terms rule: it alerts the first time dns.exe creates, changes, or deletes a given file path on a given host within the 7-day history window, after excluding the zone, backup, and log file extensions the query treats as routine.
# Rule bookkeeping used by Elastic's detection-rules tooling; nothing here is part of the query.
[metadata]
# Dates are kept as "YYYY/MM/DD" strings (the repo's convention), not native TOML dates.
creation_date = "2020/07/16"
# Fleet integrations the rule expects data from; these correspond to the logs-endpoint.* and
# logs-windows.* index patterns listed under [rule].
integration = ["endpoint", "windows"]
maturity = "production"
updated_date = "2025/09/11"
6
[rule]
author = ["Elastic"]
description = """
Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
may indicate activity related to remote code execution or other forms of exploitation.
"""
# Look-back window for each run. Paired with timestamp_override = "event.ingested" below, the
# window is measured on ingest time; presumably sized to absorb ingest lag — confirm against the
# rule's schedule interval so consecutive runs overlap rather than leave gaps.
from = "now-9m"
# File-event sources: Elastic Defend file events, Sysmon via Winlogbeat or the Windows
# integration, and Elastic Endgame. Each must populate process.name, file.extension and
# file.path for the query and the new_terms fields to work.
index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
# KQL (kuery), not EQL: a single-event filter with no sequence or process-tree context.
language = "kuery"
license = "Elastic License v2"
name = "Unusual File Operation by dns.exe"
# Background reading: SIGRed (CVE-2020-1350), the Windows DNS Server remote code execution bug
# this rule was written around; the detection is not specific to that CVE.
references = [
 "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
 "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
 "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
]
risk_score = 47
rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Lateral Movement",
 "Data Source: Elastic Endgame",
 "Use Case: Vulnerability",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon",
]
# Rule execution keys off ingest time rather than @timestamp (see `from` above).
timestamp_override = "event.ingested"
# new_terms: the query below only selects candidate events. An alert is raised only when the
# (file.path, host.id) combination configured under [rule.new_terms] has not been seen within the
# trailing history window, so repeated writes to the same path on the same host do not re-alert
# until the term ages out of the window.
type = "new_terms"

# Candidate selection:
# - file events on Windows hosts, of type creation/deletion/change, where the acting process is dns.exe;
# - the excluded extensions are presumably the DNS service's own housekeeping (zone files, backups,
#   logs) — verify against a baseline before widening or narrowing the list.
# Caveats for triage and tuning:
# - process.name is a basename match: it does not verify the image path, so an unrelated binary
#   renamed to dns.exe also matches. Check process.executable during triage (it should be the
#   service binary under the Windows system directory — confirm) rather than trusting the name.
# - The exclusion is by extension only. A payload written with an excluded extension (e.g. ".log")
#   and later renamed or loaded is not selected here. Files with no extension are still selected,
#   since the negated clause passes when file.extension is absent.
# The value is a KQL string, so comments cannot be placed inside it.
query = '''
event.category : "file" and host.os.type : "windows" and
 event.type : ("creation" or "deletion" or "change") and process.name : "dns.exe" and
 not file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log")
'''
44
45
# MITRE ATT&CK mapping. Only one technique/tactic pair is declared; the "Tactic: Lateral Movement"
# tag in [rule] mirrors the tactic below and should be kept in sync with it.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
58
59
# Parameters for the new_terms rule type (see type = "new_terms" in [rule]).
[rule.new_terms]
field = "new_terms_fields"
# The tracked term is the combination of these fields: a given file path on a given host. Because
# file.path is the full path, any freshly named file dropped by dns.exe counts as new, which is
# what makes the rule useful against attacker-chosen paths. Paths are compared as stored strings,
# so presumably two case variants of the same Windows path count as distinct terms — confirm.
value = ["file.path", "host.id"]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
# Baseline period: a combination already seen in the last 7 days is not new. A host with fewer
# than 7 days of ingested file events (newly onboarded, or after a collection gap) has an
# incomplete baseline, so expect initial noise there rather than tuning the rule out for it.
value = "now-7d"