Unusual File Modification by dns.exe

calendar Mar 26, 2025 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Lateral Movement Data Source: Elastic Endgame Use Case: Vulnerability Data Source: Elastic Defend Data Source: Sysmon Resources: Investigation Guide  ·
Share on: linkedin copy

Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which may indicate activity related to remote code execution or other forms of exploitation.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/07/16"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2025/03/20"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies an unexpected file being modified by dns.exe, the process responsible for Windows DNS Server services, which
11may indicate activity related to remote code execution or other forms of exploitation.
12"""
13from = "now-9m"
14index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Unusual File Modification by dns.exe"
18note = """## Triage and analysis
19
20### Investigating Unusual File Modification by dns.exe
21Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (`dns.exe`) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:
22- Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
23- Any suspicious or abnormal files written from `dns.exe` should be reviewed and investigated with care.
24"""
25references = [
26    "https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/",
27    "https://msrc-blog.microsoft.com/2020/07/14/july-2020-security-update-cve-2020-1350-vulnerability-in-windows-domain-name-system-dns-server/",
28    "https://www.elastic.co/security-labs/detection-rules-for-sigred-vulnerability",
29]
30risk_score = 73
31rule_id = "c7ce36c0-32ff-4f9a-bfc2-dcb242bf99f9"
32severity = "high"
33tags = [
34    "Domain: Endpoint",
35    "OS: Windows",
36    "Use Case: Threat Detection",
37    "Tactic: Lateral Movement",
38    "Data Source: Elastic Endgame",
39    "Use Case: Vulnerability",
40    "Data Source: Elastic Defend",
41    "Data Source: Sysmon",
42    "Resources: Investigation Guide",
43]
44timestamp_override = "event.ingested"
45type = "eql"
46
47query = '''
48file where host.os.type == "windows" and process.name : "dns.exe" and event.type in ("creation", "deletion", "change") and
49  not file.name : "dns.log" and not
50  (file.extension : ("old", "temp", "bak", "dns", "arpa") and file.path : "C:\\Windows\\System32\\dns\\*") and
51
52  /* DNS logs with custom names, header converts to "DNS Server log" */
53  not ?file.Ext.header_bytes : "444e5320536572766572206c6f67*"
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1210"
61name = "Exploitation of Remote Services"
62reference = "https://attack.mitre.org/techniques/T1210/"
63
64
65[rule.threat.tactic]
66id = "TA0008"
67name = "Lateral Movement"
68reference = "https://attack.mitre.org/tactics/TA0008/"
...
toml

Detection alerts from this rule indicate potential unusual/abnormal file writes from the DNS Server service process (dns.exe) after exploitation from CVE-2020-1350 (SigRed) has occurred. Here are some possible avenues of investigation:

  • Post-exploitation, adversaries may write additional files or payloads to the system as additional discovery/exploitation/persistence mechanisms.
  • Any suspicious or abnormal files written from dns.exe should be reviewed and investigated with care.

References

Related rules

to-top