DNS RCE CVE-2020-1350
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by flagging suspicious child processes spawned by the Windows DNS service (dns.exe).
Sigma rule
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: test
description: Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub-processes
references:
  - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
  - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth (Nextron Systems)
date: 2020-07-15
modified: 2022-07-12
tags:
  - attack.initial-access
  - attack.t1190
  - attack.execution
  - attack.t1569.002
  - cve.2020-1350
  - detection.emerging-threats
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\System32\dns.exe'
  filter:
    Image|endswith:
      - '\System32\werfault.exe'
      - '\System32\conhost.exe'
      - '\System32\dnscmd.exe'
      - '\System32\dns.exe'
  condition: selection and not filter
falsepositives:
  - Unknown but benign sub-processes of the Windows DNS service dns.exe
level: critical
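To show what the rule's `selection and not filter` condition actually does on process-creation telemetry, here is an added Python re-implementation of its matching logic (not part of the Sigma rule or the Sigma project's own code) run over constructed Sysmon Event ID 1 style events; Sigma string matching is case-insensitive, which is why a `DNS.EXE` parent still selects.

```python
from typing import Dict, List

# Field values copied from the Sigma rule above.
SELECTION_PARENT_SUFFIX = r"\System32\dns.exe"
FILTER_IMAGE_SUFFIXES = (
    r"\System32\werfault.exe",
    r"\System32\conhost.exe",
    r"\System32\dnscmd.exe",
    r"\System32\dns.exe",
)


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not filter' for one process_creation event."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    selection = _endswith_ci(parent, SELECTION_PARENT_SUFFIX)
    filtered = any(_endswith_ci(image, s) for s in FILTER_IMAGE_SUFFIXES)
    return selection and not filtered


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events the rule would alert on, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry), Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\dns.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\dns.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WerFault.exe", "ParentImage": r"C:\Windows\System32\DNS.EXE"},
]

if __name__ == "__main__":
    # Only the cmd.exe child of dns.exe is reported; the rest are filtered or unselected.
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT DNS RCE CVE-2020-1350:", hit["ParentImage"], "->", hit["Image"])
```

Because the filter is an allow-list of expected children, any new benign child of dns.exe on your estate will alert; extend the filter list rather than loosening the selection.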
Related rules
- Potential CVE-2022-26809 Exploitation Attempt
- Exploited CVE-2020-10189 Zoho ManageEngine
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs