DNS RCE CVE-2020-1350
Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
Sigma rule (View on GitHub)
1title: DNS RCE CVE-2020-1350
2id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
3status: test
4description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
5references:
6 - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
7 - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
8author: Florian Roth (Nextron Systems)
9date: 2020/07/15
10modified: 2022/07/12
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - attack.execution
15 - attack.t1569.002
16 - cve.2020.1350
17 - detection.emerging_threats
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 selection:
23 ParentImage|endswith: '\System32\dns.exe'
24 filter:
25 Image|endswith:
26 - '\System32\werfault.exe'
27 - '\System32\conhost.exe'
28 - '\System32\dnscmd.exe'
29 - '\System32\dns.exe'
30 condition: selection and not filter
31falsepositives:
32 - Unknown but benign sub processes of the Windows DNS service dns.exe
33level: critical
References
-
Research by: Sagi Tzadik Introduction DNS, which is often described as the “phonebook of the internet”, is a network protocol for translating human-friendly computer hostnames into IP addresses. Because it is such a core component of the internet, there are many solutions and implementations of DNS servers out there, but only a few are extensively […]
Read More
Related rules
- Exploited CVE-2020-10189 Zoho ManageEngine
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt