Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Sigma rule (View on GitHub)

 1title: Unusual File Modification by dns.exe
 2id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
 3related:
 4    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
 5      type: similar
 6status: test
 7description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 8references:
 9    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
10author: Tim Rauch (Nextron Systems), Elastic (idea)
11date: 2022/09/27
12tags:
13    - attack.initial_access
14    - attack.t1133
15logsource:
16    category: file_change
17    product: windows
18detection:
19    selection:
20        Image|endswith: '\dns.exe'
21    filter:
22        TargetFilename|endswith: '\dns.log'
23    condition: selection and not filter
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top