Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed). Note that the filter only excludes a file literally named dns.log: if the DNS debug log has been relocated or renamed (for example with Set-DnsServerDiagnostics -LogFilePath), or if the DNS Server service writes file-backed zone data under %SystemRoot%\System32\dns, the rule will fire and needs environment-specific tuning.
Sigma rule
```yaml
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
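The following is an added example, not code from the SigmaHQ repository or the rule's author. It implements a minimal evaluator for the rule's detection block (the `|endswith`, `|startswith`, `|contains` modifiers and the `selection and not filter` condition) and runs it over constructed file-change events. The events use Sysmon-style field names (`Image`, `TargetFilename`), which is what the `file_change` log source is assumed to map to; the paths, including the relocated debug log in the last event, are made up for illustration and are not captured logs.

```python
"""Evaluate the 'Unusual File Modification by dns.exe' detection logic over sample events.

Added example: a generic Sigma-style matcher of which this rule is one instance.
The events below are constructed, not real telemetry.
"""
import fnmatch
import re

# The rule's detection block, transcribed from the YAML above.
RULE_DETECTION = {
    "selection": {"Image|endswith": "\\dns.exe"},
    "filter": {"TargetFilename|endswith": "\\dns.log"},
    "condition": "selection and not filter",
}


def _match_field(spec: str, expected, event: dict) -> bool:
    """Evaluate one 'Field|modifier: value' entry. Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    values = expected if isinstance(expected, list) else [expected]
    a = str(actual).lower()
    for v in values:
        v = str(v).lower()
        if modifier == "endswith" and a.endswith(v):
            return True
        if modifier == "startswith" and a.startswith(v):
            return True
        if modifier == "contains" and v in a:
            return True
        if modifier == "" and fnmatch.fnmatchcase(a, v):  # plain values allow * and ? wildcards
            return True
    return False


def _match_search(search: dict, event: dict) -> bool:
    """A search identifier given as a map matches when every entry matches (logical AND)."""
    return all(_match_field(k, v, event) for k, v in search.items())


def matches(detection: dict, event: dict) -> bool:
    """Evaluate the rule's condition over the named search identifiers for one event."""
    names = {k: _match_search(v, event) for k, v in detection.items() if k != "condition"}
    cond = detection["condition"]
    # Only identifiers, and/or/not and parentheses are accepted, so eval() sees no calls or attributes.
    if not re.fullmatch(r"[\w\s()]+", cond):
        raise ValueError(f"unsupported condition syntax: {cond!r}")
    return bool(eval(cond, {"__builtins__": {}}, names))


# Constructed sample events (Sysmon-style field names). These are not real logs.
EVENTS = [
    # Benign: the DNS debug log written to its default location; excluded by the filter.
    {"Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"C:\Windows\System32\dns\dns.log"},
    # Suspicious: dns.exe writing a DLL outside its own data directory.
    {"Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"C:\Windows\Temp\updater.dll"},
    # Unrelated process touching dns.log; selection does not match.
    {"Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\System32\dns\dns.log"},
    # Caveat: a debug log relocated via Set-DnsServerDiagnostics -LogFilePath (hypothetical path)
    # is not excluded by the filter and therefore fires the rule.
    {"Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"D:\logs\dnsdebug.txt"},
]


def evaluate(events=EVENTS) -> list:
    """Return one boolean per event: True where the rule would alert."""
    return [matches(RULE_DETECTION, e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", event["TargetFilename"])
    # -> [False, True, False, True]
```

The last event is the tuning point a practitioner should watch: the rule's filter is a fixed file name, not a path, so any legitimate dns.exe write that does not end in `\dns.log` becomes an alert. Extend the filter per environment rather than lowering the level.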
Related rules
- Remote Access Tool - ScreenConnect Installation Execution
- Remote Access Tool - Team Viewer Session Started On Linux Host
- Remote Access Tool - Team Viewer Session Started On MacOS Host
- Remote Access Tool - Team Viewer Session Started On Windows Host
- Running Chrome VPN Extensions via the Registry 2 VPN Extension