Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Sigma rule
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
  - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
    type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
  - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
  - attack.persistence
  - attack.initial-access
  - attack.t1133
logsource:
  category: file_delete
  product: windows
detection:
  selection:
    Image|endswith: '\dns.exe'
  filter:
    TargetFilename|endswith: '\dns.log'
  condition: selection and not filter
falsepositives:
  - Unknown
level: high
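To show what the rule's condition actually matches, here is an added example (not part of the Sigma project or this rule's source) that evaluates the same logic over a handful of constructed Windows file_delete events. It assumes the field names Image and TargetFilename as emitted by Sysmon Event ID 23 (FileDelete), which is the usual backend mapping for the file_delete category, and it applies Sigma's default case-insensitive matching for the endswith modifier.

```python
# Added example: evaluates "selection and not filter" from the rule above over
# constructed file_delete events. Field names (Image, TargetFilename) are assumed to
# follow the Sysmon Event ID 23 schema; they are not taken from the rule page itself.

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Expected noise: dns.exe rotating its own log -> excluded by the filter.
    {"EventID": 23, "Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"C:\Windows\System32\dns\dns.log"},
    # dns.exe deleting something other than dns.log -> should alert.
    {"EventID": 23, "Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"C:\Windows\Temp\unexpected.tmp"},
    # Mixed-case image path still matches because Sigma matching is case-insensitive.
    {"EventID": 23, "Image": r"C:\Windows\System32\DNS.EXE",
     "TargetFilename": r"C:\Users\Public\dropped.bin"},
    # Different process -> not in selection.
    {"EventID": 23, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\cleanup.txt"},
    # Upper-case log name is still excluded by the filter (case-insensitive).
    {"EventID": 23, "Image": r"C:\Windows\System32\dns.exe",
     "TargetFilename": r"C:\Windows\System32\dns\DNS.LOG"},
]


def _endswith_ci(value, suffix):
    """Sigma's endswith modifier compares case-insensitively by default."""
    return value is not None and value.lower().endswith(suffix.lower())


def matches_rule(event):
    """Return True when the event satisfies: selection and not filter."""
    selection = _endswith_ci(event.get("Image"), r"\dns.exe")
    filt = _endswith_ci(event.get("TargetFilename"), r"\dns.log")
    return selection and not filt


def find_alerts(events):
    """Return the TargetFilename of every event that would raise this rule."""
    return [e["TargetFilename"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print("ALERT: dns.exe deleted", name)
```

Running the script prints two alerts (the .tmp and .bin deletions); the two dns.log deletions and the svchost.exe event are suppressed. When tuning the rule, any additional legitimate deletion target would be added to the filter selection rather than by loosening the Image match.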
Related rules
- External Remote RDP Logon from Public IP
- External Remote SMB Logon from Public IP
- Failed Logon From Public IP
- OpenCanary - SSH Login Attempt
- OpenCanary - SSH New Connection Attempt