Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Sigma rule

title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
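The following is an added example, not part of the Sigma project or of this rule: it evaluates the rule's `selection and not filter` logic in plain Python over a handful of constructed Windows file_delete events (Sysmon Event ID 23 style fields `Image` and `TargetFilename`), so you can see which records would alert and which the `\dns.log` filter suppresses. The sample events, paths and the `matches_rule`/`find_alerts` helpers are assumptions made for this illustration.

```python
# Added example (not the Sigma project's code): applies the rule's
# selection/filter/condition to constructed file_delete events.

# Suffixes taken directly from the rule above.
SELECTION_IMAGE_SUFFIX = "\\dns.exe"
FILTER_TARGET_SUFFIX = "\\dns.log"


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`.

    Sigma string matching is case-insensitive by default, so both
    suffix checks are performed on lower-cased values.
    """
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    selection = image.endswith(SELECTION_IMAGE_SUFFIX)
    filtered = target.endswith(FILTER_TARGET_SUFFIX)
    return selection and not filtered


# Constructed sample events (illustrative paths, not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 23, "Image": "C:\\Windows\\System32\\dns.exe",
     "TargetFilename": "C:\\Windows\\System32\\dns\\dns.log"},   # log rotation: filtered out
    {"EventID": 23, "Image": "C:\\Windows\\System32\\dns.exe",
     "TargetFilename": "C:\\Windows\\Temp\\dropped.tmp"},         # unexpected deletion: alert
    {"EventID": 23, "Image": "C:\\Windows\\System32\\DNS.EXE",
     "TargetFilename": "C:\\Users\\Public\\stage.dll"},           # case variation still alerts
    {"EventID": 23, "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\old.txt"},              # different process: no match
]


def find_alerts(events):
    """Return the subset of events that the rule would flag."""
    return [e for e in events if matches_rule(e)]


if __name__ == "__main__":
    for e in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT (level: high): {e['Image']} deleted {e['TargetFilename']}")
```

Running the script prints two alerts: the deletions of `dropped.tmp` and `stage.dll`. The `dns.log` deletion is suppressed by the filter, and the `explorer.exe` event never enters the selection. When tuning this rule in a real environment, additional known-benign paths that dns.exe removes during normal operation would be added to the `filter` block rather than to the selection.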
