Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Sigma rule (View on GitHub)

 1title: Unusual File Deletion by Dns.exe
 2id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
 3related:
 4    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
 5      type: similar
 6status: test
 7description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 8references:
 9    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns.exe.html
10author: Tim Rauch (Nextron Systems), Elastic (idea)
11date: 2022/09/27
12modified: 2023/02/15
13tags:
14    - attack.initial_access
15    - attack.t1133
16logsource:
17    category: file_delete
18    product: windows
19detection:
20    selection:
21        Image|endswith: '\dns.exe'
22    filter:
23        TargetFilename|endswith: '\dns.log'
24    condition: selection and not filter
25falsepositives:
26    - Unknown
27level: high

References

Related rules

to-top