Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Sigma rule
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
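To show what the detection block above actually matches, here is an added example (not code from the Sigma project or the rule's author) that evaluates the rule's `selection and not filter` logic over constructed process_creation events; the event dicts, their field names (`ParentImage`, `Image`) and the sample paths are assumptions, and Sigma's default case-insensitive string matching is implemented explicitly.

```python
# Added example: minimal evaluator for this rule's detection block, run over
# constructed process_creation events (not part of Sigma or the original rule).

# The rule's detection block, transcribed from the YAML (values unchanged).
DETECTION = {
    "selection": {"ParentImage|endswith": "\\dns.exe"},
    "filter": {"Image|endswith": "\\conhost.exe"},
    "condition": "selection and not filter",
}

def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier: value' pair; Sigma matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "contains":
        return expected in actual
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def _block_matches(event, block):
    """A selection mapping matches when every field pair matches (AND)."""
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(event, detection=DETECTION):
    """Apply 'selection and not filter', the only condition form implemented here."""
    if detection["condition"] != "selection and not filter":
        raise ValueError("only 'selection and not filter' is implemented here")
    return (_block_matches(event, detection["selection"])
            and not _block_matches(event, detection["filter"]))

# Constructed process_creation events (assumed, not real telemetry) from a Windows DNS server.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\dns.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\System32\DNS.EXE", "Image": r"C:\Windows\System32\conhost.exe"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]

def alerts(events=EVENTS):
    """Return the child-process image paths that trigger the rule."""
    return [e["Image"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for image in alerts():
        print("ALERT: unusual child of dns.exe ->", image)
```

Only the cmd.exe child of dns.exe fires; the conhost.exe child is removed by the filter (despite the upper-case parent path), and the svchost.exe parent never enters the selection.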