Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
Sigma rule
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
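The rule's `selection and not filter` logic, evaluated over constructed process-creation events as an added example (not part of the rule or the Sigma project); the event field names follow the rule, and the events are made-up samples, not real telemetry. Sigma string matching is case-insensitive by default, so the comparison lowercases both sides, and the leading backslash in `'\dns.exe'` means a binary merely named like `mydns.exe` does not match.

```python
"""Added example: evaluate the 'Unusual Child Process of dns.exe' rule over sample events."""
from typing import Iterable, List, Optional


def _ends_with(value: Optional[str], suffix: str) -> bool:
    """Sigma 'endswith' modifier: case-insensitive suffix match, missing field never matches."""
    return value is not None and value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies: selection and not filter."""
    selection = _ends_with(event.get("ParentImage"), r"\dns.exe")   # parent is dns.exe
    filtered = _ends_with(event.get("Image"), r"\conhost.exe")      # benign console host
    return selection and not filtered


def find_alerts(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that would raise this rule."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (Sysmon-style process_creation fields); not real data.
SAMPLE_EVENTS = [
    # expected console host child: suppressed by the filter
    {"ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\conhost.exe"},
    # shell spawned by the DNS service: alert
    {"ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # dns.exe itself being started by services.exe: no alert (dns.exe is the child here)
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\dns.exe"},
    # upper-case path still matches because Sigma matching is case-insensitive: alert
    {"ParentImage": r"C:\WINDOWS\SYSTEM32\DNS.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # unrelated binary whose name merely ends in 'dns.exe': no alert
    {"ParentImage": r"C:\Tools\mydns.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    # event missing the ParentImage field entirely: no alert
    {"Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```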