Unusual Child Process of dns.exe

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Sigma rule (View on GitHub)

 1title: Unusual Child Process of dns.exe
 2id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
 3status: test
 4description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
 5references:
 6    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
 7author: Tim Rauch, Elastic (idea)
 8date: 2022-09-27
 9modified: 2023-02-05
10tags:
11    - attack.initial-access
12    - attack.t1133
13logsource:
14    category: process_creation
15    product: windows
16detection:
17    selection:
18        ParentImage|endswith: '\dns.exe'
19    filter:
20        Image|endswith: '\conhost.exe'
21    condition: selection and not filter
22falsepositives:
23    - Unknown
24level: high

References

Related rules

to-top