Unusual Child Process of dns.exe

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Sigma rule

title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022/09/27
modified: 2023/02/05
tags:
    - attack.initial_access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
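To make the rule's matching behaviour concrete, here is an added Python evaluator (example code written for this page, not part of the Sigma project or of the rule itself). It applies the rule's `selection`, `filter` and `condition` to constructed Windows process-creation events with `ParentImage` and `Image` fields, and reports which events would fire. It assumes Sigma's default case-insensitive string matching, so a parent path written as `DNS.EXE` still matches; the sample events are invented for the demonstration.

```python
"""
Evaluator for the 'Unusual Child Process of dns.exe' Sigma rule.
Added example for this page; not code from the Sigma project or from Elastic.
Assumes process_creation events carry 'ParentImage' and 'Image' full paths.
"""
from typing import Iterable

# Values copied from the rule: the parent must end with '\dns.exe' (selection),
# and conhost.exe children are excluded (filter), because the DNS service
# legitimately gets a console host attached.
PARENT_SUFFIX = "\\dns.exe"
FILTER_SUFFIX = "\\conhost.exe"


def matches_rule(event: dict) -> bool:
    """Return True when 'selection and not filter' holds for one event.

    Sigma matches strings case-insensitively (assumption stated in the
    lead-in), so both sides are lower-cased before the suffix test.
    """
    parent = str(event.get("ParentImage", "")).lower()
    image = str(event.get("Image", "")).lower()
    selection = parent.endswith(PARENT_SUFFIX.lower())
    filtered = image.endswith(FILTER_SUFFIX.lower())
    return selection and not filtered


def find_alerts(events: Iterable[dict]) -> list:
    """Return the events that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only the fields the rule
# reads matter; EventID and CommandLine are included for readability.
SAMPLE_EVENTS = [
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe"},                      # filtered: benign console host
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\dns.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                          # alert: shell under dns.exe
    {"EventID": 1,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\dns.exe",
     "CommandLine": "dns.exe"},                          # no match: dns.exe is the child here
    {"EventID": 1,
     "ParentImage": r"C:\WINDOWS\SYSTEM32\DNS.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},                   # alert: case differs, still matches
]

if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: {hit['ParentImage']} -> {hit['Image']}")
```

The third sample shows why the rule keys on `ParentImage` rather than `Image`: the DNS service itself being started by `services.exe` is normal and must not fire. Any further exclusions a site needs (for example a known management agent) belong in the rule's `filter` block, mirrored here by adding suffixes next to `FILTER_SUFFIX`, rather than by loosening `selection`.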
