Detectionhightest

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim Rauch, Elastic SecurityCreated Tue Sep 27Updated Wed Feb 158f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0windows

Log Source

WindowsFile Delete

ProductWindows← raw: windows

CategoryFile Delete← raw: file_delete

Detection Logic

detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

elastic.co

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0001 · Initial Access

Techniques

T1133 · External Remote Services

Related Rules

SimilarDetectionhigh

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0

Status

test

Level

high

Type

Detection

Created

Tue Sep 27

Modified

Wed Feb 15

Author

Tim Rauch, Elastic Security

Path

rules/windows/file/file_delete/file_delete_win_unusual_deletion_by_dns_exe.yml

Raw Tags

attack.persistenceattack.initial-accessattack.t1133

View on GitHub