Detectionhightest

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Tim Rauch, Elastic SecurityCreated Tue Sep 279f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3windows

Log Source

WindowsFile Change

ProductWindows← raw: windows

CategoryFile Change← raw: file_change

Detection Logic

detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

elastic.co

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0001 · Initial Access

Techniques

T1133 · External Remote Services

Related Rules

SimilarDetectionhigh

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3

Status

test

Level

high

Type

Detection

Created

Tue Sep 27

Author

Tim Rauch, Elastic Security

Path

rules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml

Raw Tags

attack.persistenceattack.initial-accessattack.t1133

View on GitHub