Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Unusual Child Process of dns.exe

Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Tim Rauch, Elastic SecurityCreated Tue Sep 27Updated Sun Feb 05a4e3d776-f12e-42c2-8510-9e6ed1f43ec3windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
elastic.co
MITRE ATT&CK
Rule Metadata
Rule ID
a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
Status
test
Level
high
Type
Detection
Created
Tue Sep 27
Modified
Sun Feb 05
Author
Tim Rauch, Elastic Security
Path
rules/windows/process_creation/proc_creation_win_dns_susp_child_process.yml
Raw Tags
attack.persistenceattack.initial-accessattack.t1133
View on GitHub