kql · Elastic-2.0 · from elastic/detection-rules

Unusual File Operation by dns.exe

Quality: 92
Rule source: rules/windows/lateral_movement_unusual_dns_service_file_writes.toml
event.category : "file" and host.os.type : "windows" and
  event.type : ("creation" or "deletion" or "change") and process.name : "dns.exe" and
  not file.extension : ("old" or "temp" or "bak" or "dns" or "arpa" or "log")