← Library
sigmaDRL-1.1from SigmaHQ/sigma

Unusual File Modification by dns.exe

Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

Quality
96
FP risk
Forks
0
Views
0
ATT&CK techniques
T1133
Rule sourcerules/windows/file/file_change/file_change_win_unusual_modification_by_dns_exe.yml
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Unusual File Modification by dns.exe · SIGMA rule | DetectionLint