sigmahighHunting

Unusual File Deletion by Dns.exe

Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)

MITRE ATT&CK

T1133

persistenceinitial-access

Detection Query

selection:
  Image|endswith: \dns.exe
filter:
  TargetFilename|endswith: \dns.log
condition: selection and not filter

Author

Tim Rauch (Nextron Systems), Elastic (idea)

Created

2022-09-27

Data Sources

windowsfile_delete

Platforms

windows

References

https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html

Tags

attack.persistenceattack.initial-accessattack.t1133

Raw Content

title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high