Detection rules › Sigma
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services |
| Persistence | T1133 External Remote Services |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 2 | A process changed a file creation time |
Stages and Predicates
Stage 1: selection
Image|endswith: '\dns.exe'
Stage 2: not filter
TargetFilename|endswith: '\dns.log'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
TargetFilename | ends_with |
|