Detection rules › Sigma
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe which my indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services |
| Persistence | T1133 External Remote Services |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 23 | FileDelete (File Delete archived) |
| Sysmon | 26 | FileDeleteDetected (File Delete logged) |
Stages and Predicates
Stage 1: selection
Image|endswith: '\dns.exe'
Stage 2: not filter
TargetFilename|endswith: '\dns.log'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Image | ends_with |
|
TargetFilename | ends_with |
|