The hypothesis is that the deletion of an unexpected file by dns.exe may indicate an adversary leveraging the SigRed vulnerability for remote code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation attempts and mitigate lateral movement or persistence tactics.
Detection Rule
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
imFileEvent
| where EventType == "FileDeleted"                 // logsource: category file_delete
| where ActingProcessName endswith "\\dns.exe"    // selection: Image|endswith '\dns.exe' (the acting process, not the deleted file)
| where not(TargetFilePath endswith "\\dns.log")  // filter: TargetFilename|endswith '\dns.log'
Scenario: Scheduled Job Maintenance
Description: A legitimate scheduled job runs dns.exe to clean up temporary files or logs.
Filter/Exclusion: Exclude file deletions where the file path matches known temporary directories (e.g., C:\Windows\Temp\, C:\Users\*\AppData\Local\Temp\) or files with extensions like .log, .tmp, or .bak.
Scenario: System File Cleanup by Admin
Description: An administrator uses a script or tool like del or PowerShell to delete old system files, and dns.exe is invoked as part of a batch process.
Filter/Exclusion: Exclude deletions where the file is in the C:\Windows\ directory and the file name matches known system cleanup patterns (e.g., *.old, *.tmp, *.log).
Scenario: DNS Server Configuration Update
Description: A DNS server is being configured or updated, and dns.exe is used to remove outdated configuration files.
Filter/Exclusion: Exclude deletions where the file path includes C:\Windows\System32\DNS\ or files with names like dnsconfig.old, dnsbackup.txt, or dnsrules.xml.
Scenario: Antivirus Quarantine Cleanup
Description: An antivirus tool (e.g., Windows Defender, Bitdefender) uses dns.exe as part of a cleanup process to remove quarantined files.
Filter/Exclusion: Exclude deletions where the file path includes C:\ProgramData\Microsoft\Windows Defender\ or files marked as quarantined by the antivirus.
Scenario: User-Initiated File Deletion via Command Prompt
Description: A user runs a command like `del /f /q C:\some\file.txt
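To check the rule's "selection and not filter" logic and see how the path-based exclusions suggested in the false-positive scenarios narrow the raw hits, here is an added Python example. It is not part of the Sigma rule, the Sentinel query, or the referenced Elastic rule; it assumes ASIM-style field names (EventType, ActingProcessName, TargetFilePath), the events are constructed sample data, and the tuning patterns are an assumed starting point drawn from the scenarios rather than a vetted allow-list.

```python
"""Evaluate the 'Unusual File Deletion by Dns.exe' logic over constructed file events.

Added example; not the Sigma rule's own tooling nor the Sentinel query on the page.
Field names mirror the Sentinel ASIM FileEvent columns (EventType, ActingProcessName,
TargetFilePath); every event below is constructed sample data.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class FileEvent:
    event_type: str            # ASIM EventType, e.g. "FileDeleted"
    acting_process_name: str   # ASIM ActingProcessName: full path of the acting process
    target_file_path: str      # ASIM TargetFilePath: full path of the affected file


def rule_matches(ev: FileEvent) -> bool:
    """Sigma condition 'selection and not filter' restricted to file_delete events.

    selection: Image|endswith '\\dns.exe'; filter: TargetFilename|endswith '\\dns.log'.
    Sigma string modifiers match case-insensitively, so both sides are lower-cased.
    The leading backslash keeps a name such as 'mydns.exe' from matching.
    """
    if ev.event_type != "FileDeleted":
        return False
    selection = ev.acting_process_name.lower().endswith("\\dns.exe")
    filtered = ev.target_file_path.lower().endswith("\\dns.log")
    return selection and not filtered


# Tuning exclusions taken from the false-positive scenarios (temp folders, the DNS
# configuration folder, scratch extensions). Glob patterns over the lower-cased full
# path; '*' in fnmatch also crosses backslashes, so the AppData pattern covers any user.
# Assumed starting point for tuning, not a vetted allow-list.
TUNING_EXCLUSIONS = (
    "c:\\windows\\temp\\*",
    "c:\\users\\*\\appdata\\local\\temp\\*",
    "c:\\windows\\system32\\dns\\*",
    "*.tmp",
    "*.bak",
)


def is_excluded(ev: FileEvent, patterns=TUNING_EXCLUSIONS) -> bool:
    """True when the deleted file's path matches one of the tuning patterns."""
    path = ev.target_file_path.lower()
    return any(fnmatch.fnmatchcase(path, pattern) for pattern in patterns)


def hunt(events, patterns=TUNING_EXCLUSIONS):
    """Return (raw rule hits, hits left after applying the tuning exclusions)."""
    hits = [ev for ev in events if rule_matches(ev)]
    tuned = [ev for ev in hits if not is_excluded(ev, patterns)]
    return hits, tuned


# Constructed sample events (not real telemetry).
DNS = "C:\\Windows\\System32\\dns.exe"
SAMPLE_EVENTS = [
    # Routine: the service rotating its own log -> removed by the rule's filter.
    FileEvent("FileDeleted", DNS, "C:\\Windows\\System32\\dns\\dns.log"),
    # Unexpected: dns.exe removing a file outside its own folders -> survives tuning.
    FileEvent("FileDeleted", DNS, "C:\\Users\\Public\\stage.dat"),
    # Raw hit in a temp folder -> dropped by tuning (upper-case image still matches).
    FileEvent("FileDeleted", "C:\\Windows\\System32\\DNS.EXE", "C:\\Windows\\Temp\\dnscache-0412.tmp"),
    # Raw hit inside the DNS configuration folder -> dropped by tuning.
    FileEvent("FileDeleted", DNS, "C:\\Windows\\System32\\DNS\\backup\\zone.old"),
    # Not a deletion -> outside the rule's logsource.
    FileEvent("FileCreated", DNS, "C:\\Windows\\System32\\dns\\dns.log"),
    # Different process -> no match.
    FileEvent("FileDeleted", "C:\\Windows\\explorer.exe", "C:\\Users\\alice\\Desktop\\notes.txt"),
    # Name that merely ends in 'dns.exe' -> no match because of the backslash anchor.
    FileEvent("FileDeleted", "C:\\Tools\\mydns.exe", "C:\\Users\\Public\\stage.dat"),
]


if __name__ == "__main__":
    hits, tuned = hunt(SAMPLE_EVENTS)
    print(f"raw hits: {len(hits)}, after tuning: {len(tuned)}")
    for ev in tuned:
        print("ALERT", ev.acting_process_name, "deleted", ev.target_file_path)
```

Run as-is, the seven sample events produce three raw hits and a single alert after tuning. Passing `patterns=()` to `hunt` shows the untuned rule output, which is a quick way to measure how much noise each exclusion absorbs before committing it to the production query.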