The hypothesis is that an unexpected file modification by dns.exe may indicate an adversary leveraging the SigRed vulnerability for remote code execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential exploitation attempts and mitigate advanced threats.
Detection Rule
```yaml
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
```
```kql
// Microsoft Sentinel (ASIM imFileEvent) translation of the rule above.
// The Sigma selection is on the acting process (Image), which in ASIM is
// ActingProcessName; TargetFilePath is the file being written, so checking
// it for "\dns.exe" would only match modifications of a file named dns.exe.
imFileEvent
| where EventType == "FileModified"            // logsource category: file_change
| where ActingProcessName endswith "\\dns.exe"
| where not (TargetFileName endswith "\\dns.log")
```
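The same selection-and-not-filter logic evaluated offline over a few constructed file-change events, with one tuning allowlist of the kind the false-positive scenarios below describe (rotated DNS log files). This is an added illustration, not part of the Sigma rule or the Elastic original; the event keys `Image` and `TargetFilename` mirror the rule's field names and the sample events are invented.

```python
"""Evaluate 'Unusual File Modification by dns.exe' the way a Sigma engine would,
then apply a log-rotation exclusion. Events are constructed, not real telemetry."""
from typing import Iterable

# Sigma string modifiers such as |endswith are case-insensitive, as are Windows paths.
def _ends_with(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

# Rule logic: condition = selection and not filter
def sigma_match(event: dict) -> bool:
    selection = _ends_with(event.get("Image", ""), "\\dns.exe")
    filt = _ends_with(event.get("TargetFilename", ""), "\\dns.log")
    return selection and not filt

# Tuning for the "DNS Service Log File Rotation" scenario (assumed directory and
# extensions taken from that scenario): rotated logs there are expected.
LOG_DIR = "C:\\Windows\\System32\\LogFiles\\DNS\\"
LOG_EXTS = (".log", ".old", ".bak")

def is_expected_log_rotation(event: dict) -> bool:
    target = event.get("TargetFilename", "").lower()
    return target.startswith(LOG_DIR.lower()) and target.endswith(LOG_EXTS)

def hunt(events: Iterable[dict]) -> list[str]:
    """Return the target paths that match the rule and survive the tuning."""
    return [e["TargetFilename"] for e in events
            if sigma_match(e) and not is_expected_log_rotation(e)]

# Constructed sample events.
SAMPLE_EVENTS = [
    # dns.exe writing its own log: removed by the rule's filter
    {"Image": "C:\\Windows\\System32\\dns.exe",
     "TargetFilename": "C:\\Windows\\System32\\dns\\dns.log"},
    # rotated log under the DNS log directory: removed by tuning
    {"Image": "C:\\Windows\\System32\\dns.exe",
     "TargetFilename": "C:\\Windows\\System32\\LogFiles\\DNS\\dns.old"},
    # unexpected write outside log locations (mixed case): alert
    {"Image": "C:\\Windows\\System32\\DNS.EXE",
     "TargetFilename": "C:\\Windows\\Temp\\unexpected.dll"},
    # another process: no selection match
    {"Image": "C:\\Windows\\notepad.exe",
     "TargetFilename": "C:\\Users\\admin\\notes.txt"},
]

if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("ALERT: dns.exe modified", path)
```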
Scenario: DNS Server Configuration Update via Scheduled Task
Description: A legitimate scheduled task runs a script to update DNS server configurations, which may involve modifying files in the DNS service directory.
Filter/Exclusion: Check the file path against known DNS configuration directories (e.g., C:\Windows\System32\dns\, C:\Windows\System32\drivers\etc\). Exclude modifications to files like named.conf, dns.exe.config, or dnsmgr.exe.
Scenario: DNS Cache Flush via PowerShell Script
Description: An administrator runs a PowerShell script to flush the DNS cache, which may temporarily modify cache files or related registry entries.
Filter/Exclusion: Filter events where the file modification is associated with ipconfig /flushdns or PowerShell scripts named Flush-DnsCache.ps1. Exclude modifications to files in the C:\Windows\System32\drivers\etc\ directory.
Scenario: DNS Service Log File Rotation
Description: The DNS service logs are rotated as part of a regular maintenance task, which may involve renaming or modifying log files.
Filter/Exclusion: Exclude modifications to files in the C:\Windows\System32\LogFiles\DNS\ directory. Filter by file extensions like .log, .old, or .bak.
Scenario: DNS Monitoring Tool Configuration Update
Description: A third-party DNS monitoring tool (e.g., SolarWinds, PRTG) updates its configuration files, which may be modified by dns.exe during runtime.
Filter/Exclusion: Exclude modifications to files in the tool’s configuration directory (e.g., C:\Program Files\SolarWinds\DNSMonitor\). Filter by file names like config.xml, settings.json, or monitoring.ini.
**Scenario: DNS-related Registry Key Update via