
Sigma rules for CVE-2020-1350

4 rules, scoped to CVE-2020-1350
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.

Detection rules

Scope: direct · Level: critical
DNS RCE CVE-2020-1350
Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting suspicious sub-processes.
Status: test · Author: Florian Roth (Nextron Systems) · ID: b5281f31-f9cc-4d0d-95d0-45b91c45b487 · License: DRL-1.1
Sigma YAML:
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: test
description: Detects exploitation of the DNS RCE bug reported in CVE-2020-1350 by detecting suspicious sub-processes
references:
    - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
    - https://web.archive.org/web/20230329172447/https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth (Nextron Systems)
date: 2020-07-15
modified: 2022-07-12
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1569.002
    - cve.2020-1350
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\System32\dns.exe'
    filter:
        Image|endswith:
            - '\System32\werfault.exe'
            - '\System32\conhost.exe'
            - '\System32\dnscmd.exe'
            - '\System32\dns.exe'
    condition: selection and not filter
falsepositives:
    - Unknown but benign sub processes of the Windows DNS service dns.exe
level: critical
Scope: direct · Level: high
Unusual File Deletion by Dns.exe
Detects an unexpected file being deleted by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Status: test · Author: Tim Rauch (Nextron Systems), Elastic (idea) · ID: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 · License: DRL-1.1
Sigma YAML:
title: Unusual File Deletion by Dns.exe
id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0
related:
    - id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 # FileChange version
      type: similar
status: test
description: Detects an unexpected file being deleted by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
modified: 2023-02-15
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_delete
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Scope: direct · Level: high
Unusual File Modification by dns.exe
Detects an unexpected file being modified by dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Status: test · Author: Tim Rauch (Nextron Systems), Elastic (idea) · ID: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3 · License: DRL-1.1
Sigma YAML:
title: Unusual File Modification by dns.exe
id: 9f383dc0-fdeb-4d56-acbc-9f9f4f8f20f3
related:
    - id: 8f0b1fb1-9bd4-4e74-8cdf-a8de4d2adfd0 # FileDelete version
      type: similar
status: test
description: Detects an unexpected file being modified by dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-file-modification-by-dns-exe.html
author: Tim Rauch (Nextron Systems), Elastic (idea)
date: 2022-09-27
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: file_change
    product: windows
detection:
    selection:
        Image|endswith: '\dns.exe'
    filter:
        TargetFilename|endswith: '\dns.log'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high
Scope: direct · Level: high
Unusual Child Process of dns.exe
Detects an unexpected process spawning from dns.exe, which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed).
Status: test · Author: Tim Rauch, Elastic (idea) · ID: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3 · License: DRL-1.1
Sigma YAML:
title: Unusual Child Process of dns.exe
id: a4e3d776-f12e-42c2-8510-9e6ed1f43ec3
status: test
description: Detects an unexpected process spawning from dns.exe which may indicate activity related to remote code execution or other forms of exploitation as seen in CVE-2020-1350 (SigRed)
references:
    - https://www.elastic.co/guide/en/security/current/unusual-child-process-of-dns-exe.html
author: Tim Rauch, Elastic (idea)
date: 2022-09-27
modified: 2023-02-05
tags:
    - attack.persistence
    - attack.initial-access
    - attack.t1133
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\dns.exe'
    filter:
        Image|endswith: '\conhost.exe'
    condition: selection and not filter
falsepositives:
    - Unknown
level: high