SigmaHQ/rules/windows/process_creation/win_exploit_cve_2020_1350.yml

30 lines
1002 B
YAML
Raw Normal View History

2020-07-15 09:03:31 +00:00
title: DNS RCE CVE-2020-1350
id: b5281f31-f9cc-4d0d-95d0-45b91c45b487
status: experimental
description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
references:
- https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/
- https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html
author: Florian Roth
date: 2020/07/15
tags:
- attack.initial_access
- attack.t1190
- attack.execution
- attack.t1569.002
logsource:
category: process_creation
product: windows
detection:
selection:
2020-07-15 09:56:11 +00:00
ParentImage|endswith: '\System32\dns.exe'
filter:
Image|endswith:
2020-07-15 09:56:11 +00:00
- '\System32\werfault.exe'
- '\System32\conhost.exe'
- '\System32\dnscmd.exe'
condition: selection and not filter
2020-07-15 09:03:31 +00:00
falsepositives:
- Unknown but benign sub processes of the Windows DNS service dns.exe
level: critical