title: DNS RCE CVE-2020-1350 id: b5281f31-f9cc-4d0d-95d0-45b91c45b487 status: experimental description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process references: - https://research.checkpoint.com/2020/resolving-your-way-into-domain-admin-exploiting-a-17-year-old-bug-in-windows-dns-servers/ - https://blog.menasec.net/2019/02/threat-hunting-24-microsoft-windows-dns.html author: Florian Roth date: 2020/07/15 tags: - attack.initial_access - attack.t1190 - attack.execution - attack.t1569.002 logsource: category: process_creation product: windows detection: selection: ParentImage|endswith: '\dns.exe' condition: selection falsepositives: - Unknown but benign sub processes of the Windows DNS service dns.exe level: critical