mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 01:15:17 +00:00
16 lines
488 B
YAML
16 lines
488 B
YAML
alert:
|
|
- debug
|
|
description: Detects exploitation of DNS RCE bug reported in CVE-2020-1350 by the detection of suspicious sub process
|
|
filter:
|
|
- query:
|
|
query_string:
|
|
query: (data.win.eventdata.parentImage.keyword:*\\System32\\dns.exe AND (NOT (data.win.eventdata.image.keyword:(*\\System32\\werfault.exe OR *\\System32\\conhost.exe OR *\\System32\\dnscmd.exe))))
|
|
index: wazuh-alerts-3.x-*
|
|
name: b5281f31-f9cc-4d0d-95d0-45b91c45b487_0
|
|
priority: 1
|
|
realert:
|
|
minutes: 0
|
|
type: any
|
|
|
|
|