Unusual Child Process of dns.exe

About the rule

Rule Type

Standard

Rule Description

dns.exe is the legitimate Windows DNS Server process, responsible for providing domain name resolution across the network. Attackers sometimes exploit this trusted system component by spawning malicious or unexpected child processes from dns.exe to hide their activity, maintain persistence, or facilitate further lateral movement. This rule is designed to detect unusual or suspicious child processes spawned by dns.exe such as command shells, scripting engines (PowerShell, wscript, cscript), or binaries not typically associated with DNS operations.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → dns.exe exploited → Launching of suspicious child process → Impact

Impact

• Defense evasion
• Data exfiltration
• Covert command and control
• Evasion of traditional network security tools
• Information disclosure

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Initial Access: External Remote Services (T1133), Persistence: External Remote Services (T1133)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified that dns.exe has spawned an unusual or suspicious child process. This enables you to review the context of process creation, analyze parent-child relationships, and swiftly detect potential abuse of legitimate system services for malicious activity.

Author

Tim Rauch, Elastic (idea)

Future actions

Known False Positives

This rule may trigger when legitimate DNS server extensions, debugging activities, or administrative scripts spawn processes from dns.exe in managed environments. Investigate the context, command-line parameters, and legitimacy of the spawned child processes before responding.

Next Steps

When this rule is triggered, the following measures can be implemented:

1. Identification: Identify if the flagged event is a new incident or part of an existing incident.
2. Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
3. Response: Respond promptly by initiating an automated workflow to interrupt the network connections and cease the malicious process.
4. Reconfiguration: Update allowlists of legitimate DNS server behaviors, enhance detection tuning, and continue monitoring for recurrence or similar anomalous activity.

Mitigation