
Summary
This detection rule identifies unexpected file modifications made by the `dns.exe` process, the service process of the Windows DNS Server role. Such activity may indicate remote code execution or other exploitation attempts, particularly in relation to the CVE-2020-1350 vulnerability (commonly referred to as SigRed). The detection query matches any file creation, deletion, or modification event attributed to `dns.exe`, while excluding benign DNS log files and temporary file extensions. The rule uses events captured from log sources such as Winlogbeat and Sysmon to flag abnormal activity. Alerts generated by this rule warrant careful investigation, as they may indicate post-exploitation actions in which an attacker writes malicious files to maintain persistence or further compromise the system. The rule maps to MITRE ATT&CK technique T1210 (Exploitation of Remote Services) under the Lateral Movement tactic, which underlines its relevance to threat detection in Windows environments.
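The following is an added example (not the rule's own query) of the filtering logic described above, applied to a handful of constructed ECS-style file events. The concrete exclusion names (`dns.log`, `.tmp`/`.temp`) are assumptions standing in for the rule's "benign DNS log files and temporary file extensions".

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed exclusions: the rule text only says "benign DNS log files and
# temporary file extensions"; these concrete values are constructed here.
BENIGN_LOG_NAMES = {"dns.log"}
TEMP_EXTENSIONS = {"tmp", "temp"}
# File event types the rule cares about (creation, deletion, modification).
WATCHED_TYPES = {"creation", "deletion", "change"}


@dataclass
class FileEvent:
    category: str  # event.category, e.g. "file"
    type: str      # event.type: creation / deletion / change / access
    process: str   # process.name of the writer
    path: str      # file.path on the DNS server


def _name_and_ext(path: str):
    """Return (lower-cased file name, extension) from a Windows path."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    return name, ext


def matches_rule(ev: FileEvent) -> bool:
    """True when the event is a dns.exe file write that is not a known-benign file."""
    if ev.category != "file" or ev.type not in WATCHED_TYPES:
        return False
    if ev.process.lower() != "dns.exe":  # process names are case-insensitive on Windows
        return False
    name, ext = _name_and_ext(ev.path)
    return name not in BENIGN_LOG_NAMES and ext not in TEMP_EXTENSIONS


def detect(events: Iterable[FileEvent]) -> List[str]:
    """Return the paths of all events that should raise an alert."""
    return [ev.path for ev in events if matches_rule(ev)]


# Constructed sample telemetry: only the DLL drop should alert.
SAMPLE_EVENTS = [
    FileEvent("file", "change", "dns.exe", r"C:\Windows\System32\dns\dns.log"),   # routine logging
    FileEvent("file", "creation", "dns.exe", r"C:\Windows\Temp\tmp1A2B.tmp"),     # temp file
    FileEvent("file", "creation", "DNS.EXE", r"C:\Windows\System32\payload.dll"),  # unexpected write
    FileEvent("file", "creation", "svchost.exe", r"C:\Windows\System32\other.dll"),  # wrong process
    FileEvent("file", "access", "dns.exe", r"C:\Windows\System32\kernel32.dll"),  # read, not a write
]

if __name__ == "__main__":
    for path in detect(SAMPLE_EVENTS):
        print("ALERT: unexpected file modification by dns.exe:", path)
```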
Categories
- Endpoint
- Windows
Data Sources
- Process
- File
- Application Log
ATT&CK Techniques
- T1210
Created: 2020-07-16