SigmaHQ/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml

title: DNS ServerLevelPluginDll Install
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)
reference: 
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
author: Florian Roth
logsource:
    product: windows
    service: sysmon
detection:
    dnsadmin:
        EventID: 1
        CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
    dnsregmod:
        EventID: 13
        TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
    condition: dnsadmin or dnsregmod
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: high
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`title: DNS ServerLevelPluginDll Install`
			`status: experimental`
			`description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required)`
			`reference:`
			`- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83`
			`date: 2017/05/08`
			`author: Florian Roth`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`dnsadmin:`
			`EventID: 1`
			`CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'`
			`dnsregmod:`
			`EventID: 13`
			`TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'`
			`condition: dnsadmin or dnsregmod`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- EventID`
			`- CommandLine`
			`- ParentCommandLine`
			`- Image`
			`- User`
			`- TargetObject`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`falsepositives:`
			`- unknown`
			`level: high`