SigmaHQ/rules/windows/sysmon/sysmon_dns_serverlevelplugindll.yml

action: global
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
    (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
author: Florian Roth
tags:
    - attack.defense_evasion
    - attack.t1073
detection:
    condition: 1 of them
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    dnsregmod:
        EventID: 13
        TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'
---
logsource:
    category: process_creation
    product: windows
detection:
    dnsadmin:
        CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`action: global`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`title: DNS ServerLevelPluginDll Install`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: e61e8a88-59a9-451c-874e-70fcc9740d67`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`status: experimental`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server`
			`(restart required)`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83`
			`date: 2017/05/08`
			`author: Florian Roth`
Missing tags 2019-03-05 23:02:37 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.t1073`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`detection:`
Simplified rule conditions with new condition constructs 2018-03-06 22:14:43 +00:00			`condition: 1 of them`
Added field names to first rules 2017-09-12 21:54:04 +00:00			`fields:`
			`- EventID`
			`- CommandLine`
			`- ParentCommandLine`
			`- Image`
			`- User`
			`- TargetObject`
Suspicious DNS Server Config Error - Sysmon Rule 2017-05-08 11:39:50 +00:00			`falsepositives:`
			`- unknown`
			`level: high`
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`---`
			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`dnsregmod:`
			`EventID: 13`
			`TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll'`
			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`dnsadmin:`
			`CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'`