SigmaHQ/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml

action: global
title: DNS ServerLevelPluginDll Install
id: e61e8a88-59a9-451c-874e-70fcc9740d67
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
    (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
modified: 2020/09/06
author: Florian Roth
tags:
    - attack.defense_evasion
    - attack.t1073 # an old one
    - attack.t1574.002
    - attack.t1112
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
falsepositives:
    - unknown
level: high
---
logsource:
    product: windows
    category: registry_event
detection:
    dnsregmod: 
        TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
    condition: 1 of them
---
logsource:
    category: process_creation
    product: windows
detection:
    dnsadmin:
        Image|endswith: '\dnscmd.exe'
        CommandLine|contains|all: 
            - '/config'
            - '/serverlevelplugindll'
    condition: 1 of them
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`action: global`
			`title: DNS ServerLevelPluginDll Install`
			`id: e61e8a88-59a9-451c-874e-70fcc9740d67`
			`status: experimental`
			`description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server`
			`(restart required)`
			`references:`
			`- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83`
			`date: 2017/05/08`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`modified: 2020/09/06`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`author: Florian Roth`
			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/registry_event 2020-09-06 19:08:27 +00:00			`- attack.t1073 # an old one`
			`- attack.t1574.002`
			`- attack.t1112`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`fields:`
			`- EventID`
			`- CommandLine`
			`- ParentCommandLine`
			`- Image`
			`- User`
			`- TargetObject`
			`falsepositives:`
			`- unknown`
			`level: high`
			`---`
			`logsource:`
			`product: windows`
			`category: registry_event`
			`detection:`
			`dnsregmod:`
Update sysmon_dns_serverlevelplugindll.yml 2020-10-15 23:03:29 +00:00			`TargetObject\|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'`
fix: bugfix and cosmetics 2020-06-24 16:10:58 +00:00			`condition: 1 of them`
Added rules files split into folders 2020-06-10 14:32:30 +00:00			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`dnsadmin:`
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 16:46:02 +00:00			`Image\|endswith: '\dnscmd.exe'`
			`CommandLine\|contains\|all:`
			`- '/config'`
			`- '/serverlevelplugindll'`
Update sysmon_dns_serverlevelplugindll.yml 2020-10-15 23:03:29 +00:00			`condition: 1 of them`