--- action: global title: DNS ServerLevelPluginDll Install status: experimental description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server (restart required) references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 author: Florian Roth tags: - attack.defense_evasion - attack.t1073 detection: condition: 1 of them fields: - EventID - CommandLine - ParentCommandLine - Image - User - TargetObject falsepositives: - unknown level: high --- logsource: product: windows service: sysmon detection: dnsregmod: EventID: 13 TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' --- logsource: category: process_creation product: windows detection: dnsadmin: CommandLine: 'dnscmd.exe /config /serverlevelplugindll *'