Potential ADIDNS Poisoning via Wildcard Record Creation

calendar Jul 10, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Credential Access Data Source: Active Directory Use Case: Active Directory Monitoring  ·
Share on: linkedin copy

Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/03/26"
 3integration = ["system", "windows"]
 4maturity = "production"
 5updated_date = "2024/07/08"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and
11replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces
12some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to
13create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match
14records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS
15spoofing.
16"""
17from = "now-9m"
18index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
19language = "eql"
20license = "Elastic License v2"
21name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
22references = [
23    "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
24    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing",
25]
26risk_score = 73
27rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd"
28setup = """## Setup
29
30The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
31Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policies Configuration > Audit Policies > DS Access > Audit Directory Service Changes (Success,Failure)

1
2The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.

Set-AuditRule -AdObjectPath 'AD:\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success

 1"""
 2severity = "high"
 3tags = [
 4    "Domain: Endpoint",
 5    "OS: Windows",
 6    "Use Case: Threat Detection",
 7    "Tactic: Credential Access",
 8    "Data Source: Active Directory",
 9    "Use Case: Active Directory Monitoring",
10]
11timestamp_override = "event.ingested"
12type = "eql"
13
14query = '''
15any where host.os.type == "windows" and event.action in ("Directory Service Changes", "directory-service-object-modified") and
16    event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,")
17'''
18
19
20[[rule.threat]]
21framework = "MITRE ATT&CK"
22[[rule.threat.technique]]
23id = "T1557"
24name = "Adversary-in-the-Middle"
25reference = "https://attack.mitre.org/techniques/T1557/"
26
27
28[rule.threat.tactic]
29id = "TA0006"
30name = "Credential Access"
31reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top