DNS Global Query Block List Modified or Disabled
Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/05/31"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/08/07"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
11DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
12modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
13and lateral movement.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "DNS Global Query Block List Modified or Disabled"
20references = [
21 "https://cube0x0.github.io/Pocing-Beyond-DA/",
22 "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
23 "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"
24]
25risk_score = 47
26rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
27severity = "medium"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Defense Evasion",
33 "Data Source: Elastic Defend",
34 "Data Source: Sysmon"
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40registry where host.os.type == "windows" and event.type == "change" and
41(
42 (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
43 (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
44)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54[[rule.threat.technique.subtechnique]]
55id = "T1562.001"
56name = "Disable or Modify Tools"
57reference = "https://attack.mitre.org/techniques/T1562/001/"
58
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"
65
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1557"
71name = "Adversary-in-the-Middle"
72reference = "https://attack.mitre.org/techniques/T1557/"
73
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"
References
-
Comprehensive cybersecurity guides and strategies for ethical hacking and penetration testing
Read More -
This post will mainly cover some additional techniques on both the offensive and defensive fronts for exploiting Active Directory-Integrated DNS (ADIDNS).
Read More
Related rules
- Encoded Executable Stored in the Registry
- Image File Execution Options Injection
- NullSessionPipe Registry Modification
- SIP Provider Modification
- Suspicious ImagePath Service Creation