DNS Global Query Block List Modified or Disabled

Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2024/05/31"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
description = """
Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
and lateral movement.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "DNS Global Query Block List Modified or Disabled"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating DNS Global Query Block List Modified or Disabled

The DNS Global Query Block List (GQBL) is a security feature in Windows environments that blocks the resolution of specific DNS names, such as WPAD, to prevent attacks like spoofing. Adversaries with elevated privileges can alter or disable the GQBL, enabling them to exploit default settings for privilege escalation. The detection rule monitors registry changes indicating such modifications, flagging potential defense evasion attempts.

### Possible investigation steps

- Review the registry event logs to confirm the specific changes made to the DNS Global Query Block List, focusing on the registry values "EnableGlobalQueryBlockList" and "GlobalQueryBlockList".
- Identify the user account associated with the registry change event to determine if the account has elevated privileges, such as DNSAdmins, which could indicate potential misuse.
- Check for any recent changes in user permissions or group memberships that might have granted the necessary privileges to modify the GQBL.
- Investigate any other suspicious activities or alerts related to the same user or host around the time of the registry change to identify potential lateral movement or privilege escalation attempts.
- Correlate the event with network traffic logs to detect any unusual DNS queries or attempts to resolve WPAD or other blocked names, which could suggest exploitation attempts.
- Review system and security logs for any signs of unauthorized access or other indicators of compromise on the affected host.

### False positive analysis

- Legitimate administrative changes to DNS settings by IT staff can trigger the rule. To manage this, create exceptions for known maintenance windows or authorized personnel making these changes.
- Automated scripts or software updates that modify DNS settings might be flagged. Identify and whitelist these processes if they are verified as safe and necessary for system operations.
- Changes made by security tools or network management software that adjust DNS settings for legitimate reasons can be mistaken for threats. Review and exclude these tools from monitoring if they are part of the organization's approved security infrastructure.
- In environments where WPAD is intentionally used, the absence of "wpad" in the GlobalQueryBlockList might be a normal configuration. Document and exclude these cases if they align with the organization's network design and security policies.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement.
- Revert any unauthorized changes to the DNS Global Query Block List by restoring the registry settings to their default state, ensuring WPAD and other critical entries are included.
- Conduct a thorough review of user accounts with elevated privileges, such as DNSAdmins, to identify any unauthorized access or privilege escalation. Revoke unnecessary privileges and reset credentials as needed.
- Deploy endpoint detection and response (EDR) tools to scan the affected system for additional indicators of compromise or malicious activity, focusing on defense evasion techniques.
- Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future."""
references = [
    "https://cube0x0.github.io/Pocing-Beyond-DA/",
    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
    "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/",
]
risk_score = 47
rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
(
  (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
  (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
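To show what the EQL query above actually matches, here is an added Python emulation of its logic run over constructed registry change events; it is not Elastic's code, and the event dicts, user names and the `gqbl_alert`/`run_rule` helpers are assumptions for illustration. It covers the two alerting branches (flag set to 0; list rewritten without "wpad") and the non-alerting cases (list still containing WPAD in any letter case; a non-change event).

```python
"""Emulate the GQBL detection rule over constructed Windows registry events."""
import fnmatch
from typing import Optional

# Registry values and data the rule's query watches
ENABLE_VALUE = "EnableGlobalQueryBlockList"
LIST_VALUE = "GlobalQueryBlockList"
DISABLED_DATA = ("0", "0x00000000")


def eql_match(value: str, pattern: str) -> bool:
    """Approximate EQL's ':' operator: case-insensitive, wildcard-aware."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def gqbl_alert(event: dict) -> Optional[str]:
    """Return the alert reason if the event matches the rule, else None."""
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return None
    value = event.get("registry.value", "")
    # GlobalQueryBlockList is REG_MULTI_SZ, so data.strings is a list; normalise scalars
    data = event.get("registry.data.strings", [])
    if isinstance(data, str):
        data = [data]
    if eql_match(value, ENABLE_VALUE) and any(eql_match(d, p) for d in data for p in DISABLED_DATA):
        return "GQBL disabled: EnableGlobalQueryBlockList set to 0"
    if eql_match(value, LIST_VALUE) and not any(eql_match(d, "wpad") for d in data):
        return "GQBL modified: wpad no longer in GlobalQueryBlockList"
    return None


# Constructed sample events (hypothetical user names), one per case of interest
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.type": "change", "user.name": "dnsadmin1",
     "registry.value": "EnableGlobalQueryBlockList", "registry.data.strings": ["0x00000000"]},
    {"host.os.type": "windows", "event.type": "change", "user.name": "svc-deploy",
     "registry.value": "GlobalQueryBlockList", "registry.data.strings": ["isatap"]},
    # Benign rewrite keeping both default entries; case differs but ':' ignores case
    {"host.os.type": "windows", "event.type": "change", "user.name": "it-ops",
     "registry.value": "GlobalQueryBlockList", "registry.data.strings": ["WPAD", "isatap"]},
    # Read, not a change: outside the rule's event.type filter
    {"host.os.type": "windows", "event.type": "access", "user.name": "it-ops",
     "registry.value": "EnableGlobalQueryBlockList", "registry.data.strings": ["0"]},
]


def run_rule(events) -> list:
    """Return (user, reason) pairs for every event the rule would alert on."""
    return [(e.get("user.name", "?"), r) for e in events if (r := gqbl_alert(e))]


if __name__ == "__main__":
    for user, reason in run_rule(SAMPLE_EVENTS):
        print(f"ALERT user={user}: {reason}")
```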

