DNS Global Query Block List Modified or Disabled
Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.
[metadata]
creation_date = "2024/05/31"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
# Pin the rule to the first stack version that carries the Windows integration
# breaking change named in min_stack_comments.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"
8
[rule]
author = ["Elastic"]
description = """
Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
and lateral movement.
"""
# Look-back window for each scheduled run; works together with timestamp_override below.
from = "now-9m"
# Registry event sources the query is evaluated against (see the Data Source tags below).
index = [
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "DNS Global Query Block List Modified or Disabled"
references = [
    "https://cube0x0.github.io/Pocing-Beyond-DA/",
    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
    "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/",
]
risk_score = 47
rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
]
# Evaluate against ingest time rather than the event's own timestamp so that
# late-arriving registry events still land inside the look-back window.
timestamp_override = "event.ingested"
type = "eql"

# Two ways the GQBL can be weakened, either of which alerts:
#   - EnableGlobalQueryBlockList written as 0 (matched in both the decimal and
#     the hex spelling the data sources may emit), which switches the list off; or
#   - GlobalQueryBlockList rewritten so that "wpad" is no longer among its entries.
# Tuning note: the query keys on registry.value only (registry.path is not
# constrained) and checks only the "wpad" entry; dropping other default entries
# from the list is not covered here.
query = '''
registry where host.os.type == "windows" and event.type == "change" and
(
 (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
 (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
)
'''
58
59
[[rule.threat]]
framework = "MITRE ATT&CK"

  # Switching the GQBL off, or removing entries from it, disables a built-in
  # safeguard rather than exploiting one, hence the Impair Defenses mapping.
  [[rule.threat.technique]]
  id = "T1562"
  name = "Impair Defenses"
  reference = "https://attack.mitre.org/techniques/T1562/"

    [[rule.threat.technique.subtechnique]]
    id = "T1562.001"
    name = "Disable or Modify Tools"
    reference = "https://attack.mitre.org/techniques/T1562/001/"

  [rule.threat.tactic]
  id = "TA0005"
  name = "Defense Evasion"
  reference = "https://attack.mitre.org/tactics/TA0005/"
77
78
[[rule.threat]]
framework = "MITRE ATT&CK"

  # Downstream impact called out in the description: once "wpad" resolves again,
  # hosts with default proxy auto-discovery settings become exposed to WPAD
  # spoofing, an adversary-in-the-middle route to credential access.
  [[rule.threat.technique]]
  id = "T1557"
  name = "Adversary-in-the-Middle"
  reference = "https://attack.mitre.org/techniques/T1557/"

  [rule.threat.tactic]
  id = "TA0006"
  name = "Credential Access"
  reference = "https://attack.mitre.org/tactics/TA0006/"