DNS Global Query Block List Modified or Disabled

Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Elastic rule

[metadata]
creation_date = "2024/05/31"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
and lateral movement.
"""
from = "now-9m"
index = [
    "logs-endpoint.events.registry-*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "endgame-*"
]
language = "eql"
license = "Elastic License v2"
name = "DNS Global Query Block List Modified or Disabled"
references = [
    "https://cube0x0.github.io/Pocing-Beyond-DA/",
    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
    "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"
]
risk_score = 47
rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: SentinelOne",
    "Data Source: Elastic Endgame",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
registry where host.os.type == "windows" and event.type == "change" and
(
  (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
  (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
)
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating DNS Global Query Block List Modified or Disabled

The DNS Global Query Block List (GQBL) is a security feature of the Windows DNS Server role that blocks the resolution of specific DNS names, such as WPAD, to prevent attacks like spoofing. Adversaries with elevated privileges can alter or disable the GQBL, enabling them to register a WPAD record and exploit default proxy settings on clients for credential theft and privilege escalation. The detection rule monitors registry changes indicating such modifications, flagging potential defense evasion attempts.

### Possible investigation steps

- Review the registry event logs to confirm the specific changes made to the DNS Global Query Block List, focusing on the registry values "EnableGlobalQueryBlockList" and "GlobalQueryBlockList" under HKLM\\SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters on the DNS server.
- Identify the user account and process associated with the registry change event to determine if the account has elevated privileges, such as DNSAdmins, which could indicate potential misuse.
- Check for any recent changes in user permissions or group memberships that might have granted the necessary privileges to modify the GQBL.
- Investigate any other suspicious activities or alerts related to the same user or host around the time of the registry change to identify potential lateral movement or privilege escalation attempts.
- Correlate the event with DNS server and network traffic logs to detect a newly registered WPAD record or unusual attempts to resolve WPAD or other blocked names, which could suggest exploitation attempts.
- Review system and security logs for any signs of unauthorized access or other indicators of compromise on the affected host.

### False positive analysis

- Legitimate administrative changes to DNS settings by IT staff can trigger the rule. To manage this, create exceptions for known maintenance windows or authorized personnel making these changes.
- Automated scripts or software updates that modify DNS settings might be flagged. Identify and exclude these processes if they are verified as safe and necessary for system operations.
- Changes made by security tools or network management software that adjust DNS settings for legitimate reasons can be mistaken for threats. Review and exclude these tools from monitoring if they are part of the organization's approved security infrastructure.
- In environments where WPAD is intentionally used, the absence of "wpad" in the GlobalQueryBlockList might be a normal configuration. Document and exclude these cases if they align with the organization's network design and security policies.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further exploitation or lateral movement.
- Revert any unauthorized changes to the DNS Global Query Block List by restoring the settings to their default state (the list enabled and containing both wpad and isatap), and remove any WPAD record the attacker may have registered in the zone.
- Conduct a thorough review of user accounts with elevated privileges, such as DNSAdmins, to identify any unauthorized access or privilege escalation. Revoke unnecessary privileges and reset credentials as needed.
- Deploy endpoint detection and response (EDR) tools to scan the affected system for additional indicators of compromise or malicious activity, focusing on defense evasion techniques.
- Monitor network traffic for signs of WPAD spoofing or other related attacks, and implement network segmentation to limit the impact of potential threats.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are affected.
- Update security policies and procedures to include specific measures for monitoring and protecting the DNS Global Query Block List, ensuring rapid detection and response to similar threats in the future."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"
[[rule.threat.technique.subtechnique]]
id = "T1562.001"
name = "Disable or Modify Tools"
reference = "https://attack.mitre.org/techniques/T1562/001/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1557"
name = "Adversary-in-the-Middle"
reference = "https://attack.mitre.org/techniques/T1557/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
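The following is an added example, not part of the Elastic rule or its repository: the rule's EQL predicate re-implemented in Python and run over a handful of constructed ECS-style registry events, so the matching behaviour can be checked without a stack. Two details of the query are easy to get wrong when porting or tuning it: the EQL `:` operator is a case-insensitive string comparison, and `registry.data.strings` holds a list when the value is REG_MULTI_SZ, so `not registry.data.strings : "wpad"` means "no element equals wpad". The event dictionaries, their `id` field and the `_ev` helper are constructed for this example; the key path is the documented location of the DNS Server parameters.

```python
"""Added example (not Elastic's code): the GQBL rule's EQL predicate in Python,
evaluated over constructed ECS-style registry events."""

# Documented default GQBL entries on the Windows DNS Server role.
DEFAULT_GQBL = ("wpad", "isatap")


def _as_list(value):
    """Normalize a scalar-or-list ECS field to a list (missing -> empty list)."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _eql_match(field_value, *patterns):
    """EQL `field : ("a", "b")` semantics: case-insensitive equality of any
    element of the field against any of the patterns."""
    wanted = {p.lower() for p in patterns}
    return any(str(v).lower() in wanted for v in _as_list(field_value))


def gqbl_alert_reason(event):
    """Return why the event matches the rule, or None if it does not.

    Mirrors the rule query:
      registry where host.os.type == "windows" and event.type == "change" and
      ((registry.value : "EnableGlobalQueryBlockList" and
        registry.data.strings : ("0", "0x00000000")) or
       (registry.value : "GlobalQueryBlockList" and
        not registry.data.strings : "wpad"))
    """
    if event.get("event.category") != "registry":
        return None
    if event.get("host.os.type") != "windows" or event.get("event.type") != "change":
        return None
    value = event.get("registry.value")
    data = event.get("registry.data.strings")
    if _eql_match(value, "EnableGlobalQueryBlockList") and _eql_match(data, "0", "0x00000000"):
        return "GQBL disabled"
    if _eql_match(value, "GlobalQueryBlockList") and not _eql_match(data, "wpad"):
        return "wpad removed from GQBL"
    return None


def run_rule(events):
    """Evaluate the rule over an iterable of events; return [(event_id, reason)]."""
    hits = []
    for ev in events:
        reason = gqbl_alert_reason(ev)
        if reason:
            hits.append((ev["id"], reason))
    return hits


# Constructed sample events (not real telemetry).
_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"


def _ev(eid, value, data, os_type="windows", etype="change"):
    """Build one ECS-style registry change event (hypothetical helper)."""
    return {
        "id": eid,
        "event.category": "registry",
        "event.type": etype,
        "host.os.type": os_type,
        "registry.path": f"{_KEY}\\{value}",
        "registry.value": value,
        "registry.data.strings": data,
    }


SAMPLE_EVENTS = [
    _ev("e1", "EnableGlobalQueryBlockList", ["0"]),                  # list switched off
    _ev("e2", "EnableGlobalQueryBlockList", ["0x00000000"]),         # same change, hex form the rule also accepts
    _ev("e3", "EnableGlobalQueryBlockList", ["1"]),                  # re-enabled: benign
    _ev("e4", "GlobalQueryBlockList", list(DEFAULT_GQBL)),           # default list rewritten: benign
    _ev("e5", "GlobalQueryBlockList", ["isatap"]),                   # wpad dropped from the list
    _ev("e6", "GlobalQueryBlockList", []),                           # list emptied
    _ev("e7", "GlobalQueryBlockList", ["WPAD", "isatap"]),           # case differs: still benign under `:`
    _ev("e8", "GlobalQueryBlockList", ["isatap"], os_type="linux"),  # wrong OS: filtered out
]

if __name__ == "__main__":
    for eid, reason in run_rule(SAMPLE_EVENTS):
        print(eid, reason)
```

Events e1, e2, e5 and e6 fire; e7 does not, because `:` ignores case. Note that the query carries no `registry.path` constraint, so a value named GlobalQueryBlockList under any key would match; in practice the value only exists on hosts running the DNS Server role, which is where to confirm an alert: `Get-DnsServerGlobalQueryBlockList` (DnsServer PowerShell module) shows the current Enable flag and list, and `Set-DnsServerGlobalQueryBlockList -Enable $true -List wpad,isatap` restores the default.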
