DNS Global Query Block List Modified or Disabled

Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/05/31"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/05/31"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain
11DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can
12modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation
13and lateral movement.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.registry-*", "logs-windows.sysmon_operational-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "DNS Global Query Block List Modified or Disabled"
20references = [
21    "https://cube0x0.github.io/Pocing-Beyond-DA/",
22    "https://www.thehacker.recipes/ad/movement/mitm-and-coerced-authentications/wpad-spoofing",
23    "https://www.netspi.com/blog/technical-blog/network-penetration-testing/adidns-revisited/"
24]
25risk_score = 47
26rule_id = "57bfa0a9-37c0-44d6-b724-54bf16787492"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Defense Evasion",
33    "Data Source: Elastic Defend",
34    "Data Source: Sysmon"
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40registry where host.os.type == "windows" and event.type : "change" and
41(
42  (registry.value : "EnableGlobalQueryBlockList" and registry.data.strings : ("0", "0x00000000")) or
43  (registry.value : "GlobalQueryBlockList" and not registry.data.strings : "wpad")
44)
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1562"
52name = "Impair Defenses"
53reference = "https://attack.mitre.org/techniques/T1562/"
54[[rule.threat.technique.subtechnique]]
55id = "T1562.001"
56name = "Disable or Modify Tools"
57reference = "https://attack.mitre.org/techniques/T1562/001/"
58
59
60
61[rule.threat.tactic]
62id = "TA0005"
63name = "Defense Evasion"
64reference = "https://attack.mitre.org/tactics/TA0005/"
65
66
67[[rule.threat]]
68framework = "MITRE ATT&CK"
69[[rule.threat.technique]]
70id = "T1557"
71name = "Adversary-in-the-Middle"
72reference = "https://attack.mitre.org/techniques/T1557/"
73
74
75[rule.threat.tactic]
76id = "TA0006"
77name = "Credential Access"
78reference = "https://attack.mitre.org/tactics/TA0006/"

References

Related rules

to-top