Unsigned DLL loaded by DNS Service

 1[metadata]
 2creation_date = "2024/05/29"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/10/17"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll
13functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Unsigned DLL loaded by DNS Service"
20references = [
21    "https://cube0x0.github.io/Pocing-Beyond-DA/",
22    "https://adsecurity.org/?p=4064",
23    "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
24]
25risk_score = 47
26rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
27severity = "medium"
28tags = [
29    "Domain: Endpoint",
30    "OS: Windows",
31    "Use Case: Threat Detection",
32    "Tactic: Privilege Escalation",
33    "Data Source: Elastic Defend",
34    "Data Source: Sysmon"
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40any where host.os.type == "windows" and event.category : ("library", "process") and
41  event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
42  process.executable : "?:\\windows\\system32\\dns.exe" and 
43  not ?dll.code_signature.trusted == true and
44  not file.code_signature.status == "Valid"
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1068"
52name = "Exploitation for Privilege Escalation"
53reference = "https://attack.mitre.org/techniques/T1068/"
54
55
56[rule.threat.tactic]
57id = "TA0004"
58name = "Privilege Escalation"
59reference = "https://attack.mitre.org/tactics/TA0004/"

References

• https://cube0x0.github.io/Pocing-Beyond-DA/

  
  Read More

• » From DNSAdmins to Domain Admin, When DNSAdmins is More than Just DNS Administration » Active Directory Security

  It’s been almost 1.5 years since the Medium post by Shay Ber was published that explained how to execute a DLL as SYSTEM on a Domain Controller provided the account is a member of DNSAdmins. I fina...

  
  Read More

• PSBits/ServerLevelPluginDll at master · gtworek/PSBits

  

  Simple (relatively) things allowing you to dig a bit deeper than usual. - gtworek/PSBits

  
  Read More

Related rules

• Persistence via Update Orchestrator Service Hijack
• Potential Escalation via Vulnerable MSI Repair
• Suspicious Print Spooler Point and Print DLL
• Account Discovery Command via SYSTEM Account
• Conhost Spawned By Suspicious Parent Process