Unsigned DLL loaded by DNS Service
Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
# Elastic prebuilt detection rule (TOML). Flags image loads into the Windows DNS Server
# process (dns.exe) whose code signature is neither trusted nor reported as "Valid".
[metadata]
creation_date = "2024/05/29"
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/08/07"

[rule]
author = ["Elastic"]
description = """
Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll
functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
"""
# Search window for each scheduled run. Because timestamp_override (below) points at
# event.ingested, the window is applied to ingest time rather than @timestamp — presumably
# so events that reach the cluster late are still evaluated (TODO confirm against the
# rule's scheduling interval).
from = "now-9m"
# Two event sources: Elastic Defend library events and Sysmon image-load events (via the
# Windows integration or Winlogbeat). The query below accepts each source's event.action form.
index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Unsigned DLL loaded by DNS Service"
# Background reading on the ServerLevelPluginDll technique this rule is meant to detect.
references = [
 "https://cube0x0.github.io/Pocing-Beyond-DA/",
 "https://adsecurity.org/?p=4064",
 "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
]
risk_score = 47
rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Privilege Escalation",
 "Data Source: Elastic Defend",
 "Data Source: Sysmon"
]
timestamp_override = "event.ingested"
type = "eql"

# The EQL query is held in a TOML literal string ('''), so the "\\" sequences reach EQL
# unchanged; EQL reads each as one literal backslash in the path.
#  - `?:` in process.executable uses EQL's single-character wildcard so any drive letter matches.
#  - `Image loaded*` is wildcarded because the Sysmon event.action text presumably carries a
#    trailing rule suffix; `load` is the Elastic Defend spelling.
#  - The `?` prefix on dll.code_signature.trusted marks the field optional in EQL, so the query
#    does not fail when that field is unmapped (e.g. in Sysmon-only indices).
#  - Both negated checks must hold: the load is reported only when dll.code_signature.trusted is
#    not true AND file.code_signature.status is not "Valid" (a missing field satisfies either).
# NOTE(review): file.code_signature.status carries no `?` prefix; if it were unmapped in every
# index matched by the patterns above, the query would error rather than match — confirm
# against the index mappings when adding new data sources.
query = '''
any where host.os.type == "windows" and event.category : ("library", "process") and
 event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
 process.executable : "?:\\windows\\system32\\dns.exe" and
 not ?dll.code_signature.trusted == true and
 not file.code_signature.status == "Valid"
'''


# MITRE ATT&CK mapping: technique T1068 under the Privilege Escalation tactic (TA0004).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"


[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"