Unsigned DLL loaded by DNS Service

Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2024/05/29"
 3integration = ["endpoint"]
 4maturity = "production"
 5updated_date = "2024/08/07"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll
11functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "winlogbeat-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Unsigned DLL loaded by DNS Service"
18references = [
19    "https://cube0x0.github.io/Pocing-Beyond-DA/",
20    "https://adsecurity.org/?p=4064",
21    "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll"
22]
23risk_score = 47
24rule_id = "5d676480-9655-4507-adc6-4eec311efff8"
25severity = "medium"
26tags = [
27    "Domain: Endpoint",
28    "OS: Windows",
29    "Use Case: Threat Detection",
30    "Tactic: Privilege Escalation",
31    "Data Source: Elastic Defend",
32    "Data Source: Sysmon"
33]
34timestamp_override = "event.ingested"
35type = "eql"
36
37query = '''
38any where host.os.type == "windows" and event.category : ("library", "process") and
39  event.type : ("start", "change") and event.action : ("load", "Image loaded*") and
40  process.executable : "?:\\windows\\system32\\dns.exe" and 
41  not ?dll.code_signature.trusted == true and
42  not file.code_signature.status == "Valid"
43'''
44
45
46[[rule.threat]]
47framework = "MITRE ATT&CK"
48[[rule.threat.technique]]
49id = "T1068"
50name = "Exploitation for Privilege Escalation"
51reference = "https://attack.mitre.org/techniques/T1068/"
52
53
54[rule.threat.tactic]
55id = "TA0004"
56name = "Privilege Escalation"
57reference = "https://attack.mitre.org/tactics/TA0004/"

References

Related rules

to-top