Powershell Add Name Resolution Policy Table Rule
Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for a specified namespace. Queries for that namespace bypass the client's default DNS servers and are sent to the name servers specified in the rule instead, so an attacker can silently redirect resolution of chosen domains.
Sigma rule
```yaml
title: Powershell Add Name Resolution Policy Table Rule
id: 4368354e-1797-463c-bc39-a309effbe8d7
status: test
description: |
    Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for a specified namespace.
    Queries for that namespace bypass the default DNS server and are answered by the name servers specified in the rule.
references:
    - https://twitter.com/NathanMcNulty/status/1569497348841287681
    - https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
author: Borna Talebi
date: 2021-09-14
modified: 2022-10-09
tags:
    - attack.impact
    - attack.t1565
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            # Prefixes rather than full names: PowerShell accepts any unambiguous
            # abbreviation of a parameter (-Namesp matches -Namespace, -NameSe matches -NameServers).
            - 'Add-DnsClientNrptRule'
            - '-Namesp'
            - '-NameSe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
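To make the selection concrete, the following is an added example (not part of the Sigma rule or of the SigmaHQ page) that applies the rule's `ScriptBlockText|contains|all` logic to a handful of constructed PowerShell script block records, of the kind Script Block Logging writes to Event ID 4104 in `Microsoft-Windows-PowerShell/Operational`. Sigma string modifiers match case-insensitively by default, so the check lowercases both sides. The record contents, namespace and server address are made up for illustration; record 4 uses parameter splatting and is included to show that the rule keys on the literal `-Namesp` / `-NameSe` tokens and does not fire on that form.

```python
"""Added example: evaluate the NRPT Sigma selection over constructed 4104 records."""

# The three substrings from the rule's selection. `-Namesp` and `-NameSe` are
# prefixes on purpose: PowerShell accepts any unambiguous abbreviation of a
# parameter name, so `-Namespace` and `-NameServers` may appear shortened.
SELECTION = ("Add-DnsClientNrptRule", "-Namesp", "-NameSe")


def matches_rule(script_block_text: str) -> bool:
    """Sigma `contains|all` with the default case-insensitive matching."""
    haystack = script_block_text.lower()
    return all(needle.lower() in haystack for needle in SELECTION)


# Constructed sample records (hypothetical; only the ScriptBlockText field of
# an Event ID 4104 record is modelled). Namespace and address are invented.
SAMPLE_EVENTS = [
    # 1: full parameter names, the form in the Microsoft documentation
    {"id": 1, "ScriptBlockText":
        'Add-DnsClientNrptRule -Namespace ".corp.example" -NameServers "10.0.0.53"'},
    # 2: abbreviated parameters and mixed case; still matched by the prefixes
    {"id": 2, "ScriptBlockText":
        'add-dnsclientnrptrule -namesp ".corp.example" -namese "10.0.0.53"'},
    # 3: benign read of the NRPT; different cmdlet, must not fire
    {"id": 3, "ScriptBlockText":
        'Get-DnsClientNrptRule | Where-Object Namespace -eq ".corp.example"'},
    # 4: same action via splatting; no `-Namesp`/`-NameSe` tokens, so not matched
    {"id": 4, "ScriptBlockText":
        '$p = @{Namespace = ".corp.example"; NameServers = "10.0.0.53"}; '
        'Add-DnsClientNrptRule @p'},
]


def alerting_event_ids(events) -> list:
    """Return the ids of the records the selection would alert on."""
    return [e["id"] for e in events if matches_rule(e["ScriptBlockText"])]


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f'record {e["id"]}: {"ALERT" if matches_rule(e["ScriptBlockText"]) else "no match"}')
    print("alerting records:", alerting_event_ids(SAMPLE_EVENTS))  # [1, 2]
```

Running it alerts on records 1 and 2 only. Record 4 shows the limit of a substring rule over script block text: the cmdlet name is present, but the parameters are passed through a hashtable, so neither `-Namesp` nor `-NameSe` appears. Whether to broaden the selection to catch that form is a tuning decision for the environment; the page's rule as written requires all three tokens.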
References
- https://twitter.com/NathanMcNulty/status/1569497348841287681
- https://learn.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
Related rules
- AWS EC2 Disable EBS Encryption
- Google Cloud Re-identifies Sensitive Information
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript
- AWS EFS Fileshare Modified or Deleted