New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Sigma rule (View on GitHub)
1title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
2id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
3related:
4 - id: e61e8a88-59a9-451c-874e-70fcc9740d67
5 type: derived
6 - id: cbe51394-cd93-4473-b555-edf0144952d9
7 type: derived
8status: test
9description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
10references:
11 - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
12 - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
13author: Florian Roth (Nextron Systems)
14date: 2017/05/08
15modified: 2023/02/05
16tags:
17 - attack.defense_evasion
18 - attack.t1574.002
19 - attack.t1112
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 Image|endswith: '\dnscmd.exe'
26 CommandLine|contains|all:
27 - '/config'
28 - '/serverlevelplugindll'
29 condition: selection
30falsepositives:
31 - Unknown
32level: high
References
Related rules
- DNS Server Error Failed Loading the ServerLevelPluginDLL
- NetNTLM Downgrade Attack
- Xwizard DLL Sideloading
- Enable WDigest using PowerShell (ps_module)
- UAC Bypass With Fake DLL