New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

 1title: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE
 2id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
 3related:
 4    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
 5      type: derived
 6    - id: cbe51394-cd93-4473-b555-edf0144952d9
 7      type: derived
 8status: test
 9description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
10references:
11    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
12    - https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
13author: Florian Roth (Nextron Systems)
14date: 2017-05-08
15modified: 2023-02-05
16tags:
17    - attack.defense-evasion
18    - attack.t1574.002
19    - attack.t1112
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection:
25        Image|endswith: '\dnscmd.exe'
26        CommandLine|contains|all:
27            - '/config'
28            - '/serverlevelplugindll'
29    condition: selection
30falsepositives:
31    - Unknown
32level: high

References

• Feature, not bug: DNSAdmin to DC compromise in one line

  

  Background

  
  Read More

• (0x64 ∧ 0x6d) ∨ 0x69 ~ Hunting DNS Server Level Plugin dll injection

  

  The Windows DNS Server management protocol, which is based on RPC, allows DnsAdmins and higher privileged Users to load arbitary dlls as plugins into the DNS service via DnssrvOperation2. Here's how to monitor for that event.

  
  Read More

Related rules

• DHCP Callout DLL Installation
• New DNS ServerLevelPluginDll Installed
• APT27 - Emissary Panda Activity
• Activate Suppression of Windows Security Center Notifications
• Add DisallowRun Execution to Registry