rules/windows/process_creation/proc_creation_win_dns_serverlevelplugindll.yml

title: DNS ServerLevelPluginDll Install
id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
related:
    - id: e61e8a88-59a9-451c-874e-70fcc9740d67
      type: derived
status: experimental
description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server
    (restart required)
references:
    - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
modified: 2021/09/12
author: Florian Roth
tags:
    - attack.defense_evasion
    - attack.t1574.002
    - attack.t1112
logsource:
    category: process_creation
    product: windows
detection:
    dnsadmin:
        Image|endswith: '\dnscmd.exe'
        CommandLine|contains|all: 
            - '/config'
            - '/serverlevelplugindll'
    condition: dnsadmin
falsepositives:
    - Unknown
level: high
fields:
    - EventID
    - CommandLine
    - ParentCommandLine
    - Image
    - User
    - TargetObject
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`title: DNS ServerLevelPluginDll Install`
$frack113$ split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00			`id: f63b56ee-3f79-4b8a-97fb-5c48007e8573`
			`related:`
			`- id: e61e8a88-59a9-451c-874e-70fcc9740d67`
			`type: derived`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`status: experimental`
			`description: Detects the installation of a plugin DLL via ServerLevelPluginDll parameter in Registry, which can be used to execute code in context of the DNS server`
			`(restart required)`
			`references:`
			`- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83`
			`date: 2017/05/08`
$frack113$ split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00			`modified: 2021/09/12`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`author: Florian Roth`
			`tags:`
			`- attack.defense_evasion`
att&ck tags review: windows/registry_event 2020-09-06 22:08:27 +03:00			`- attack.t1574.002`
			`- attack.t1112`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`dnsadmin:`
Update sysmon_dns_serverlevelplugindll.yml 2020-11-28 13:46:02 -03:00			`Image\|endswith: '\dnscmd.exe'`
			`CommandLine\|contains\|all:`
			`- '/config'`
			`- '/serverlevelplugindll'`
$frack113$ split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00			`condition: dnsadmin`
			`falsepositives:`
fix: unknown --> Unknown 2022-03-16 13:43:54 +01:00			`- Unknown`
$frack113$ split sysmon_dns_serverlevelplugindll.yml 2021-09-12 09:53:20 +02:00			`level: high`
			`fields:`
			`- EventID`
			`- CommandLine`
			`- ParentCommandLine`
			`- Image`
			`- User`
			`- TargetObject`