From 263c98a2c8ff1841b6a01cbb8bccf006eef401d5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 8 May 2017 13:09:50 +0200
Subject: [PATCH] Suspicious DNS Server Config Error - ServerLevelPluginDLL issue
---
rules/windows/builtin/win_sups_dns_config.yml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 rules/windows/builtin/win_sups_dns_config.yml
diff --git a/rules/windows/builtin/win_sups_dns_config.yml b/rules/windows/builtin/win_sups_dns_config.yml
new file mode 100644
index 000000000..11dd8dff1
--- /dev/null
+++ b/rules/windows/builtin/win_sups_dns_config.yml
@@ -0,0 +1,18 @@
+title: DNS Server Error Failed Loading the ServerLevelPluginDLL
+description: This rule detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
+status: experimental
+reference:
+ - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
+ - https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
+author: Florian Roth
+logsource:
+ product: windows
+ service: dns-server
+detection:
+ selection:
+ EventID: 150
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
+
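Review bot: The `condition: selection and not filter` line references a search identifier `filter` that the `detection` block never defines; only `selection` exists. Depending on the converter or backend, the rule will probably either fail to compile or produce a query that never matches, so it may silently detect nothing. Either change the line to `condition: selection`, or add a `filter:` entry that lists the known-benign plugin DLLs to exclude. As written, the rule matches only the load-failure event (EventID 150), so a plugin DLL that loads successfully would presumably not trigger it, and the description should say it covers failed attempts only. The file name `win_sups_dns_config.yml` also looks like a typo for `win_susp_…`, which will make the rule harder to find next to its siblings.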