From d072472b25d7cbd1e8913fcd15e9fc62ca46ea13 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 10 May 2022 21:29:05 +0000 Subject: [PATCH] filtering out dnsZoneScope --- .../builtin/security/win_account_backdoor_dcsync_rights.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml index 4fb27b2df..9218d3288 100644 --- a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml +++ b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml @@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer status: experimental date: 2019/04/03 -modified: 2022/05/05 +modified: 2022/05/10 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton references: - https://twitter.com/menasec1/status/1111556090137903104 @@ -24,7 +24,9 @@ detection: - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' - '89e95b76-444d-4c62-991a-0facbeda640c' filter1: - ObjectType: 'dnsNode' + ObjectType: + - 'dnsNode' + - 'dnsZoneScope' condition: selection and not 1 of filter* falsepositives: - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
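Review bot: in the second hunk, adding 'dnsZoneScope' to filter1 widens the exclusion to every event on that object class, because `condition: selection and not 1 of filter*` discards a match as soon as any filter fires, so an event carrying the replication-rights GUIDs from the selection on a dnsZoneScope object would no longer alert. Nothing in the diff records why dnsZoneScope objects are benign noise for this rule: the `falsepositives` list still only mentions new Domain Controller computer accounts and the description is untouched. Suggest documenting the DNS-object case next to the dnsNode exclusion in `falsepositives`, and, if the noise comes from a particular attribute or writer rather than the whole class, narrowing filter1 to that instead of the bare `ObjectType` value.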