From d078d47360c00849778d834ce0f491c836632be5 Mon Sep 17 00:00:00 2001
From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com>
Date: Wed, 14 Sep 2022 22:32:35 +0430
Subject: [PATCH] New Rule: Windows DNS Client Rule

---
 .../posh_ps_add_dnsclient_rule.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml

diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
new file mode 100644
index 000000000..637bf65e2
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml
@@ -0,0 +1,23 @@
+title: Windows DNS Client Commands
+id: 4368354e-1797-463c-bc39-a309effbe8d7
+status: experimental
+description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query.
+references:
+    - https://twitter.com/NathanMcNulty/status/1569497348841287681
+    - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps
+author: Borna Talebi
+date: 2021/09/14
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script Block Logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains: Add-DnsClientNrptRule
+    condition: selection
+tags:
+    - attack.impact
+    - attack.t1565
+falsepositives:
+    - Unknown
+level: high
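Review bot: The `date: 2021/09/14` field in the new rule disagrees with the commit date (14 Sep 2022) and with the referenced tweet, which is from September 2022, so the year looks like a typo; it should read `date: 2022/09/14`. The `falsepositives` entry of `Unknown` combined with `level: high` is worth revisiting, since Add-DnsClientNrptRule is also used by administrators for legitimate split-DNS or name-resolution policy configuration, so a line such as `- Administrative scripts configuring NRPT rules for internal namespaces` would help analysts triage hits. The description should also be tightened for grammar, e.g. `description: Detects PowerShell scripts that add a Name Resolution Policy Table (NRPT) rule for a specified namespace, which bypasses the default DNS server and uses a specified server to answer the query.` Finally, the ATT&CK mapping to attack.impact / attack.t1565 (Data Manipulation) may not be the best fit for DNS resolution redirection; a mapping reflecting traffic redirection or defense evasion is presumably closer, though the author's intent should be confirmed.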