← Back to Explore
sigmahighHunting
New DNS ServerLevelPluginDll Installed
Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
Detection Query
selection:
TargetObject|endswith: \services\DNS\Parameters\ServerLevelPluginDll
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2017-05-08
Data Sources
windowsRegistry Set Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.persistenceattack.defense-evasionattack.t1574.001attack.t1112
Raw Content
title: New DNS ServerLevelPluginDll Installed
id: e61e8a88-59a9-451c-874e-70fcc9740d67
related:
- id: cbe51394-cd93-4473-b555-edf0144952d9
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-08-17
tags:
- attack.privilege-escalation
- attack.persistence
- attack.defense-evasion
- attack.t1574.001
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
falsepositives:
- Unknown
level: high