
[New Rule] Creation of a DNS-Named Record #3539


Merged
merged 4 commits into from
Mar 27, 2024


w0rk3r
Contributor

@w0rk3r w0rk3r commented Mar 26, 2024

Summary

Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because the default permission (Authenticated Users) allows any authenticated user to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records for names that are being requested by multiple systems. They can also create records for specific names, such as wpad, to target particular services for spoofing attacks.

Event Data

{
  "_index": ".ds-logs-system.security-default-2024.03.13-000023",
  "_id": "FbmZfI4B1-PCmUgAlUFI",
  "_version": 1,
  "_score": 0,
  "_source": {
    "input": {
      "type": "winlog"
    },
    "agent": {
      "name": "DC1",
      "id": "864e852b-44ba-4279-a13f-3276df8a2d95",
      "type": "filebeat",
      "ephemeral_id": "f7b65b5c-1b84-48b1-9dac-991ae292d3c8",
      "version": "8.12.2"
    },
    "@timestamp": "2024-03-26T21:10:20.991Z",
    "winlog": {
      "computer_name": "DC1.windomain.local",
      "process": {
        "pid": 716,
        "thread": {
          "id": 824
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x2d817f"
      },
      "channel": "Security",
      "event_data": {
        "SubjectUserName": "Administrator",
        "ObjectClass": "dnsNode",
        "ObjectDN": "DC=Test,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local",
        "OpCorrelationID": "{4d0ba21d-4c65-4ef1-957e-e65096ced78d}",
        "DSType": "%%14676",
        "DSName": "windomain.local",
        "ObjectGUID": "{42e1d468-2c4a-4470-a197-be0ed845120a}",
        "AppCorrelationID": "-",
        "SubjectDomainName": "WINDOMAIN",
        "SubjectLogonId": "0x2d817f",
        "SubjectUserSid": "S-1-5-21-3487213672-391124310-1193161923-500"
      },
      "opcode": "Info",
      "record_id": "892802",
      "task": "Directory Service Changes",
      "event_id": "5137",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "ecs": {
      "version": "8.0.0"
    },
    "log": {
      "level": "information"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "elastic_agent": {
      "id": "864e852b-44ba-4279-a13f-3276df8a2d95",
      "version": "8.12.2",
      "snapshot": false
    },
    "host": {
      "hostname": "dc1",
      "os": {
        "build": "20348.587",
        "kernel": "10.0.20348.587 (WinBuild.160101.0800)",
        "name": "Windows Server 2022 Datacenter Evaluation",
        "family": "windows",
        "type": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "fe80::d815:70c5:6eeb:862c",
        "192.168.94.100"
      ],
      "name": "dc1",
      "id": "69350a97-1de7-48e1-b6e4-c8b4aebcecba",
      "mac": [
        "00-0C-29-94-44-17"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-03-26T21:10:23Z",
      "code": "5137",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-03-26T21:10:22.990Z",
      "kind": "event",
      "action": "Directory Service Changes",
      "dataset": "system.security",
      "outcome": "success"
    },
    "message": "A directory service object was created.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3487213672-391124310-1193161923-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWINDOMAIN\n\tLogon ID:\t\t0x2D817F\n\t\nDirectory Service:\n\tName:\twindomain.local\n\tType:\tActive Directory Domain Services\n\t\nObject:\n\tDN:\tDC=Test,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local\n\tGUID:\t{42e1d468-2c4a-4470-a197-be0ed845120a}\n\tClass:\tdnsNode\n\t\nOperation:\n\tCorrelation ID:\t{4d0ba21d-4c65-4ef1-957e-e65096ced78d}\n\tApplication Correlation ID:\t-"
  },
  "fields": {
    "elastic_agent.version": [
      "8.12.2"
    ],
    "host.os.name.text": [
      "Windows Server 2022 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "winlog.event_data.DSType": [
      "%%14676"
    ],
    "host.hostname": [
      "dc1"
    ],
    "winlog.computer_name": [
      "DC1.windomain.local"
    ],
    "host.mac": [
      "00-0C-29-94-44-17"
    ],
    "winlog.process.pid": [
      716
    ],
    "winlog.event_data.AppCorrelationID": [
      "-"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "892802"
    ],
    "winlog.logon.id": [
      "0x2d817f"
    ],
    "host.os.name": [
      "Windows Server 2022 Datacenter Evaluation"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "DC1"
    ],
    "host.name": [
      "dc1"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "host.os.type": [
      "windows"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "winlog.event_data.ObjectGUID": [
      "{42e1d468-2c4a-4470-a197-be0ed845120a}"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "5137"
    ],
    "agent.id": [
      "864e852b-44ba-4279-a13f-3276df8a2d95"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-03-26T21:10:22.990Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-3487213672-391124310-1193161923-500"
    ],
    "winlog.process.thread.id": [
      824
    ],
    "host.os.build": [
      "20348.587"
    ],
    "host.ip": [
      "fe80::d815:70c5:6eeb:862c",
      "192.168.94.100"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x2d817f"
    ],
    "host.os.kernel": [
      "10.0.20348.587 (WinBuild.160101.0800)"
    ],
    "winlog.event_data.DSName": [
      "windomain.local"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.id": [
      "69350a97-1de7-48e1-b6e4-c8b4aebcecba"
    ],
    "winlog.event_data.ObjectClass": [
      "dnsNode"
    ],
    "winlog.event_data.OpCorrelationID": [
      "{4d0ba21d-4c65-4ef1-957e-e65096ced78d}"
    ],
    "winlog.task": [
      "Directory Service Changes"
    ],
    "elastic_agent.id": [
      "864e852b-44ba-4279-a13f-3276df8a2d95"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "Administrator"
    ],
    "winlog.event_data.ObjectDN": [
      "DC=Test,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local"
    ],
    "message": [
      "A directory service object was created.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3487213672-391124310-1193161923-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWINDOMAIN\n\tLogon ID:\t\t0x2D817F\n\t\nDirectory Service:\n\tName:\twindomain.local\n\tType:\tActive Directory Domain Services\n\t\nObject:\n\tDN:\tDC=Test,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local\n\tGUID:\t{42e1d468-2c4a-4470-a197-be0ed845120a}\n\tClass:\tdnsNode\n\t\nOperation:\n\tCorrelation ID:\t{4d0ba21d-4c65-4ef1-957e-e65096ced78d}\n\tApplication Correlation ID:\t-"
    ],
    "winlog.event_id": [
      "5137"
    ],
    "event.action": [
      "Directory Service Changes"
    ],
    "event.ingested": [
      "2024-03-26T21:10:23.000Z"
    ],
    "@timestamp": [
      "2024-03-26T21:10:20.991Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "f7b65b5c-1b84-48b1-9dac-991ae292d3c8"
    ],
    "winlog.event_data.SubjectDomainName": [
      "WINDOMAIN"
    ],
    "event.dataset": [
      "system.security"
    ]
  }
}

@w0rk3r w0rk3r merged commit 954a93c into main Mar 27, 2024
@w0rk3r w0rk3r deleted the dns_nodedns_creation branch March 27, 2024 21:21
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c)
Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule