[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717

w0rk3r · 2024-05-29T18:14:40Z

Issues

Part of #3005

Summary

Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges.

Data

Local DLL

{
  "_index": ".ds-logs-endpoint.events.library-default-2024.05.13-000023",
  "_id": "f0f8xI8B7lRF55sM_U-d",
  "_score": 1,
  "fields": {
    "host.os.full.text": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "dll.hash.md5": [
      "33a2855a13d9604a7f633877d31d367c"
    ],
    "event.category": [
      "library"
    ],
    "process.name.text": [
      "dns.exe"
    ],
    "host.os.name.text": [
      "Windows"
    ],
    "host.os.full": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      8396
    ],
    "dll.code_signature.exists": [
      false
    ],
    "host.mac": [
      "00-0c-29-cb-31-64",
      "00-0c-29-cb-31-5a"
    ],
    "process.code_signature.exists": [
      true
    ],
    "elastic.agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "dll.hash.sha256": [
      "92f130fbe6ad685d616742d4c60296800f0bff62a61f56a010b26e243e2b6e62"
    ],
    "process.code_signature.subject_name": [
      "Microsoft Windows"
    ],
    "host.os.version": [
      "1809 (10.0.17763.5830)"
    ],
    "host.os.name": [
      "Windows"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "process.code_signature.trusted": [
      true
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "process.Ext.ancestry": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTY3Mi0xNzE2OTk0NTU0LjM2MTg1NjMwMA==",
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTUzMi0xNzE2OTk0NTU0LjMwNzkwMTcwMA=="
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "dns.exe"
    ],
    "agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "ecs.version": [
      "8.10.0"
    ],
    "dll.Ext.relative_file_name_modify_time": [
      56.4623431
    ],
    "event.created": [
      "2024-05-29T15:34:08.557Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "dll.name": [
      "DNSMon.dll"
    ],
    "user.name": [
      "SYSTEM"
    ],
    "dll.Ext.relative_file_creation_time": [
      3818.5578636
    ],
    "process.entity_id": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTgzOTYtMTcxNjk5Njg0OC40MDA4MjIwMDA="
    ],
    "event.sequence": [
      19719
    ],
    "host.ip": [
      "192.168.56.10",
      "fe80::8c38:f506:d825:d6e2",
      "192.168.133.136",
      "fe80::6d5a:2830:b81f:3127",
      "127.0.0.1",
      "::1"
    ],
    "process.executable.caseless": [
      "c:\\windows\\system32\\dns.exe"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "dll.hash.sha1": [
      "7ef32dc8c9e13860df02d511b2613e28214efff6"
    ],
    "event.module": [
      "endpoint"
    ],
    "host.os.kernel": [
      "1809 (10.0.17763.5830)"
    ],
    "host.os.full.caseless": [
      "windows server 2019 datacenter evaluation 1809 (10.0.17763.5830)"
    ],
    "process.uptime": [
      0
    ],
    "user.domain": [
      "NT AUTHORITY"
    ],
    "host.id": [
      "b858c78f-843f-4fab-be54-219eb304c072"
    ],
    "process.name.caseless": [
      "dns.exe"
    ],
    "process.executable": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "process.code_signature.status": [
      "trusted"
    ],
    "dll.Ext.size": [
      117248
    ],
    "message": [
      "Endpoint DLL load event"
    ],
    "dll.path": [
      "C:\\Users\\vagrant\\Desktop\\DNSMon.dll"
    ],
    "host.os.Ext.variant": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "event.action": [
      "load"
    ],
    "event.ingested": [
      "2024-05-29T15:34:25Z"
    ],
    "@timestamp": [
      "2024-05-29T15:34:08.557Z"
    ],
    "host.os.platform": [
      "windows"
    ],
    "dll.Ext.load_index": [
      1
    ],
    "data_stream.dataset": [
      "endpoint.events.library"
    ],
    "event.type": [
      "start"
    ],
    "process.Ext.code_signature": [
      {
        "trusted": [
          true
        ],
        "subject_name": [
          "Microsoft Windows"
        ],
        "exists": [
          true
        ],
        "status": [
          "trusted"
        ]
      }
    ],
    "event.id": [
      "NZR056csaTF3atko+++++cAx"
    ],
    "event.dataset": [
      "endpoint.events.library"
    ],
    "host.os.name.caseless": [
      "windows"
    ],
    "dll.pe.imphash": [
      "ae7de2cb23363601a4d34fc41751caef"
    ],
    "user.name.text": [
      "SYSTEM"
    ]
  }
}

Remote DLL

{
  "_index": ".ds-logs-endpoint.events.library-default-2024.05.13-000023",
  "_id": "bWxixY8B7lRF55sMPIPY",
  "_score": 1,
  "fields": {
    "host.os.full.text": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "dll.hash.md5": [
      ""
    ],
    "event.category": [
      "library"
    ],
    "process.name.text": [
      "dns.exe"
    ],
    "host.os.name.text": [
      "Windows"
    ],
    "host.os.full": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      10592
    ],
    "dll.code_signature.exists": [
      false
    ],
    "host.mac": [
      "00-0c-29-cb-31-64",
      "00-0c-29-cb-31-5a"
    ],
    "process.code_signature.exists": [
      true
    ],
    "dll.code_signature.status": [
      "errorCode_endpoint: Initital state, no attempt to load signature was made"
    ],
    "elastic.agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "dll.hash.sha256": [
      ""
    ],
    "process.code_signature.subject_name": [
      "Microsoft Windows"
    ],
    "host.os.version": [
      "1809 (10.0.17763.5830)"
    ],
    "host.os.name": [
      "Windows"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "process.code_signature.trusted": [
      true
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "process.Ext.ancestry": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTY3Mi0xNzE2OTk0NTU0LjM2MTg1NjMwMA==",
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTUzMi0xNzE2OTk0NTU0LjMwNzkwMTcwMA=="
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "dns.exe"
    ],
    "agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "ecs.version": [
      "8.10.0"
    ],
    "event.created": [
      "2024-05-29T17:24:42.691Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "dll.name": [
      "DNSMon.dll"
    ],
    "user.name": [
      "SYSTEM"
    ],
    "dll.Ext.relative_file_creation_time": [
      10452.6916095
    ],
    "process.entity_id": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTEwNTkyLTE3MTcwMDM0NzEuMjQ3MzIzMDAw"
    ],
    "event.sequence": [
      35799
    ],
    "host.ip": [
      "192.168.56.10",
      "fe80::8c38:f506:d825:d6e2",
      "192.168.133.136",
      "fe80::6d5a:2830:b81f:3127",
      "127.0.0.1",
      "::1"
    ],
    "process.executable.caseless": [
      "c:\\windows\\system32\\dns.exe"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "dll.hash.sha1": [
      ""
    ],
    "event.module": [
      "endpoint"
    ],
    "host.os.kernel": [
      "1809 (10.0.17763.5830)"
    ],
    "host.os.full.caseless": [
      "windows server 2019 datacenter evaluation 1809 (10.0.17763.5830)"
    ],
    "process.uptime": [
      11
    ],
    "user.domain": [
      "NT AUTHORITY"
    ],
    "host.id": [
      "b858c78f-843f-4fab-be54-219eb304c072"
    ],
    "process.name.caseless": [
      "dns.exe"
    ],
    "process.executable": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "process.code_signature.status": [
      "trusted"
    ],
    "dll.Ext.size": [
      117248
    ],
    "message": [
      "Endpoint DLL load event"
    ],
    "dll.path": [
      "\\Device\\Mup\\WINTERFELL\\Users\\robb.stark\\Desktop\\DNSMon.dll"
    ],
    "host.os.Ext.variant": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "event.action": [
      "load"
    ],
    "event.ingested": [
      "2024-05-29T17:25:00Z"
    ],
    "@timestamp": [
      "2024-05-29T17:24:42.691Z"
    ],
    "host.os.platform": [
      "windows"
    ],
    "dll.Ext.load_index": [
      1
    ],
    "data_stream.dataset": [
      "endpoint.events.library"
    ],
    "event.type": [
      "start"
    ],
    "process.Ext.code_signature": [
      {
        "trusted": [
          true
        ],
        "subject_name": [
          "Microsoft Windows"
        ],
        "exists": [
          true
        ],
        "status": [
          "trusted"
        ]
      }
    ],
    "event.id": [
      "NZR056csaTF3atko++++/+BX"
    ],
    "event.dataset": [
      "endpoint.events.library"
    ],
    "host.os.name.caseless": [
      "windows"
    ],
    "dll.pe.imphash": [
      ""
    ],
    "user.name.text": [
      "SYSTEM"
    ]
  }
}

…luginDll

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

Aegrah

Two questions but looks good to me! Approving as I know you will consider the questions anyways.

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

terrancedejesus

Added a question about expanding scope a bit. Otherwise, looks good!

…luginDll (#3717) * [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll * Update privilege_escalation_dns_serverlevelplugindll.toml * Update privilege_escalation_dns_serverlevelplugindll.toml * Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit 4eff7c6)

[New Rule] Potential DNS Server Privilege Escalation via ServerLevelP…

e61c386

…luginDll

w0rk3r added Rule: New Proposal for new rule OS: Windows windows related rules Domain: Endpoint backport: auto labels May 29, 2024

w0rk3r requested review from brokensound77, DefSecSentinel, Samirbous, Aegrah and terrancedejesus May 29, 2024 18:14

w0rk3r self-assigned this May 29, 2024

w0rk3r commented May 29, 2024

View reviewed changes

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml Outdated Show resolved Hide resolved

w0rk3r mentioned this pull request May 29, 2024

[Meta] Explore Detection Opportunities on Active Directory Default Groups Abuse #3005

Closed

Aegrah approved these changes May 30, 2024

View reviewed changes

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml Outdated Show resolved Hide resolved

Samirbous reviewed May 30, 2024

View reviewed changes

Update privilege_escalation_dns_serverlevelplugindll.toml

ea51f6f

w0rk3r requested a review from Samirbous May 31, 2024 14:36

Update privilege_escalation_dns_serverlevelplugindll.toml

fe31a00

w0rk3r requested a review from Aegrah May 31, 2024 14:46

Aegrah approved these changes May 31, 2024

View reviewed changes

w0rk3r commented Jun 3, 2024

View reviewed changes

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml Outdated Show resolved Hide resolved

w0rk3r added 2 commits June 3, 2024 10:13

Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

7675980

Merge branch 'main' into dns_lib

6c4d568

Samirbous approved these changes Jun 3, 2024

View reviewed changes

Samirbous and others added 2 commits June 3, 2024 17:52

Merge branch 'main' into dns_lib

93ac2dc

Merge branch 'main' into dns_lib

c8367ca

terrancedejesus reviewed Jun 11, 2024

View reviewed changes

rules/windows/privilege_escalation_dns_serverlevelplugindll.toml Show resolved Hide resolved

terrancedejesus approved these changes Jun 11, 2024

View reviewed changes

w0rk3r added 2 commits June 12, 2024 08:07

Merge branch 'main' into dns_lib

9b9032b

Merge branch 'main' into dns_lib

7650867

Merge branch 'main' into dns_lib

562fb20

w0rk3r merged commit 4eff7c6 into main Jun 12, 2024
9 checks passed

w0rk3r deleted the dns_lib branch June 12, 2024 18:18

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717

[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717

w0rk3r commented May 29, 2024

Aegrah left a comment

terrancedejesus left a comment

[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717

[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll #3717

Conversation

w0rk3r commented May 29, 2024

Issues

Summary

Data

Local DLL

Remote DLL

Aegrah left a comment

Choose a reason for hiding this comment

terrancedejesus left a comment

Choose a reason for hiding this comment