From e61c3864a46fc8811738bfbf0aa3acc7c26399b7 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Wed, 29 May 2024 15:07:35 -0300 Subject: [PATCH 1/4] [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll --- ...e_escalation_dns_serverlevelplugindll.toml | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 rules/windows/privilege_escalation_dns_serverlevelplugindll.toml diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml new file mode 100644 index 00000000000..794278186eb --- /dev/null +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -0,0 +1,55 @@ +[metadata] +creation_date = "2024/05/29" +integration = ["endpoint"] +maturity = "production" +updated_date = "2024/05/29" + +[rule] +author = ["Elastic"] +description = """ +Identifies unusual DLLs loaded by the DNS Server process, potentially indicating the abuse of the ServerLevelPluginDll +functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges. +""" +from = "now-9m" +index = ["logs-endpoint.events.library-*"] +language = "eql" +license = "Elastic License v2" +name = "Potential DNS Server Privilege Escalation via ServerLevelPluginDll" +references = [ + "https://cube0x0.github.io/Pocing-Beyond-DA/", + "https://adsecurity.org/?p=4064", + "https://github.com/gtworek/PSBits/tree/master/ServerLevelPluginDll" +] +risk_score = 47 +rule_id = "5d676480-9655-4507-adc6-4eec311efff8" +severity = "medium" +tags = [ + "Domain: Endpoint", + "OS: Windows", + "Use Case: Threat Detection", + "Tactic: Privilege Escalation", + "Data Source: Elastic Defend" +] +timestamp_override = "event.ingested" +type = "eql" + +query = ''' +library where host.os.type == "windows" and + process.name : "dns.exe" and + not dll.code_signature.subject_name : "Microsoft*" +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1068" +name = "Exploitation for Privilege Escalation" +reference = "https://attack.mitre.org/techniques/T1068/" + + +[rule.threat.tactic] +id = "TA0004" +name = "Privilege Escalation" +reference = "https://attack.mitre.org/tactics/TA0004/" + From ea51f6f4909eb6a4e65c90ab4e1138889016cc35 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 31 May 2024 11:36:08 -0300 Subject: [PATCH 2/4] Update privilege_escalation_dns_serverlevelplugindll.toml --- ...ilege_escalation_dns_serverlevelplugindll.toml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 794278186eb..9e14cf2249c 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -11,10 +11,10 @@ Identifies unusual DLLs loaded by the DNS Server process, potentially indicating functionality. This can lead to privilege escalation and remote code execution with SYSTEM privileges. """ from = "now-9m" -index = ["logs-endpoint.events.library-*"] +index = ["logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"] language = "eql" license = "Elastic License v2" -name = "Potential DNS Server Privilege Escalation via ServerLevelPluginDll" +name = "Unsigned DLL loaded by DNS Service" references = [ "https://cube0x0.github.io/Pocing-Beyond-DA/", "https://adsecurity.org/?p=4064", @@ -28,15 +28,18 @@ tags = [ "OS: Windows", "Use Case: Threat Detection", "Tactic: Privilege Escalation", - "Data Source: Elastic Defend" + "Data Source: Elastic Defend", + "Data Source: Sysmon" ] timestamp_override = "event.ingested" type = "eql" query = ''' -library where host.os.type == "windows" and - process.name : "dns.exe" and - not dll.code_signature.subject_name : "Microsoft*" +any where host.os.type == "windows" and event.category : ("library", "process") and + event.type : ("start", "change") and event.action : ("load", "Image loaded*") and + process.executable : "?:\\windows\\system32\\dns.exe" and + not ?dll.code_signature.trusted == "true" and + not file.code_signature.status != "Valid" ''' From fe31a002d89631e31131b5259ad686d0aec4bfdb Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Fri, 31 May 2024 11:37:48 -0300 Subject: [PATCH 3/4] Update privilege_escalation_dns_serverlevelplugindll.toml --- .../windows/privilege_escalation_dns_serverlevelplugindll.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index 9e14cf2249c..a9f57b17fe5 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -39,7 +39,7 @@ any where host.os.type == "windows" and event.category : ("library", "process") event.type : ("start", "change") and event.action : ("load", "Image loaded*") and process.executable : "?:\\windows\\system32\\dns.exe" and not ?dll.code_signature.trusted == "true" and - not file.code_signature.status != "Valid" + not file.code_signature.status == "Valid" ''' From 7675980b298b9c84c58f105f9707c02f08958211 Mon Sep 17 00:00:00 2001 From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Date: Mon, 3 Jun 2024 10:13:52 -0300 Subject: [PATCH 4/4] Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml --- .../windows/privilege_escalation_dns_serverlevelplugindll.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml index a9f57b17fe5..20aa16f0d5b 100644 --- a/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml +++ b/rules/windows/privilege_escalation_dns_serverlevelplugindll.toml @@ -38,7 +38,7 @@ query = ''' any where host.os.type == "windows" and event.category : ("library", "process") and event.type : ("start", "change") and event.action : ("load", "Image loaded*") and process.executable : "?:\\windows\\system32\\dns.exe" and - not ?dll.code_signature.trusted == "true" and + not ?dll.code_signature.trusted == true and not file.code_signature.status == "Valid" '''