Potential ADIDNS Poisoning via Wildcard Record Creation
Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.
Active Directory Integrated DNS (ADIDNS) stores DNS zones and their records as Active Directory objects (dnsZone and dnsNode), which provides ACL-based access control and multi-master replication but also exposes DNS to abuse of those ACLs. The central concern is wildcard records: by default the zone ACL grants Authenticated Users the right to create child objects, so any domain account can add new dnsNode records, including one named "*". Because DNS answers a wildcard for every query whose name has no explicit record in the zone, an attacker who creates one receives the traffic for mistyped or stale hostnames and can act as an adversary-in-the-middle. The effect resembles LLMNR/NBNS spoofing, but since clients consult DNS before falling back to LLMNR/NBNS, an ADIDNS wildcard answers first and works even where those protocols are disabled. Existing records are not overridden; only names with no record are affected. This poses a high risk to organizations relying on ADIDNS for domain consistency and secure name resolution.
Attack Chain
- Attacker authenticates to the domain.
- Attacker uses the default create-child permission granted to Authenticated Users on the zone to create a wildcard DNS record (A record) within an ADIDNS zone.
- The wildcard record is created with a DN like DC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com, where the leftmost DC=* is the wildcard label and CN=MicrosoftDNS marks the ADIDNS container. If Directory Service Changes auditing is enabled and the zone carries a SACL for object creation, the domain controller logs Event ID 5137 (a directory service object was created) for the new dnsNode.
- The wildcard record points to a server controlled by the attacker.
- A client attempts to resolve a domain name that does not have an explicit DNS record.
- Due to the wildcard record, the DNS query resolves to the attacker’s malicious server.
- The client connects to the attacker’s server, potentially exposing credentials or other sensitive information.
- The attacker intercepts or relays the client’s traffic, gaining unauthorized access or control.
Impact
Successful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain control over systems within the affected domain. The impact includes unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical domain services. This can affect any organization using Active Directory Integrated DNS, leading to widespread disruption and data breaches.
Recommendation
- Enable the “Audit Directory Service Changes” subcategory (Success) on domain controllers and apply a SACL to the DNS zone (or the CN=MicrosoftDNS container) that audits creation of child objects; both are required before Event ID 5137 is written for new records, as described in the setup instructions.
- Deploy the Sigma rule “Potential ADIDNS Poisoning via Wildcard Record Creation” to detect the creation of wildcard DNS records in ADIDNS based on Windows Event ID 5137.
- Review and restrict ADIDNS permissions for DNS zones to limit wildcard-creation opportunities, in particular the Create All Child Objects right granted to Authenticated Users. Where business processes (e.g. dynamic updates) require that right, pre-creating a wildcard record that points at a sinkhole address prevents an attacker from creating their own.
- Investigate any alerts generated by the Sigma rule, focusing on winlog.event_data.ObjectDN (the zone and label created), user.name (SubjectUserName), and the originating session (SubjectLogonId) as outlined in the rule’s note field. A wildcard created by an unprivileged user account, or outside a change window, should be treated as an attack in progress.
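The triage logic behind the recommendations above, as an added example that is not part of the original page or the Sigma rule it describes: a small Python filter that takes winlog-style Event 5137 records, keeps only dnsNode creations whose leftmost label is a wildcard (either "*" at the zone apex or "*.<sub>" for a sub-tree), and reports the zone, label, creating user and logon ID for each. The events are constructed sample data, the field names follow the Winlogbeat/Elastic flattening referenced by the rule, and the `expected_admins` allowlist is an assumption for triaging a defensively pre-created wildcard.

```python
"""Triage Windows Security Event 5137 records for ADIDNS wildcard creation.

Added example, not code from the original page or the Sigma rule it refers
to. The events below are constructed; the field layout follows the winlog
(Winlogbeat/Elastic) flattening the page's note field mentions.
"""
import re

# Event 5137 is "A directory service object was created". ADIDNS stores every
# record as a dnsNode whose DN is DC=<label>,DC=<zone>,CN=MicrosoftDNS,<partition>.
# A wildcard is a leftmost label of "*" (zone apex) or "*.<sub>" (a sub-tree),
# in any partition (DomainDnsZones, ForestDnsZones or the domain NC).
WILDCARD_NODE = re.compile(
    r"^DC=(?P<label>\*(?:\.[^,]+)?),DC=(?P<zone>[^,]+),.*CN=MicrosoftDNS,",
    re.IGNORECASE,
)


def match_wildcard_dnsnode(event):
    """Return the regex match if `event` is a 5137 creating a wildcard dnsNode, else None."""
    if event.get("event_id") != 5137:  # 5136 (modify) / 5141 (delete) are out of scope
        return None
    data = event.get("event_data", {})
    if data.get("ObjectClass", "").lower() != "dnsnode":
        return None
    return WILDCARD_NODE.match(data.get("ObjectDN", "").strip())


def find_wildcard_creations(events, expected_admins=()):
    """Return one triage record per wildcard dnsNode creation.

    `expected_admins` is an assumed allowlist of accounts permitted to create a
    defensive wildcard (e.g. a sinkhole record); such hits are kept but flagged
    rather than silently dropped.
    """
    allow = {a.lower() for a in expected_admins}
    alerts = []
    for event in events:
        m = match_wildcard_dnsnode(event)
        if m is None:
            continue
        data = event["event_data"]
        user = data.get("SubjectUserName", "?")
        alerts.append({
            "zone": m.group("zone"),
            "label": m.group("label"),
            "dn": data["ObjectDN"],
            "user": user,
            "logon_id": data.get("SubjectLogonId", "?"),
            "expected": user.lower() in allow,
        })
    return alerts


def _ev(event_id, object_class, object_dn, user, logon_id="0x3e7a1"):
    """Build a minimal winlog-style event dict (constructed sample data)."""
    return {"event_id": event_id, "event_data": {
        "ObjectClass": object_class, "ObjectDN": object_dn,
        "SubjectUserName": user, "SubjectLogonId": logon_id}}


# Constructed sample events (not real telemetry), covering the edge cases.
SAMPLE_EVENTS = [
    # attacker-style creation: a plain domain user adds the zone-apex wildcard
    _ev(5137, "dnsNode", "DC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com", "jdoe"),
    # ordinary host record in the same zone: not a wildcard
    _ev(5137, "dnsNode", "DC=fileserver01,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com", "svc-dhcp", "0x1f2"),
    # modification (5136) of the wildcard node: not a creation, so not this rule
    _ev(5136, "dnsNode", "DC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com", "jdoe"),
    # defensive wildcard pre-created by an admin in the forest partition, lowercase DN
    _ev(5137, "dnsNode", "dc=*,dc=corp.local,cn=MicrosoftDNS,dc=ForestDnsZones,dc=corp,dc=local", "dnsadmin", "0x9c4"),
    # sub-tree wildcard (*.lab.example.com) still counts as a wildcard
    _ev(5137, "dnsNode", "DC=*.lab,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com", "jdoe"),
    # 5137 for a non-DNS object with a "*" name is ignored
    _ev(5137, "computer", "CN=*,CN=Computers,DC=example,DC=com", "jdoe"),
]


def run_sample():
    """Run the triage over the constructed events (3 alerts, one flagged expected)."""
    return find_wildcard_creations(SAMPLE_EVENTS, expected_admins=("dnsadmin",))


if __name__ == "__main__":
    for a in run_sample():
        tag = "EXPECTED" if a["expected"] else "SUSPECT "
        print(f"{tag} {a['user']:<10} logon {a['logon_id']:<8} {a['label']}.{a['zone']}  {a['dn']}")
```

The ObjectClass check matters: 5137 fires for every object creation once auditing is on, so matching only on a "*" in the DN would also catch unrelated objects. Restricting to the leftmost RDN avoids flagging a legitimate record whose name merely sits under a wildcard label, and the case-insensitive match covers DNs that different collectors normalize differently.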
Detection coverage (2 rules)
- Potential ADIDNS Poisoning via Wildcard Record Creation (high): Detects the creation of wildcard DNS records in ADIDNS, indicating potential poisoning.
- ADIDNS Wildcard Record Creation Event (high): Detects Windows Security Event ID 5137 indicating the creation of a wildcard DNS record in ADIDNS.