medium advisory

Unsigned DLL Loaded by DNS Service

The rule identifies the loading of unusual or unsigned DLLs by the DNS Server process, which can indicate exploitation of the ServerLevelPluginDll functionality, potentially leading to privilege escalation and remote code execution with SYSTEM privileges.

The detection rule identifies the loading of unusual DLLs by the Windows DNS Server process (dns.exe), potentially indicating the abuse of the ServerLevelPluginDll functionality, as described in public research and proof-of-concept code. This technique allows attackers to load arbitrary DLLs into the DNS service, leading to privilege escalation and remote code execution with SYSTEM privileges. The rule focuses on detecting unsigned or untrusted DLLs loaded by dns.exe, highlighting potential exploitation attempts and unauthorized modifications to the DNS service. Successful exploitation grants the attacker elevated privileges, allowing them to perform malicious actions on the system. The rule is designed for data generated by Elastic Defend and supports Sysmon Event ID 7 (Image Loaded) as an additional data source.

Attack Chain

  1. An attacker gains initial access to the system through unspecified means.
  2. The attacker modifies the DNS Server configuration to enable the loading of server-level plugin DLLs.
  3. The attacker places a malicious, unsigned DLL in a location accessible to the DNS service.
  4. The DNS service (dns.exe) loads the malicious DLL upon startup or configuration change.
  5. The malicious DLL executes code within the context of the DNS service, inheriting SYSTEM privileges.
  6. The attacker uses the elevated privileges to perform malicious actions, such as installing backdoors or modifying system settings.
  7. The attacker maintains persistence by ensuring the malicious DLL is loaded on subsequent system restarts.

Impact

Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges, granting them complete control over the compromised system. This can lead to data theft, system corruption, or the installation of persistent backdoors. The impact includes potential privilege escalation, remote code execution, and complete system compromise.

Recommendation

  • Deploy the Sigma rule “Unsigned DLL loaded by DNS Service” to your SIEM and tune for your environment.
  • Ensure Sysmon Event ID 7 (Image Loaded) is enabled to provide the necessary data for the detection rule.
  • Investigate any alerts generated by the Sigma rule by reviewing the DLL file path and code signature status.
  • Regularly review and validate the DNS server configuration to ensure that only trusted DLLs are loaded.
  • Implement code signing policies to prevent the loading of unsigned DLLs.

Detection coverage (2 rules)

Unsigned DLL loaded by DNS Service

Severity: medium

Detects unsigned DLLs loaded by the DNS service, potentially indicating privilege escalation or remote code execution.

Format: Sigma. Tactics: execution, privilege_escalation. Techniques: T1068, T1129. Sources: image_load, windows.

DNS Service Loading DLL from Uncommon Path

Severity: medium

Detects the DNS service loading DLLs from paths other than system directories, indicating potential malicious activity.

Format: Sigma. Tactics: execution, privilege_escalation. Techniques: T1068, T1129. Sources: image_load, windows.
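As an added illustration of the two detections above and of the signature-status and path review the recommendations call for, the following Python evaluates Sysmon Event ID 7 records against both rules. It is not the feed's own rule logic: the field names Image, ImageLoaded, Signed and SignatureStatus are Sysmon's, while the trusted-directory list and the sample records are constructed assumptions.

```python
"""Evaluate Sysmon Event ID 7 (Image Loaded) records against the two detections
described above. Field names follow Sysmon's Event ID 7 schema; the directory
list and the sample records are constructed for illustration."""

# Assumption: the only directories the DNS service is expected to load DLLs
# from. Tune to the environment before deployment.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def is_dns_service(event: dict) -> bool:
    """True when the loading process is the Windows DNS Server (dns.exe)."""
    return event.get("Image", "").lower().endswith("\\dns.exe")

def is_unsigned(event: dict) -> bool:
    """Unsigned, or signed but the signature did not validate."""
    signed = event.get("Signed", "false").lower() == "true"
    return not signed or event.get("SignatureStatus", "").lower() != "valid"

def is_uncommon_path(event: dict) -> bool:
    """DLL loaded from outside the trusted system directories."""
    return not event.get("ImageLoaded", "").lower().startswith(TRUSTED_DIRS)

def evaluate(event: dict) -> list:
    """Names of the detections the event matches (empty list if none)."""
    if not is_dns_service(event):
        return []
    hits = []
    if is_unsigned(event):
        hits.append("Unsigned DLL loaded by DNS Service")
    if is_uncommon_path(event):
        hits.append("DNS Service Loading DLL from Uncommon Path")
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dns.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},  # benign: signed, system path
    {"Image": r"C:\Windows\System32\dns.exe", "ImageLoaded": r"C:\ProgramData\plugin_demo.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},  # trips both rules
    {"Image": r"C:\Windows\System32\dns.exe", "ImageLoaded": r"C:\Windows\System32\stale_plugin.dll",
     "Signed": "true", "SignatureStatus": "Unavailable"},  # signature did not validate
    {"Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\ProgramData\plugin_demo.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},  # not dns.exe: out of scope
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["ImageLoaded"], "->", evaluate(ev) or "no match")
```

A DLL that is signed but whose signature fails to validate is flagged by the first rule even when it sits in System32, which is the case a path-only check would miss.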
