{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/active-directory-integrated-dns-adidns/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory Integrated DNS (ADIDNS)"],"_cs_severities":["high"],"_cs_tags":["credential-access","adidns","windows","active-directory"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eActive Directory Integrated DNS (ADIDNS) stores DNS zones as Active Directory objects, which, while providing access control and replication benefits, introduces security issues. A significant concern is the creation of wildcard records due to the default permission allowing any authenticated user to create DNS-named records. By exploiting this, attackers can establish wildcard records to redirect traffic for domain names lacking explicit DNS records, effectively positioning themselves as an adversary-in-the-middle. This manipulation of ADIDNS can lead to credential interception or relay attacks, similar to LLMNR/NBNS spoofing. This poses a high risk to organizations relying on ADIDNS for domain consistency and secure name resolution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the domain.\u003c/li\u003e\n\u003cli\u003eAttacker leverages existing privileges to create a wildcard DNS record (A record) within an ADIDNS zone.\u003c/li\u003e\n\u003cli\u003eThe wildcard record is created with a DN like \u003ccode\u003eDC=*,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com\u003c/code\u003e, where \u003ccode\u003eDC=*\u003c/code\u003e signifies the wildcard. Event ID 5137 is generated.\u003c/li\u003e\n\u003cli\u003eThe wildcard record points to a malicious server controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eA client attempts to resolve a domain name that does not have an explicit DNS record.\u003c/li\u003e\n\u003cli\u003eDue to the wildcard record, the DNS query resolves to the attacker\u0026rsquo;s malicious server.\u003c/li\u003e\n\u003cli\u003eThe client connects to the attacker\u0026rsquo;s server, potentially exposing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or relays the client\u0026rsquo;s traffic, gaining unauthorized access or control.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept network traffic, steal credentials, and potentially gain control over systems within the affected domain. The impact includes unauthorized access to sensitive data, lateral movement within the network, and potential compromise of critical domain services. This can affect any organization using Active Directory Integrated DNS, leading to widespread disruption and data breaches.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Changes\u0026rdquo; to generate the necessary Windows Security Event Logs (5137) for detecting ADIDNS wildcard record creation as described in the \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003esetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential ADIDNS Poisoning via Wildcard Record Creation\u0026rdquo; to detect the creation of wildcard DNS records in ADIDNS based on Windows Event ID 5137.\u003c/li\u003e\n\u003cli\u003eReview and restrict ADIDNS permissions for DNS zones to limit wildcard-creation opportunities, focusing on authenticated-user create-child rights.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on \u003ccode\u003ewinlog.event_data.ObjectDN\u003c/code\u003e, \u003ccode\u003euser.name\u003c/code\u003e, and the originating session as outlined in the rule\u0026rsquo;s \u003ccode\u003enote\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-03T14:58:00Z","date_published":"2024-05-03T14:58:00Z","id":"/briefs/2024-05-adidns-wildcard/","summary":"Attackers can create wildcard records in Active Directory Integrated DNS (ADIDNS) to redirect traffic, enabling adversary-in-the-middle attacks for credential interception or relay.","title":"Potential ADIDNS Poisoning via Wildcard Record Creation","url":"https://feed.craftedsignal.io/briefs/2024-05-adidns-wildcard/"}],"language":"en","title":"CraftedSignal Threat Feed — Active Directory Integrated DNS (ADIDNS)","version":"https://jsonfeed.org/version/1.1"}