detection.wiki

Detection rules › Sigma

Member added to DNSadmin group

Status
experimental
Severity
high
Log source
product windows, service security
Author
mdecrevoisier
Source
github.com/mdecrevoisier/SIGMA-detection-rules

Detects scenarios where a suspicious change is done on DNSadmin group in order to abuse DNSadmin privileges for DLL load.

MITRE ATT&CK coverage

TacticTechniques
PersistenceT1098 Account Manipulation

Event coverage

ProviderEventTitle
Security-AuditingEvent ID 4728A member was added to a security-enabled global group.
Security-AuditingEvent ID 4732A member was added to a security-enabled local group.
Security-AuditingEvent ID 4756A member was added to a security-enabled universal group.

Rule body yaml

title: Member added to DNSadmin group
description: Detects scenarios where a suspicious change is done on DNSadmin group in order to abuse DNSadmin privileges for DLL load.
references:
- https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0003-Persistence/T1098.xxx-Account%20manipulation
- http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
- https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-dnsadmins-to-system-to-domain-compromise
- http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://medium.com/r3d-buck3t/escalating-privileges-with-dnsadmins-group-active-directory-6f7adbc7005b
- https://medium.com/techzap/dns-admin-privesc-in-active-directory-ad-windows-ecc7ed5a21a2
- https://phackt.com/dnsadmins-group-exploitation-write-permissions
tags:
- attack.persistence
- attack.t1098
author: mdecrevoisier
status: experimental
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 4728 # security global group member added
      - 4756 # universal group member added
      - 4732 # local and domain local group member added > group below is per default with this group type
    TargetUserName: DnsAdmins # Group SID is random
  condition: selection
falsepositives:
- Rare administrator activity
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
  EventID:
    - 4728
    - 4756
    - 4732
  TargetUserName: DnsAdmins

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
TargetUserNameeq
  • DnsAdmins corpus 2 (sigma 1, splunk 1)