
[New Rule] DNS Global Query Block List Modified or Disabled #3734

Merged
merged 3 commits into from
Jun 20, 2024

Conversation

w0rk3r
Contributor

@w0rk3r w0rk3r commented May 31, 2024

Issues

Related to #3544 & #3005

Summary

Identifies changes to the DNS Global Query Block List (GQBL), a security feature that prevents the resolution of certain DNS names often exploited in attacks like WPAD spoofing. Attackers with certain privileges, such as DNSAdmins, can modify or disable the GQBL, allowing exploitation of hosts running WPAD with default settings for privilege escalation and lateral movement.

Data

{
  "_index": ".ds-logs-endpoint.events.registry-default-2024.05.13-000023",
  "_id": "5aWkz48B7lRF55sMgA9r",
  "_score": 1,
  "fields": {
    "host.os.full.text": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "event.category": [
      "registry"
    ],
    "process.name.text": [
      "dns.exe"
    ],
    "host.os.name.text": [
      "Windows"
    ],
    "host.os.full": [
      "Windows Server 2019 Datacenter Evaluation 1809 (10.0.17763.5830)"
    ],
    "host.hostname": [
      "kingslanding"
    ],
    "process.pid": [
      1084
    ],
    "host.mac": [
      "00-0c-29-cb-31-64",
      "00-0c-29-cb-31-5a"
    ],
    "process.code_signature.exists": [
      true
    ],
    "elastic.agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "registry.hive": [
      "HKLM"
    ],
    "process.code_signature.subject_name": [
      "Microsoft Windows"
    ],
    "host.os.version": [
      "1809 (10.0.17763.5830)"
    ],
    "process.thread.Ext.call_stack.symbol_info": [
      "C:\\Windows\\System32\\ntdll.dll!NtSetValueKey+0x14",
      "C:\\Windows\\System32\\KernelBase.dll!UnsubscribeFeatureUsageFlush+0x2ab3",
      "C:\\Windows\\System32\\KernelBase.dll!RegSetValueExW+0x20a",
      "C:\\Windows\\System32\\dns.exe+0x7e061",
      "C:\\Windows\\System32\\dns.exe+0xadc3b",
      "C:\\Windows\\System32\\dns.exe+0xb3493",
      "C:\\Windows\\System32\\dns.exe+0x89b88",
      "C:\\Windows\\System32\\dns.exe+0x89363",
      "C:\\Windows\\System32\\dns.exe+0x89286",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrNsGetBuffer+0xd83",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrClientCall3+0x265a",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrServerCallAll+0x40",
      "C:\\Windows\\System32\\rpcrt4.dll!RpcExceptionFilter+0x38",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrClientInitialize+0x33e0",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrClientInitialize+0x2d8b",
      "C:\\Windows\\System32\\rpcrt4.dll!RpcBindingSetOption+0x5e3f",
      "C:\\Windows\\System32\\rpcrt4.dll!RpcBindingSetOption+0x529a",
      "C:\\Windows\\System32\\rpcrt4.dll!RpcBindingSetOption+0x4861",
      "C:\\Windows\\System32\\rpcrt4.dll!RpcBindingSetOption+0x42d2",
      "C:\\Windows\\System32\\rpcrt4.dll!NdrComplexArrayUnmarshall+0x2855",
      "C:\\Windows\\System32\\ntdll.dll!RtlpTimeToTimeFields+0x5a0",
      "C:\\Windows\\System32\\ntdll.dll!RtlAcquireSRWLockExclusive+0x6f8",
      "C:\\Windows\\System32\\kernel32.dll!BaseThreadInitThunk+0x14",
      "C:\\Windows\\System32\\ntdll.dll!RtlUserThreadStart+0x21"
    ],
    "host.os.name": [
      "Windows"
    ],
    "registry.key": [
      "SYSTEM\\ControlSet001\\Services\\DNS\\Parameters"
    ],
    "host.name": [
      "kingslanding"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "unknown"
    ],
    "process.code_signature.trusted": [
      true
    ],
    "registry.path": [
      "HKLM\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\GlobalQueryBlockList"
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "process.Ext.ancestry": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTY2OC0xNzE3MTY2NjM2LjQxNTI0OTEwMA==",
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTUzMi0xNzE3MTY2NjM2LjMyNjE5NzkwMA=="
    ],
    "registry.data.strings": [
      "Isatap"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "dns.exe"
    ],
    "agent.id": [
      "7e33b320-1a98-44c7-87be-726e903f3dd1"
    ],
    "ecs.version": [
      "8.10.0"
    ],
    "event.created": [
      "2024-05-31T17:13:28.052Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "registry.data.type": [
      "REG_MULTI_SZ"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.Ext.call_stack_summary": [
      "ntdll.dll|kernelbase.dll|dns.exe|rpcrt4.dll|ntdll.dll|kernel32.dll|ntdll.dll"
    ],
    "user.name": [
      "SYSTEM"
    ],
    "process.entity_id": [
      "N2UzM2IzMjAtMWE5OC00NGM3LTg3YmUtNzI2ZTkwM2YzZGQxLTEwODQtMTcxNzE2Nzg3OC41MTExMjQ5MDA="
    ],
    "event.sequence": [
      31097
    ],
    "host.ip": [
      "192.168.56.10",
      "fe80::8c38:f506:d825:d6e2",
      "192.168.133.136",
      "fe80::6d5a:2830:b81f:3127",
      "127.0.0.1",
      "::1"
    ],
    "process.executable.caseless": [
      "c:\\windows\\system32\\dns.exe"
    ],
    "agent.type": [
      "endpoint"
    ],
    "process.executable.text": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "event.module": [
      "endpoint"
    ],
    "host.os.kernel": [
      "1809 (10.0.17763.5830)"
    ],
    "host.os.full.caseless": [
      "windows server 2019 datacenter evaluation 1809 (10.0.17763.5830)"
    ],
    "user.domain": [
      "NT AUTHORITY"
    ],
    "host.id": [
      "b858c78f-843f-4fab-be54-219eb304c072"
    ],
    "process.name.caseless": [
      "dns.exe"
    ],
    "process.executable": [
      "C:\\Windows\\System32\\dns.exe"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "process.code_signature.status": [
      "trusted"
    ],
    "message": [
      "Endpoint registry event"
    ],
    "host.os.Ext.variant": [
      "Windows Server 2019 Datacenter Evaluation"
    ],
    "event.action": [
      "modification"
    ],
    "event.ingested": [
      "2024-05-31T17:13:35Z"
    ],
    "@timestamp": [
      "2024-05-31T17:13:28.052Z"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "endpoint.events.registry"
    ],
    "event.type": [
      "change"
    ],
    "process.Ext.code_signature": [
      {
        "trusted": [
          true
        ],
        "subject_name": [
          "Microsoft Windows"
        ],
        "exists": [
          true
        ],
        "status": [
          "trusted"
        ]
      }
    ],
    "event.id": [
      "NZbWGosQzOlpxygP+++++mct"
    ],
    "event.dataset": [
      "endpoint.events.registry"
    ],
    "host.os.name.caseless": [
      "windows"
    ],
    "registry.value": [
      "GlobalQueryBlockList"
    ],
    "user.name.text": [
      "SYSTEM"
    ]
  }
}
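As an added example (not the rule's own query and not Elastic's code), the Python below triages ECS registry events shaped like the sample above for GQBL tampering: it flags a GlobalQueryBlockList write that drops the default wpad or isatap entries, a deletion of the value, and a write of 0 to EnableGlobalQueryBlockList. The EnableGlobalQueryBlockList value, the BootMethod value and the two extra sample events are assumptions not taken from this page.

```python
# Added example (not the rule's query or Elastic's code): triage ECS registry
# events for DNS Global Query Block List (GQBL) tampering.
GQBL_VALUE = "globalqueryblocklist"               # value seen in the PR's sample event
GQBL_ENABLE_VALUE = "enableglobalqueryblocklist"  # assumption: Windows DNS parameter not on this page
DEFAULT_BLOCKED = {"wpad", "isatap"}              # Windows' default GQBL entries


def first(fields, key, default=None):
    """ECS 'fields' responses wrap every value in a list; unwrap the first."""
    vals = fields.get(key)
    return vals[0] if vals else default


def assess_gqbl_event(fields):
    """Return a finding dict for a GQBL change, or None for unrelated events."""
    if first(fields, "event.category") != "registry":
        return None
    path = first(fields, "registry.path", "").lower()
    if "\\services\\dns\\parameters\\" not in path:
        return None
    value = path.rsplit("\\", 1)[-1]
    action = first(fields, "event.action")
    strings = [s.lower() for s in fields.get("registry.data.strings", [])]
    base = {"host": first(fields, "host.name"), "process": first(fields, "process.name"), "action": action}
    if value == GQBL_VALUE:
        # Deleting the value or dropping wpad/isatap from it both weaken the list.
        remaining = set() if action == "deletion" else set(strings)
        return {**base, "kind": "gqbl_modified", "removed_defaults": sorted(DEFAULT_BLOCKED - remaining)}
    if value == GQBL_ENABLE_VALUE and strings and strings[0] == "0":
        return {**base, "kind": "gqbl_disabled", "removed_defaults": sorted(DEFAULT_BLOCKED)}
    return None


# Constructed sample events: the first reduces the PR's sample event to the fields
# used here; the other two are made up for the disable and benign cases.
SAMPLE_EVENTS = [
    {"event.category": ["registry"], "event.action": ["modification"], "host.name": ["kingslanding"],
     "process.name": ["dns.exe"], "registry.data.type": ["REG_MULTI_SZ"], "registry.data.strings": ["Isatap"],
     "registry.path": ["HKLM\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\GlobalQueryBlockList"]},
    {"event.category": ["registry"], "event.action": ["modification"], "host.name": ["dns02"],
     "process.name": ["dns.exe"], "registry.data.strings": ["0"],
     "registry.path": ["HKLM\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\EnableGlobalQueryBlockList"]},
    {"event.category": ["registry"], "event.action": ["modification"], "host.name": ["dns02"],
     "process.name": ["dns.exe"], "registry.data.strings": ["3"],
     "registry.path": ["HKLM\\SYSTEM\\ControlSet001\\Services\\DNS\\Parameters\\BootMethod"]},
]


def triage(events):
    """Run the check over a batch of events and keep only the findings."""
    return [f for f in (assess_gqbl_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The first sample reproduces what the PR's event shows: the list was rewritten to contain only Isatap, so wpad is reported as a removed default.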

Contributor

@terrancedejesus terrancedejesus left a comment


Very nice

@w0rk3r w0rk3r merged commit 6a0ac56 into main Jun 20, 2024
9 checks passed
@w0rk3r w0rk3r deleted the reg_dnsblocklist branch June 20, 2024 12:23
protectionsmachine pushed a commit that referenced this pull request Jun 20, 2024
Labels
backport: auto; Domain: Endpoint; OS: Windows (windows related rules); Rule: New (Proposal for new rule)
4 participants