How to detect and respond to a DNS Admin Escalation attack using ADAudit Plus

In this article:  

  • Objective

  • Prerequisites

  • Steps to follow

  • Validation and confirmation

  • Tips

  • Related topics and articles

Objective  

This article explains how to use ADAudit Plus to detect a potential DNS Admin privilege escalation attack based on Sysmon event logs, understand the immediate remediation steps, and implement long-term prevention strategies.

Prerequisites  

  • You must have administrator access to the ADAudit Plus web console.

  • Sysmon (System Monitor) must be deployed on your DNS servers (typically Domain Controllers) with a configuration whose RegistryEvent rules cover the DNS service's Parameters key. Sysmon only emits Event ID 13 for registry paths that its configuration includes, so a default or minimal configuration produces no event for this attack.

  • ADAudit Plus must be configured to collect and process Sysmon event logs from these servers.

Steps to follow  

The process for handling a DNS Admin Escalation attack involves detection, immediate remediation, and prevention.

Part 1: Detecting the attack  

  1. Navigate to the Active Directory Tab > Attack Surface Analyzer > Threats > DNS Admin Escalation.

  2. This report shows all detections related to a possible DNS Admin Escalation attack, where an attacker leverages the DNS server service to load a malicious DLL.

Part 2: Understanding the detection criteria  

ADAudit Plus detects a potential DNS Admin Escalation attack based on the following pattern from Sysmon logs:

  • Description: An attacker writes the path of a malicious DLL into the ServerLevelPluginDll value under the DNS service's Parameters key, either directly in the registry or remotely through the DNS management interface (for example dnscmd), which members of the DnsAdmins group are permitted to use. When the DNS Server service next starts, dns.exe loads that DLL with SYSTEM privileges on the Domain Controller, which can lead to a full domain compromise.

  • Detection logic (Sysmon):

    • Event ID equals 13 (RegistryEvent: Value Set).

    • TargetObject contains SYSTEM\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll.
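The following PowerShell is an added example and is not part of the article or of ADAudit Plus. It reproduces the two detection conditions above against Sysmon Event ID 13 records: first on a constructed sample event (hostname, share address and DLL name are made up) so the rule can be exercised offline, then live against a DNS server's Sysmon log with Get-WinEvent. Field names follow Sysmon's Event 13 schema (Image, TargetObject, Details, User).

```powershell
# Added example, not ADAudit Plus code: the article's Sysmon rule for ServerLevelPluginDll tampering.
# Condition 1: Event ID 13 (RegistryEvent: Value Set). Condition 2: TargetObject contains the DNS
# service's ServerLevelPluginDll value. -match is case-insensitive, so Sysmon's HKLM\System\... spelling matches.
$PluginDllPattern = 'SYSTEM\\CurrentControlSet\\Services\\DNS\\Parameters\\ServerLevelPluginDll'

function ConvertFrom-SysmonEvent {
    # Flattens <System>/<EventID>, <System>/<Computer> and every <EventData><Data Name=...> into a hashtable.
    param([Parameter(Mandatory)][xml]$EventXml)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $EventXml.NameTable
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $fields = @{
        EventID  = $EventXml.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText
        Computer = $EventXml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
    }
    foreach ($d in $EventXml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $fields
}

function Test-DnsPluginDllTamper {
    # The two conditions from "Detection logic (Sysmon)" above.
    param([Parameter(Mandatory)][hashtable]$Fields)
    return ($Fields['EventID'] -eq '13') -and ($Fields['TargetObject'] -match $PluginDllPattern)
}

function Get-DnsPluginDllAlerts {
    # Live query: read Sysmon Event 13 from a DNS server's Sysmon log and keep only the hits.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $f = ConvertFrom-SysmonEvent -EventXml ([xml]$_.ToXml())
        if (Test-DnsPluginDllTamper -Fields $f) {
            [pscustomobject]@{
                UtcTime  = $f['UtcTime']
                Computer = $f['Computer']
                Image    = $f['Image']      # dns.exe here means the write came in over the DNS RPC interface (e.g. dnscmd)
                User     = $f['User']       # in that case the service account, not the remote caller
                DllPath  = $f['Details']    # the path the attacker pointed the service at
            }
        }
    }
}

# Constructed sample Sysmon Event 13 (hostname, share address and DLL name are made up) for an offline check.
$SampleEvent = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>13</EventID><Computer>DC01.corp.example</Computer></System>
  <EventData>
    <Data Name="EventType">SetValue</Data>
    <Data Name="UtcTime">2024-05-01 10:00:00.000</Data>
    <Data Name="ProcessId">1234</Data>
    <Data Name="Image">C:\Windows\System32\dns.exe</Data>
    <Data Name="TargetObject">HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll</Data>
    <Data Name="Details">\\10.0.0.5\share\evil.dll</Data>
    <Data Name="User">NT AUTHORITY\SYSTEM</Data>
  </EventData>
</Event>
'@
$fields = ConvertFrom-SysmonEvent -EventXml $SampleEvent
"Flagged: $(Test-DnsPluginDllTamper -Fields $fields)  Image: $($fields['Image'])  DLL: $($fields['Details'])"
# Live: Get-DnsPluginDllAlerts -ComputerName DC01 | Format-Table -AutoSize
```

The sample deliberately has dns.exe as the writing Image: when the value is set through the DNS management interface, the DNS Server service itself performs the registry write on the Domain Controller, so the Sysmon event does not name the remote host or caller. The Details field (the DLL path) is the most useful pivot in that case.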

Part 3: Immediate remediation  

A DNS Admin Escalation detection indicates a severe compromise by an attacker with privileges to modify a Domain Controller's registry. Act immediately.

  1. Do not restart the DNS Server: dns.exe loads the DLL only when the service starts, so until the next restart the payload has not executed. Do not restart the DNS Server service or the Domain Controller until the registry value and the DLL have been removed. Also check whether a restart has already occurred (a Sysmon Event ID 7 image load of the DLL by dns.exe, or the DLL present in the running dns.exe's module list): if the DLL is already loaded, the payload has run as SYSTEM and the Domain Controller itself must be treated as fully compromised.

  2. Isolate the source machine: The report in ADAudit Plus shows the process and user account that wrote the registry value. If the process is dns.exe on the Domain Controller itself, the change arrived over the DNS management RPC interface (for example dnscmd run from another host); identify the originating host from the DNS Server audit channel, Security log logon events and network connection logs. Isolate the originating machine from the network.

  3. Remove the malicious registry entry: On the targeted DNS server, record the current data of the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ for the investigation, then delete the value. It does not exist on a default installation, so deleting it (rather than clearing it) restores the default state.

  4. Delete the malicious DLL: The registry value holds the path of the malicious DLL. Hash and preserve a copy for forensics, then delete or quarantine the file. If the path is a UNC share on a host you do not control, you cannot remove the file; block that host at the network level instead.

  5. Disable the compromised account: The user account that performed this action should be treated as compromised, and it holds high privileges (for example membership in the DnsAdmins group or local administrator rights on the Domain Controller). Disable the account immediately pending investigation.

  6. Investigate the initial compromise: Determine how the attacker gained the privileges to modify the registry on a Domain Controller. This indicates a significant pre-existing compromise that requires a broader forensic investigation.

Validation and confirmation  

  • After remediation, monitor the DNS Admin Escalation report in ADAudit Plus to ensure no new attempts are made.

  • Verify that the ServerLevelPluginDll value is absent and the DLL file removed on every DNS server, not only the one that raised the alert.

  • Conduct a full investigation to ensure the attacker has been fully evicted from the network.
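As an added example (not part of the article or of ADAudit Plus), the following PowerShell wraps the triage, containment and verification steps above into two functions for an elevated session on the affected DNS server: one reads the value and checks whether dns.exe has already loaded the DLL, the other removes the value and quarantines the file without restarting the service. The quarantine folder name is an assumption; adjust it to your IR conventions.

```powershell
# Added example, not ADAudit Plus code: triage, containment and verification helpers for remediation
# steps 1, 3 and 4 and for the validation checks. Run in an elevated PowerShell session on the DNS server.

function Get-DnsPluginDllState {
    # Step 1 check: is ServerLevelPluginDll set, does the file exist, and has dns.exe already loaded it?
    # Set but not loaded means the payload is still waiting for a service restart.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $value  = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
    $loaded = $false
    if ($value) {
        $dns = Get-Process -Name dns -ErrorAction SilentlyContinue
        if ($dns) {
            try {
                $leaf   = Split-Path -Path $value -Leaf
                $loaded = [bool]($dns.Modules | Where-Object { $_.ModuleName -ieq $leaf })
            } catch { Write-Warning "Could not enumerate dns.exe modules: $_" }
        }
    }
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PluginDll     = $value
        DllExists     = [bool]($value -and (Test-Path -LiteralPath $value))
        AlreadyLoaded = $loaded
    }
}

function Remove-DnsPluginDll {
    # Steps 3 and 4. The DLL is hashed and moved to a quarantine folder instead of deleted, so evidence
    # survives. Supports -WhatIf. Deliberately does NOT restart the DNS Server service.
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$QuarantineDir = 'C:\IR\Quarantine')   # assumed location, adjust as needed
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $state = Get-DnsPluginDllState
    if (-not $state.PluginDll) { Write-Verbose 'ServerLevelPluginDll is not set.'; return $state }

    if ($state.AlreadyLoaded) {
        Write-Warning 'dns.exe has already loaded the DLL: the payload has executed as SYSTEM on this DC.'
    }
    if ($state.DllExists) {
        $hash = (Get-FileHash -LiteralPath $state.PluginDll -Algorithm SHA256).Hash
        Write-Warning "Malicious DLL $($state.PluginDll) SHA256=$hash"
        if ($PSCmdlet.ShouldProcess($state.PluginDll, 'Move to quarantine')) {
            New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
            Move-Item -LiteralPath $state.PluginDll -Destination $QuarantineDir -Force
        }
    } elseif ($state.PluginDll -like '\\*') {
        # UNC path on a host you do not control: the file cannot be removed from here, block the host instead.
        Write-Warning "DLL is served from $($state.PluginDll.Split('\')[2]); block that host on the network."
    }
    if ($PSCmdlet.ShouldProcess("$key\ServerLevelPluginDll", 'Remove registry value')) {
        Remove-ItemProperty -Path $key -Name ServerLevelPluginDll
    }
    Get-DnsPluginDllState    # re-read: PluginDll should now be empty
}

# Usage:
#   Get-DnsPluginDllState            # triage on this server
#   Remove-DnsPluginDll -WhatIf      # dry run, then without -WhatIf to contain
#   Invoke-Command -ComputerName DC01, DC02 -ScriptBlock ${function:Get-DnsPluginDllState}   # sweep other DNS servers
```

The Invoke-Command line is the validation sweep: the functions keep their constants inline so the script block can be shipped to other DNS servers unchanged. A result with PluginDll set on any server means the attacker has staged more than one target.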

Tips  

The following best practices are critical for preventing DNS Admin Escalation attacks.

Principle of Least Privilege (PoLP)  

  • Restrict DnsAdmins Group Membership: Membership in the DnsAdmins group alone is enough to set ServerLevelPluginDll remotely, so treat it as a Tier 0 group. Strictly limit membership and do not place standard users or service accounts in it unless absolutely necessary.

  • Restrict Local Administrator Rights: Limit who has local administrator rights on Domain Controllers to only necessary Domain Admins.

Secure Privileged Accounts  

  • Implement a Tiered Access Model: Ensure your most critical assets (Tier 0), like Domain Controllers, are only managed by dedicated Tier 0 administrator accounts.

  • Use Privileged Access Management (PAM): Implement PAM solutions to control and monitor access to privileged accounts and provide just-in-time (JIT) access.

System Hardening and Monitoring  

  • Harden Domain Controllers: Restrict who can log on locally or via RDP to Domain Controllers.

  • Monitor Critical Registry Keys: In addition to the ADAudit Plus detection, use other tools to monitor for any changes to the HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ registry key on all DNS servers, for example a SACL on the key so that value writes are also recorded in the Security log as event 4657.
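As an added example (not part of the article or of ADAudit Plus), the following PowerShell turns two of the tips above into repeatable checks: the DnsAdmins membership review and a SACL on the DNS Parameters key so that the native Security log records writes independently of Sysmon. The first function needs the RSAT ActiveDirectory module; the second needs an elevated session on each DNS server.

```powershell
# Added example, not ADAudit Plus code: two of the preventive controls above as schedulable checks.
# Get-DnsAdminsReport needs the RSAT ActiveDirectory module; Enable-DnsParametersAudit needs an elevated
# session on each DNS server (it edits the key's SACL and enables Object Access > Registry auditing).

function Get-DnsAdminsReport {
    # Least privilege: who can perform this attack? -Recursive resolves nested groups so indirect members appear.
    param([string]$Server)   # optional Domain Controller to query
    $ad = @{}
    if ($Server) { $ad['Server'] = $Server }
    Get-ADGroupMember -Identity 'DnsAdmins' -Recursive @ad | ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            ObjectClass       = $_.objectClass
            DistinguishedName = $_.distinguishedName
            # Anything that is not a named user (computer accounts, gMSAs) warrants review.
            Review            = $_.objectClass -ne 'user'
        }
    }
}

function Enable-DnsParametersAudit {
    # Monitoring: SACL on the DNS Parameters key so every value write (ServerLevelPluginDll included)
    # is recorded in the Security log as event 4657, independent of Sysmon.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    $rights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule    = New-Object System.Security.AccessControl.RegistryAuditRule -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($rule)
    if ($PSCmdlet.ShouldProcess($key, 'Add audit rule and enable Registry object-access auditing')) {
        Set-Acl -Path $key -AclObject $acl
        # A SACL produces nothing unless the Registry subcategory of Object Access auditing is enabled.
        auditpol /set /subcategory:"Registry" /success:enable /failure:enable | Out-Null
    }
    (Get-Acl -Path $key -Audit).Audit | Select-Object IdentityReference, RegistryRights, AuditFlags
}

# Usage:
#   Get-DnsAdminsReport | Format-Table -AutoSize
#   Enable-DnsParametersAudit -WhatIf
#   Enable-DnsParametersAudit
```

The resulting 4657 events carry the subject account and process for the write, which complements the Sysmon Event 13 data ADAudit Plus uses and gives a second record if Sysmon is tampered with or its configuration is incomplete.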

Related topics and articles  

  • How to configure Attack Surface Analyzer in ADAudit Plus
