Sigma rules for CVE-2017-12074
2 rules · scoped to cve · back to CVE-2017-12074
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: DNS Server Error Failed Loading the ServerLevelPluginDLL
id: cbe51394-cd93-4473-b555-edf0144952d9
related:
- id: e61e8a88-59a9-451c-874e-70fcc9740d67
type: derived
- id: f63b56ee-3f79-4b8a-97fb-5c48007e8573
type: derived
status: test
description: Detects a DNS server error in which a specified plugin DLL (in registry) could not be loaded
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx
- https://twitter.com/gentilkiwi/status/861641945944391680
author: Florian Roth (Nextron Systems)
date: 2017-05-08
modified: 2023-02-05
tags:
- attack.privilege-escalation
- attack.persistence
- attack.execution
- attack.stealth
- attack.t1574.001
logsource:
product: windows
service: dns-server
detection:
selection:
EventID:
- 150
- 770
- 771
condition: selection
falsepositives:
- Unknown
level: high
title: DNS Server Discovery Via LDAP Query
id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e
status: test
description: Detects DNS server discovery via LDAP query requests from uncommon applications
references:
- https://github.com/redcanaryco/atomic-red-team/blob/980f3f83fd81f37c1ca9c02dccfd1c3d9f9d0841/atomics/T1016/T1016.md#atomic-test-9---dns-server-discovery-using-nslookup
- https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04
author: frack113
date: 2022-08-20
modified: 2023-09-18
tags:
- attack.discovery
- attack.t1482
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|startswith: '_ldap.'
filter_main_generic:
Image|contains:
- ':\Program Files\'
- ':\Program Files (x86)\'
- ':\Windows\'
filter_main_defender:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\MsMpEng.exe'
filter_main_unknown:
Image: '<unknown process>'
filter_optional_azure:
Image|startswith: 'C:\WindowsAzure\GuestAgent'
filter_main_null:
Image: null
filter_optional_browsers:
# Note: This list is for browsers installed in the user context. To avoid basic evasions based on image name. Best to baseline this list with the browsers you use internally and add their full paths.
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\opera.exe'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Likely
# Note: Incrase the level once a baseline is established
level: low