🐾 - πŸ”” DNS - Suspicious Dynamic update - remote record creation to Windows DNS Server πŸͺŸ - Possible DNS Server Compromised πŸ₯· - T1584.002- Check if legitimate client request

SID: 3301110Rev: 317 views
Sourcepawpatrules
CreatedJanuary 4, 2024
UpdatedMarch 17, 2024
Classificationmisc-attack
alert tcp-pkt any any -> $HOME_NET 53 (msg:"🐾 - πŸ”” DNS - Suspicious Dynamic update - remote record creation to Windows DNS Server πŸͺŸ - Possible DNS Server Compromised πŸ₯· - T1584.002- Check if legitimate client request "; flow:to_server, stateless; content:"|28 00 00 01 00 00 00 01 00 01|"; fast_pattern; content:"|00 06 00 01|"; content:"|08 67 73 73 2d 74 73 69 67 00|"; content:"|00 00 00 00|"; endswith; reference:url,https://attack.mitre.org/techniques/T1584/002/; reference:url,https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/; reference:url,https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/; reference:url,https://github.com/Kevin-Robertson/Powermad; metadata:created_at 2024_01_04, updated_at 2024_03_17, signature_severity Informational, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0042, mitre_tactic_name Resource_Development, mitre_technique_id T1584.002, mitre_technique_name Compromise_Infrastructure_DNS_Server; sid:3301110; rev:3; classtype:misc-attack;)

References

urlhttps://attack.mitre.org/techniques/T1584/002/
urlhttps://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/
urlhttps://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
urlhttps://github.com/Kevin-Robertson/Powermad

Metadata

created at2024_01_04
updated at2024_03_17
signature severityInformational
attack targetServer_Endpoint
affected productWindows_Server_32_64_Bit
mitre tactic idTA0042
mitre tactic nameResource_Development
mitre technique idT1584.002
mitre technique nameCompromise_Infrastructure_DNS_Server

Comments (0)

Please sign in to leave a comment.
Sign in

No comments yet. Be the first to comment!