
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation #3535


Merged
merged 4 commits into from
Mar 27, 2024


w0rk3r
Contributor

@w0rk3r w0rk3r commented Mar 26, 2024

Summary

Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and
replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces
some security issues, such as wildcard records, mainly because of the default permission that allows new DNS records to be
created in a zone. Attackers can create a wildcard (`*`) record to redirect traffic for any name that does not explicitly
match an existing record in the zone, positioning themselves as a man-in-the-middle and abusing DNS in much the same way
as LLMNR/NBNS spoofing.

Event Data
{
  "_index": ".ds-logs-system.security-default-2024.03.13-000023",
  "_id": "5nAfe44B1-PCmUgATpBK",
  "_version": 1,
  "_score": 0,
  "_source": {
    "input": {
      "type": "winlog"
    },
    "agent": {
      "name": "DC1",
      "id": "864e852b-44ba-4279-a13f-3276df8a2d95",
      "type": "filebeat",
      "ephemeral_id": "f7b65b5c-1b84-48b1-9dac-991ae292d3c8",
      "version": "8.12.2"
    },
    "@timestamp": "2024-03-26T14:17:05.722Z",
    "winlog": {
      "computer_name": "DC1.windomain.local",
      "process": {
        "pid": 716,
        "thread": {
          "id": 824
        }
      },
      "keywords": [
        "Audit Success"
      ],
      "logon": {
        "id": "0x2d817f"
      },
      "channel": "Security",
      "event_data": {
        "SubjectUserName": "Administrator",
        "ObjectClass": "dnsNode",
        "ObjectDN": "DC=*,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local",
        "OpCorrelationID": "{2bad8c51-7e35-4990-897c-ae5e1e156612}",
        "ObjectGUID": "{6251ec3f-e1d0-48f1-a3e9-7fa622496264}",
        "AppCorrelationID": "-",
        "DSType": "%%14676",
        "DSName": "windomain.local",
        "SubjectDomainName": "WINDOMAIN",
        "SubjectLogonId": "0x2d817f",
        "SubjectUserSid": "S-1-5-21-3487213672-391124310-1193161923-500"
      },
      "opcode": "Info",
      "record_id": "787371",
      "event_id": "5137",
      "task": "Directory Service Changes",
      "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Security-Auditing"
    },
    "ecs": {
      "version": "8.0.0"
    },
    "log": {
      "level": "information"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "system.security"
    },
    "elastic_agent": {
      "id": "864e852b-44ba-4279-a13f-3276df8a2d95",
      "version": "8.12.2",
      "snapshot": false
    },
    "host": {
      "hostname": "dc1",
      "os": {
        "build": "20348.587",
        "kernel": "10.0.20348.587 (WinBuild.160101.0800)",
        "name": "Windows Server 2022 Datacenter Evaluation",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "192.168.94.100"
      ],
      "name": "dc1",
      "id": "69350a97-1de7-48e1-b6e4-c8b4aebcecba",
      "mac": [
        "00-0C-29-94-44-17"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2024-03-26T14:17:13Z",
      "code": "5137",
      "provider": "Microsoft-Windows-Security-Auditing",
      "created": "2024-03-26T14:17:06.781Z",
      "kind": "event",
      "action": "Directory Service Changes",
      "dataset": "system.security",
      "outcome": "success"
    },
    "message": "A directory service object was created.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3487213672-391124310-1193161923-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWINDOMAIN\n\tLogon ID:\t\t0x2D817F\n\t\nDirectory Service:\n\tName:\twindomain.local\n\tType:\tActive Directory Domain Services\n\t\nObject:\n\tDN:\tDC=*,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local\n\tGUID:\t{6251ec3f-e1d0-48f1-a3e9-7fa622496264}\n\tClass:\tdnsNode\n\t\nOperation:\n\tCorrelation ID:\t{2bad8c51-7e35-4990-897c-ae5e1e156612}\n\tApplication Correlation ID:\t-"
  },
  "fields": {
    "elastic_agent.version": [
      "8.12.2"
    ],
    "host.os.name.text": [
      "Windows Server 2022 Datacenter Evaluation"
    ],
    "winlog.provider_guid": [
      "{54849625-5478-4994-a5ba-3e3b0328c30d}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "winlog.event_data.DSType": [
      "%%14676"
    ],
    "host.hostname": [
      "dc1"
    ],
    "winlog.computer_name": [
      "DC1.windomain.local"
    ],
    "host.mac": [
      "00-0C-29-94-44-17"
    ],
    "winlog.process.pid": [
      716
    ],
    "winlog.event_data.AppCorrelationID": [
      "-"
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.keywords": [
      "Audit Success"
    ],
    "winlog.record_id": [
      "787371"
    ],
    "winlog.logon.id": [
      "0x2d817f"
    ],
    "host.os.name": [
      "Windows Server 2022 Datacenter Evaluation"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "DC1"
    ],
    "host.name": [
      "dc1"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "event.outcome": [
      "success"
    ],
    "host.os.type": [
      "windows"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "winlog.event_data.ObjectGUID": [
      "{6251ec3f-e1d0-48f1-a3e9-7fa622496264}"
    ],
    "event.provider": [
      "Microsoft-Windows-Security-Auditing"
    ],
    "event.code": [
      "5137"
    ],
    "agent.id": [
      "864e852b-44ba-4279-a13f-3276df8a2d95"
    ],
    "ecs.version": [
      "8.0.0"
    ],
    "event.created": [
      "2024-03-26T14:17:06.781Z"
    ],
    "agent.version": [
      "8.12.2"
    ],
    "host.os.family": [
      "windows"
    ],
    "winlog.event_data.SubjectUserSid": [
      "S-1-5-21-3487213672-391124310-1193161923-500"
    ],
    "winlog.process.thread.id": [
      824
    ],
    "host.os.build": [
      "20348.587"
    ],
    "host.ip": [
      "192.168.94.100"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "system"
    ],
    "winlog.event_data.SubjectLogonId": [
      "0x2d817f"
    ],
    "host.os.kernel": [
      "10.0.20348.587 (WinBuild.160101.0800)"
    ],
    "winlog.event_data.DSName": [
      "windomain.local"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.id": [
      "69350a97-1de7-48e1-b6e4-c8b4aebcecba"
    ],
    "winlog.event_data.ObjectClass": [
      "dnsNode"
    ],
    "winlog.event_data.OpCorrelationID": [
      "{2bad8c51-7e35-4990-897c-ae5e1e156612}"
    ],
    "winlog.task": [
      "Directory Service Changes"
    ],
    "elastic_agent.id": [
      "864e852b-44ba-4279-a13f-3276df8a2d95"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.SubjectUserName": [
      "Administrator"
    ],
    "winlog.event_data.ObjectDN": [
      "DC=*,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local"
    ],
    "message": [
      "A directory service object was created.\n\t\nSubject:\n\tSecurity ID:\t\tS-1-5-21-3487213672-391124310-1193161923-500\n\tAccount Name:\t\tAdministrator\n\tAccount Domain:\t\tWINDOMAIN\n\tLogon ID:\t\t0x2D817F\n\t\nDirectory Service:\n\tName:\twindomain.local\n\tType:\tActive Directory Domain Services\n\t\nObject:\n\tDN:\tDC=*,DC=windomain.local,CN=MicrosoftDNS,DC=DomainDNSZones,DC=windomain,DC=local\n\tGUID:\t{6251ec3f-e1d0-48f1-a3e9-7fa622496264}\n\tClass:\tdnsNode\n\t\nOperation:\n\tCorrelation ID:\t{2bad8c51-7e35-4990-897c-ae5e1e156612}\n\tApplication Correlation ID:\t-"
    ],
    "winlog.event_id": [
      "5137"
    ],
    "event.action": [
      "Directory Service Changes"
    ],
    "event.ingested": [
      "2024-03-26T14:17:13.000Z"
    ],
    "@timestamp": [
      "2024-03-26T14:17:05.722Z"
    ],
    "winlog.channel": [
      "Security"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "system.security"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "f7b65b5c-1b84-48b1-9dac-991ae292d3c8"
    ],
    "winlog.event_data.SubjectDomainName": [
      "WINDOMAIN"
    ],
    "event.dataset": [
      "system.security"
    ]
  }
}

Contributor

@Aegrah Aegrah left a comment


Left suggestions; LGTM.

@w0rk3r w0rk3r merged commit 67e9ebf into main Mar 27, 2024
@w0rk3r w0rk3r deleted the dns_wildcard branch March 27, 2024 13:07
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
protectionsmachine pushed a commit that referenced this pull request Mar 27, 2024
…3535)

* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <[email protected]>

(cherry picked from commit 67e9ebf)
Labels
backport: auto Domain: Endpoint OS: Windows windows related rules Rule: New Proposal for new rule