From 778a35a57bf9d5a25694137829b14215dfdb70c9 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 26 Mar 2024 11:28:43 -0300
Subject: [PATCH 1/2] [New Rule] Potential ADIDNS Poisoning via Wildcard Record
 Creation

---
 .../credential_access_adidns_wildcard.toml    | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 rules/windows/credential_access_adidns_wildcard.toml

diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
new file mode 100644
index 00000000000..22367c3315c
--- /dev/null
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -0,0 +1,82 @@
+[metadata]
+creation_date = "2024/03/26"
+integration = ["system", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and
+replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces
+some security issues, such as wildcard records, mainly because of the default permission to create DNS-named records.
+Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone,
+becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
+"""
+from = "now-9m"
+index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Potential ADIDNS Poisoning via Wildcard Record Creation"
+references = [
+    "https://www.netspi.com/blog/technical/network-penetration-testing/exploiting-adidns/",
+    "https://www.thehacker.recipes/a-d/movement/mitm-and-coerced-authentications/adidns-spoofing"
+]
+risk_score = 73
+rule_id = "8f242ffb-b191-4803-90ec-0f19942e17fd"
+setup = """## Setup
+
+The 'Audit Directory Service Changes' logging policy must be configured for (Success, Failure).
+Steps to implement the logging policy with Advanced Audit Configuration:
+
+```
+Computer Configuration >
+Policies >
+Windows Settings >
+Security Settings >
+Advanced Audit Policies Configuration >
+Audit Policies >
+DS Access >
+Audit Directory Service Changes (Success,Failure)
+```
+
+The above policy does not cover the target object by default (we still need it to be configured to generate events), so we need to set up an AuditRule using https://github.com/OTRF/Set-AuditRule.
+
+```
+Set-AuditRule -AdObjectPath 'AD:\\CN=MicrosoftDNS,DC=DomainDNSZones,DC=Domain,DC=com' -WellKnownSidType WorldSid -Rights CreateChild -InheritanceFlags Descendents -AttributeGUID e0fa1e8c-9b45-11d0-afdd-00c04fd930c9 -AuditFlags Success
+```
+"""
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Credential Access",
+    "Data Source: Active Directory",
+    "Use Case: Active Directory Monitoring"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+any where host.os.type == "windows" and event.action == "Directory Service Changes" and
+    event.code == "5137" and startsWith(winlog.event_data.ObjectDN, "DC=*,")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1557"
+name = "Adversary-in-the-Middle"
+reference = "https://attack.mitre.org/techniques/T1557/"
+
+
+
+[rule.threat.tactic]
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
+

From 4bc3e1b871abe0142ac4c8f3497ad57484501bd2 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Tue, 26 Mar 2024 11:34:01 -0300
Subject: [PATCH 2/2] Update credential_access_adidns_wildcard.toml

---
 rules/windows/credential_access_adidns_wildcard.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/credential_access_adidns_wildcard.toml b/rules/windows/credential_access_adidns_wildcard.toml
index 22367c3315c..2efd54755c8 100644
--- a/rules/windows/credential_access_adidns_wildcard.toml
+++ b/rules/windows/credential_access_adidns_wildcard.toml
@@ -11,9 +11,9 @@ author = ["Elastic"]
 description = """
 Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and
 replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces
-some security issues, such as wildcard records, mainly because of the default permission to create DNS-named records.
-Attackers can create wildcard records to redirect traffic that doesn't explicitly match records contained in the zone,
-becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
+some security issues, such as wildcard records, mainly because of the default permission (Any authenticated users) to
+create DNS-named records. Attackers can create wildcard records to redirect traffic that doesn't explicitly match
+records contained in the zone, becoming the Man-in-the-Middle and being able to abuse DNS similarly to LLMNR/NBNS spoofing.
 """
 from = "now-9m"
 index = ["winlogbeat-*", "logs-system.*", "logs-windows.*"]