Detection rules › Elastic
Creation of a DNS-Named Record
Active Directory Integrated DNS (ADIDNS) is one of the core components of AD DS, leveraging AD's access control and replication to maintain domain consistency. It stores DNS zones as AD objects, a feature that, while robust, introduces some security issues because of the default permission (Any authenticated users) to create DNS-named records. Attackers can perform Dynamic Spoofing attacks, where they monitor LLMNR/NBT-NS requests and create DNS-named records to target systems that are requested from multiple systems. They can also create specific records to target specific services, such as wpad, for spoofing attacks.
MITRE ATT&CK coverage
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5137 | A directory service object was created. |
Stages and Predicates
Stage 1: eql:any
not winlog.event_data.SubjectUserName:"*$" and winlog.event_data.ObjectClass:"dnsNode"Exclusions
Top-level NOT(...) conjuncts — predicates this rule actively suppresses.
| Stage | Field | Kind | Excluded values |
|---|---|---|---|
| 1 | user | ends_with | $ |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
winlog.event_data.ObjectClass | eq |
|