Query Details

RULE 29 AD ADIDNS Wildcard Record Inject

Query

// =========================================================
// RULE-29 | AD-ADIDNS-Wildcard-Record-Inject
// Description : ADIDNS (AD-Integrated DNS) wildcard record
//               injection detection — Event 5137 (Directory
//               Service Object Created) showing a new
//               dnsNode object created with a wildcard (*)
//               name, a duplicate of an existing hostname,
//               or by a non-admin user in a DNS zone.
//               By default any authenticated domain user can
//               create DNS records via ADIDNS. Attackers
//               create wildcard records or pre-register
//               predictable names to:
//               - Capture all unresolved names (MITM)
//               - Force NTLM authentication to attacker IP
//               - Pre-stage "DNS time bombs" for future
//                 machine joins
// Severity    : High (new DNS record by non-admin)
//               Critical (wildcard record)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1557.001 — LLMNR/NBT-NS Poisoning and Relay
//               T1071.004 — DNS
// Tables      : SecurityEvent
// =========================================================

let LookBack = 15m;

// Admin groups allowed to create DNS records
let DNSAdminGroups = dynamic([
    "DNSAdmins", "Domain Admins", "Enterprise Admins",
    "Administrators", "SYSTEM"
]);

// SIDs added to those groups in the last 30 days (4728/4732/4756).
// MemberName in these events is a DN, not the sAMAccountName that 5137
// reports in SubjectUserName, so match on SID (5137 carries SubjectUserSid).
// Caveat: this only sees additions inside the window, not pre-existing
// members or later removals; a watchlist of admin SIDs is more reliable.
let AdminSids = SecurityEvent
    | where TimeGenerated > ago(30d)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName has_any (DNSAdminGroups)
    | summarize by AdminSid = MemberSid;

// DNS node creation events in DomainDnsZones or ForestDnsZones NC
SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 5137
| where ObjectClass =~ "dnsNode"
    or (ObjectDN has_any ("DomainDnsZones", "ForestDnsZones", "_msdcs")
        and ObjectDN has "DC=")
// dnsNode DN layout: DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,...
| extend
    RecordName       = extract(@"^DC=([^,]+)", 1, ObjectDN),
    DNSZone          = extract(@"^DC=[^,]+,DC=([^,]+),CN=MicrosoftDNS", 1, ObjectDN)
// Separate extend: a column cannot be referenced in the extend that defines it
| extend IsWildcard = (RecordName == "*")
// Filter out admin creators and Local System (the DNS server's own writes)
| join kind=leftanti (AdminSids) on $left.SubjectUserSid == $right.AdminSid
| where SubjectUserSid != "S-1-5-18" and SubjectUserName !~ "SYSTEM"
// Tuning: secure dynamic updates are written under the client's computer
// account (SubjectUserName ending in "$"). Baseline or allow-list known
// hosts rather than suppressing all machine accounts, or records registered
// through a compromised machine account will be missed.
| extend
    Severity = case(
        IsWildcard,  "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        iff(IsWildcard, "Wildcard_DNS_Record_MITM_Risk; ", ""),
        "ADIDNS_Record_Created_By_NonAdmin; ",
        "RecordName: ", RecordName, "; ",
        "Zone: ", DNSZone, "; ",
        "Creator: ", SubjectUserName, "@", SubjectDomainName
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    SubjectUserName,
    SubjectDomainName,
    SubjectUserSid,
    RecordName,
    DNSZone,
    ObjectDN,
    IsWildcard,
    Computer
// "Critical" sorts before "High" alphabetically, so asc puts wildcards first
| order by Severity asc, TimeGenerated desc

Explanation

This query is designed to detect suspicious activities related to the creation of DNS records in an Active Directory Integrated DNS (ADIDNS) environment. Here's a simplified explanation:

  1. Purpose: The query identifies potentially malicious DNS record creations, specifically focusing on wildcard records, duplicate hostnames, or records created by non-admin users. Such activities can be indicative of attempts to intercept network traffic or prepare for future attacks.

  2. Severity Levels:

    • Critical: If a wildcard DNS record is created, which can capture all unresolved names and potentially lead to man-in-the-middle attacks.
    • High: If a DNS record is created by a non-admin user, which is unusual and could indicate unauthorized access.

  3. Frequency: The query runs every 15 minutes and looks back over the previous 15 minutes to catch recent suspicious activities.

  4. Process:

    • It first identifies the members of admin groups who are allowed to create DNS records.
    • It then checks for DNS node creation events (Event ID 5137) within the last 15 minutes.
    • It filters out events where the creator is an admin, focusing on non-admin users.
    • It checks if the record is a wildcard or created by a non-admin, assigning a severity level accordingly.
    • It compiles a list of suspicious activities, detailing why they are suspicious, including the record name, DNS zone, and creator information.

  5. Output: The query produces a list of suspicious DNS record creation events, ordered by severity and time, providing details such as the creator's username, domain, record name, DNS zone, and whether the record is a wildcard.

This helps in identifying and responding to potential security threats in the DNS infrastructure of an organization.
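As an added example (not part of the original page or its query), the Python below runs the same classification over a few constructed Event 5137/5136 records: it parses the dnsNode ObjectDN for record name and zone, drops admin and Local System creators by SID (5137 carries SubjectUserSid), and grades wildcard records Critical. The SecurityEvent column names come from the query above; the sample events, SIDs and the ADMIN_SIDS set are constructed stand-ins for the group-membership lookup.

```python
import re

# dnsNode DN layout: DC=<record>,DC=<zone>,CN=MicrosoftDNS,DC=DomainDnsZones,...
DN_RE = re.compile(r"^DC=(?P<name>[^,]+),DC=(?P<zone>[^,]+),CN=MicrosoftDNS,", re.I)

# Constructed sample Event 5137/5136 records (not real telemetry), limited to
# the SecurityEvent columns the query reads.
SAMPLE_EVENTS = [
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "ObjectDN": "DC=*,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",
     "SubjectDomainName": "CORP", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "ObjectDN": "DC=newhost01,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local"},
    {"EventID": 5137, "ObjectClass": "dnsNode", "SubjectUserName": "dnsadmin1",
     "SubjectDomainName": "CORP", "SubjectUserSid": "S-1-5-21-1-2-3-2001",
     "ObjectDN": "DC=srv02,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local"},
    {"EventID": 5136, "ObjectClass": "dnsNode", "SubjectUserName": "jdoe",  # modified, not created
     "SubjectDomainName": "CORP", "SubjectUserSid": "S-1-5-21-1-2-3-1105",
     "ObjectDN": "DC=srv03,DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local"},
]
# Constructed stand-in for the 4728/4732/4756 admin-group membership lookup.
ADMIN_SIDS = {"S-1-5-21-1-2-3-2001"}


def classify(event, admin_sids):
    """Return an alert dict for a dnsNode created by a non-admin, else None."""
    if event["EventID"] != 5137 or event["ObjectClass"].lower() != "dnsnode":
        return None  # only Directory Service object creations of DNS nodes
    sid = event["SubjectUserSid"]
    if sid in admin_sids or sid == "S-1-5-18":
        return None  # admin groups and Local System (the DNS service) are expected
    m = DN_RE.match(event["ObjectDN"])
    if not m:
        return None  # not a record-level DN under CN=MicrosoftDNS
    is_wildcard = m["name"] == "*"
    return {
        "Severity": "Critical" if is_wildcard else "High",
        "RecordName": m["name"], "DNSZone": m["zone"], "IsWildcard": is_wildcard,
        "Creator": f"{event['SubjectUserName']}@{event['SubjectDomainName']}",
        "WhySuspicious": ("Wildcard_DNS_Record_MITM_Risk; " if is_wildcard else "")
        + "ADIDNS_Record_Created_By_NonAdmin",
    }


def run_rule(events, admin_sids):
    """Classify every event; sort like the query ('Critical' < 'High' alphabetically)."""
    alerts = [a for a in (classify(e, admin_sids) for e in events) if a]
    return sorted(alerts, key=lambda a: a["Severity"])
```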

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, DNS, Admin, Domain, User, Computer

Operators

let, dynamic, tolower, ago, in, has_any, summarize, by, where, =~, or, extend, extract, has, join, kind=leftanti, on, not, case, iff, strcat, project, order by, desc, asc
