Operator On The Wire
BLUE TEAM / THREAT HUNT / ACTIVE DIRECTORY / DNS

ADIDNS Poisoning

This note documents detection patterns related to ADIDNS Poisoning within Active Directory environments.


Direct Indicators

Log | Event ID | Meaning | Forensic Value | Notes
Security | 5136 | Directory object modified | Critical | Modification or creation of DNS records in Active Directory Integrated DNS zones.
Security | 4662 | Operation performed on object | High | LDAP operations modifying DNS node objects.
Security | 5145 | Network share object checked | Medium | Access to DNS configuration files or zone data.
Sysmon | 1 | Process creation | Medium | Execution of tools modifying DNS records.
Sysmon | 3 | Network connection | Medium | LDAP or RPC communication with domain controllers for DNS modification.
DNS Server Log | 257 | Dynamic DNS update | Critical | Creation or modification of DNS record in AD zone.

Indirect Indicators

Indicator | What To Look For | Forensic Value | Notes
Unexpected DNS record creation | New A or CNAME records pointing to attacker-controlled hosts | Critical | Typical poisoning indicator.
DNS records created by user accounts | Non-admin account creating DNS entries | High | Often indicates abuse of default permissions.
DNS entries resolving to internal attacker host | DNS record pointing to workstation IP | High | Used for relay or credential capture.
Rapid DNS modifications | Multiple DNS node updates in short time | Medium | Possible automated attack.
DNS records targeting authentication services | Records pointing to LDAP/SMB services | High | Used to redirect authentication traffic.
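The indicators in the table can be evaluated directly from Security 5136 events, because the event carries the creator (SubjectUserName), the node's distinguished name (ObjectDN) and the new dnsRecord value. The following added example (not part of the original note) decodes the dnsRecord blob using the MS-DNSP DNS_RPC_RECORD layout and scores each record creation against the indicators above. It assumes the attribute value is presented as a hex string, as the event renders binary attribute values; the field subset, the environment constants (DNS_ADMIN_ACCOUNTS, WORKSTATION_RANGES, AUTH_SERVICE_NAMES, the burst threshold) and all sample events are constructed.

```python
"""Score Windows Security 5136 events for ADIDNS poisoning indicators.
Added example: the event field subset, the environment constants and all
sample data are constructed."""
import struct
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Environment knowledge the analyst maintains (constructed values).
DNS_ADMIN_ACCOUNTS = {"svc_dnsadmin"}                         # accounts expected to manage DNS
WORKSTATION_RANGES = [ipaddress.ip_network("10.20.0.0/16")]    # client subnets
AUTH_SERVICE_NAMES = {"dc01", "dc02"}                          # names an attacker must never own
BURST_COUNT, BURST_WINDOW = 3, timedelta(minutes=5)            # "rapid modifications" threshold

# dnsRecord layout (MS-DNSP DNS_RPC_RECORD): DataLength, Type, Version, Rank,
# Flags, Serial (little-endian), TtlSeconds (big-endian), Reserved, TimeStamp,
# then Data.  Windows logs the value in 5136 as a hex string.
_HDR_FMT, _HDR_LEN = "<HHBBHL", 24
RR_TYPES = {0: "TOMBSTONE", 1: "A", 5: "CNAME", 28: "AAAA"}


def decode_dns_record(hex_blob):
    """Decode type, TTL and target from a hex-encoded dnsRecord value."""
    raw = bytes.fromhex(hex_blob)
    data_len, rtype, _ver, _rank, _flags, _serial = struct.unpack_from(_HDR_FMT, raw, 0)
    ttl = struct.unpack_from(">L", raw, 12)[0]
    data = raw[_HDR_LEN:_HDR_LEN + data_len]
    if rtype == 1 and data_len == 4:
        target = str(ipaddress.IPv4Address(data))
    elif rtype == 28 and data_len == 16:
        target = str(ipaddress.IPv6Address(data))
    else:
        target = data.hex()            # CNAME etc. use a counted-name encoding; left raw here
    return {"type": RR_TYPES.get(rtype, f"TYPE{rtype}"), "ttl": ttl, "target": target}


def parse_object_dn(dn):
    """'DC=<record>,DC=<zone>,CN=MicrosoftDNS,...' -> (record, zone), else None."""
    if "CN=MicrosoftDNS" not in dn:
        return None
    dcs = [p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC=")]
    return (dcs[0], dcs[1]) if len(dcs) >= 2 else None


def score_events(events):
    """One finding per dnsRecord 'Value Added' (%%14674) event, with the indicators it triggers."""
    times_by_user = defaultdict(list)
    for ev in events:
        times_by_user[ev["SubjectUserName"].lower()].append(datetime.fromisoformat(ev["time"]))
    findings = []
    for ev in events:
        if ev.get("AttributeLDAPDisplayName") != "dnsRecord" or ev.get("OperationType") != "%%14674":
            continue
        parsed = parse_object_dn(ev["ObjectDN"])
        if parsed is None:
            continue
        record, zone = parsed
        user, t = ev["SubjectUserName"].lower(), datetime.fromisoformat(ev["time"])
        rr = decode_dns_record(ev["AttributeValue"])
        hits = ["record_created"]
        if user not in DNS_ADMIN_ACCOUNTS:
            hits.append("non_admin_creator")
        if rr["type"] in ("A", "AAAA") and any(ipaddress.ip_address(rr["target"]) in n for n in WORKSTATION_RANGES):
            hits.append("workstation_target")
        if record.lower() in AUTH_SERVICE_NAMES:
            hits.append("auth_service_name")
        if sum(abs(o - t) <= BURST_WINDOW for o in times_by_user[user]) >= BURST_COUNT:
            hits.append("burst")
        if "auth_service_name" in hits or {"non_admin_creator", "workstation_target"} <= set(hits):
            severity = "critical"
        elif len(hits) > 1:
            severity = "high"
        else:
            severity = "low"
        findings.append({"time": ev["time"], "user": user, "record": record, "zone": zone,
                         **rr, "indicators": hits, "severity": severity})
    return findings


# --- constructed sample data -------------------------------------------------
def _record_hex(ip, serial, ttl):
    """Build an A-record dnsRecord blob (test data only; same layout decode_dns_record reads)."""
    data = ipaddress.IPv4Address(ip).packed
    return (struct.pack(_HDR_FMT, len(data), 1, 5, 0xF0, 0, serial)
            + struct.pack(">L", ttl) + struct.pack("<LL", 0, 0) + data).hex()


def _ev(time, user, record, value):
    return {"time": time, "SubjectUserName": user, "AttributeLDAPDisplayName": "dnsRecord",
            "OperationType": "%%14674", "AttributeValue": value,
            "ObjectDN": f"DC={record},DC=corp.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=local"}


SAMPLE_EVENTS = [
    _ev("2024-03-04T09:15:02", "svc_dnsadmin", "fileserver01", _record_hex("10.0.0.5", 90, 600)),
    _ev("2024-03-04T09:41:10", "jdoe", "app-portal", _record_hex("10.20.30.44", 91, 180)),
    _ev("2024-03-04T09:41:11", "jdoe", "intranet-new", _record_hex("10.20.30.44", 92, 180)),
    _ev("2024-03-04T09:41:13", "jdoe", "printsrv2", _record_hex("10.20.30.44", 93, 180)),
]

if __name__ == "__main__":
    for f in score_events(SAMPLE_EVENTS):
        print(f"{f['severity']:8} {f['user']:13} {f['record']}.{f['zone']} {f['type']} -> {f['target']} {f['indicators']}")
```

The admin's record on the server subnet scores low, while the three records a regular user adds within seconds, all pointing at a workstation address, trigger the non-admin, workstation-target and burst indicators together and score critical. Note that 5136 is only emitted when Directory Service Changes auditing is enabled and the zone container carries a matching SACL; without both, the event is simply absent.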

Common Tools

Tool | Usage
dnstool.py | Adds or modifies DNS records in AD-integrated zones.
Powermad | Creates machine accounts and DNS records.
PowerView | Used to manipulate ADIDNS entries.
Impacket | Provides scripts for DNS manipulation.
ADSIEdit | Manual modification of DNS node objects.

Relevant Artifacts

  • Domain controller Security logs (5136, 4662)
  • DNS server logs
  • Active Directory object metadata
  • LDAP modification logs
  • Sysmon logs (1, 3)
  • EDR telemetry identifying AD manipulation tools
  • DNS query logs
  • Prefetch artifacts for DNS manipulation tooling

MITRE ATT&CK References

  • T1565 Data Manipulation
  • T1565.001 Stored Data Manipulation
  • T1046 Network Service Discovery

Decision Tree

  1. Is the suspicious event present?
    • Identify DNS record creation or modification events.
  2. What host generated the event?
    • Determine the workstation that performed the DNS update.
  3. Is the account expected to perform this action?
    • Investigate whether the account normally manages DNS.
  4. Pivot:
    • Source host → inspect execution of dnstool or Powermad.
    • DNS record → determine the target IP address and service.
    • Network → analyze authentication attempts that used the poisoned record.
  5. Confirm exploitation:
    • Determine whether the DNS poisoning redirected authentication or traffic.
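Steps 2 to 5 of the tree are a correlation exercise: a 5136 event names the account but not the client that wrote the object, so the source host has to be recovered from Sysmon network telemetry, and the "confirm" step comes from DNS server query data showing other clients resolving the new name. The added example below (not from the original note) walks those steps for one finding. Field names follow common Sysmon event 1 and 3 naming, the DNS query records are a simplified constructed shape rather than any product's native log format, and DC_ADDRESSES, DNS_ADMIN_ACCOUNTS and every sample value are constructed.

```python
"""Walk the decision tree for one suspicious 5136 finding by pivoting into
Sysmon and DNS server query telemetry.  Added example; all sample data,
constants and the simplified DNS query record shape are constructed."""
from datetime import datetime, timedelta

DC_ADDRESSES = {"10.0.0.10"}                 # constructed: domain controller IPs
LDAP_PORTS = {389, 636, 3268, 3269}
DNS_ADMIN_ACCOUNTS = {"svc_dnsadmin"}        # constructed: accounts expected to manage DNS
PIVOT_WINDOW = timedelta(minutes=2)


def _t(s):
    return datetime.fromisoformat(s)


def _same_user(sysmon_user, account):
    """Sysmon logs 'DOMAIN\\user'; 5136 logs the bare account name."""
    return sysmon_user.split("\\")[-1].lower() == account.lower()


def triage(finding, sysmon3, sysmon1, dns_queries):
    """Steps 2-5 of the decision tree for a single record-creation finding."""
    t0 = _t(finding["time"])
    fqdn = f"{finding['record']}.{finding['zone']}".lower()

    # Step 2: 5136 carries no client address, so find the host whose user made
    # an LDAP connection to a DC around the time the object was written.
    ldap_hits = [e for e in sysmon3
                 if _same_user(e["User"], finding["user"])
                 and e["DestinationIp"] in DC_ADDRESSES
                 and int(e["DestinationPort"]) in LDAP_PORTS
                 and abs(_t(e["time"]) - t0) <= PIVOT_WINDOW]
    source_hosts = sorted({e["Computer"] for e in ldap_hits})
    source_ips = {e["SourceIp"] for e in ldap_hits}

    # Step 3: is this account expected to manage DNS?
    expected = finding["user"].lower() in DNS_ADMIN_ACCOUNTS

    # Step 4 (source host): what ran there around the event?
    processes = sorted({e["Image"].rsplit("\\", 1)[-1] for e in sysmon1
                        if e["Computer"] in source_hosts
                        and abs(_t(e["time"]) - t0) <= PIVOT_WINDOW})

    # Step 4 (record) and step 5: did other clients resolve the new name after
    # it existed?  Lookups from the source host itself are not victims.
    resolvers = {q["client"] for q in dns_queries
                 if q["qname"].rstrip(".").lower() == fqdn and _t(q["time"]) >= t0}
    victims = sorted(resolvers - source_ips)

    if victims and not expected:
        verdict = "confirmed_redirection"
    elif not expected:
        verdict = "suspicious_no_victims_yet"
    else:
        verdict = "expected_admin_activity"
    return {"fqdn": fqdn, "target": finding["target"], "source_hosts": source_hosts,
            "processes": processes, "victims": victims, "verdict": verdict}


# --- constructed sample telemetry -------------------------------------------
FINDING = {"time": "2024-03-04T09:41:10", "user": "jdoe", "record": "app-portal",
           "zone": "corp.local", "target": "10.20.30.44"}

SYSMON3 = [  # network connections (event 3)
    {"time": "2024-03-04T09:41:08", "Computer": "WS-0142", "User": "CORP\\jdoe",
     "SourceIp": "10.20.30.44", "DestinationIp": "10.0.0.10", "DestinationPort": "389"},
    {"time": "2024-03-04T09:30:00", "Computer": "WS-0077", "User": "CORP\\asmith",
     "SourceIp": "10.20.31.7", "DestinationIp": "10.0.0.10", "DestinationPort": "389"},
]
SYSMON1 = [  # process creations (event 1)
    {"time": "2024-03-04T09:41:05", "Computer": "WS-0142", "Image": "C:\\Tools\\python.exe"},
    {"time": "2024-03-04T09:05:00", "Computer": "WS-0142", "Image": "C:\\Windows\\explorer.exe"},
    {"time": "2024-03-04T09:41:06", "Computer": "WS-0077", "Image": "C:\\Windows\\notepad.exe"},
]
DNS_QUERIES = [  # simplified DNS server query records: who asked for what, when
    {"time": "2024-03-04T09:40:00", "client": "10.20.31.7", "qname": "app-portal.corp.local."},   # before creation
    {"time": "2024-03-04T09:42:00", "client": "10.20.30.44", "qname": "app-portal.corp.local."},  # source host itself
    {"time": "2024-03-04T09:43:12", "client": "10.20.31.7", "qname": "app-portal.corp.local."},
    {"time": "2024-03-04T09:44:01", "client": "10.20.31.9", "qname": "APP-PORTAL.corp.local"},
    {"time": "2024-03-04T09:45:00", "client": "10.20.31.7", "qname": "fileserver01.corp.local."},
]

if __name__ == "__main__":
    for k, v in triage(FINDING, SYSMON3, SYSMON1, DNS_QUERIES).items():
        print(f"{k:13}: {v}")
```

With the sample data the finding resolves to WS-0142 (the only host where jdoe opened LDAP to a DC in the window), python.exe as the process of interest on that host, and two other clients that resolved the new name after it was created, which is what confirms redirection rather than a mere attempt. The query-before-creation line and the source host's own lookup are deliberately excluded.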

Example Detection Templates

KQL

// Directory object changes to DNS node objects.  CN=MicrosoftDNS covers the
// DomainDnsZones and ForestDnsZones partitions and the legacy System container.
SecurityEvent
| where EventID == 5136
| where ObjectDN contains "CN=MicrosoftDNS"
| project TimeGenerated, Computer, SubjectUserName, ObjectDN, OperationType, AttributeLDAPDisplayName, AttributeValue

// Resolution volume per name and answer; a name that suddenly resolves to an
// internal client address stands out here.
DnsEvents
| summarize count() by Name, IPAddresses, bin(TimeGenerated, 5m)

EQL

// Directory object modified, scoped to DNS node objects; the field path follows the Winlogbeat / Elastic Agent mapping
any where event.code == "5136" and winlog.event_data.ObjectDN : "*CN=MicrosoftDNS*"

Sigma

title: Suspicious ADIDNS Record Modification
id: adidns-poisoning-detection
status: experimental
description: Detects modifications to AD-integrated DNS records
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 5136
    ObjectDN|contains: 'CN=MicrosoftDNS'
  condition: selection
fields:
  - SubjectUserName
  - ObjectDN
  - AttributeLDAPDisplayName
  - AttributeValue
falsepositives:
  - Legitimate DNS administration
  - Secure dynamic updates performed by domain members
level: high
tags:
  - attack.persistence
  - attack.t1565.001

Mitigation & Hardening

Control Area | Mitigation | Effectiveness | Notes
DNS permissions | Restrict who can create DNS records | Critical | Prevents unauthorized record creation.
Monitoring | Alert on DNS node modifications | High | Detects poisoning attempts.
Network monitoring | Monitor unusual DNS resolutions | High | Identifies traffic redirection.
Least privilege | Remove default DNS update rights | Medium | Reduces attack surface.
Threat hunting | Review newly created DNS records | Medium | Detects suspicious entries.
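The first and fourth rows come down to the zone object's DACL: the grant that lets broad groups create child objects under the zone is what makes record creation by ordinary accounts possible. The added example below (not from the original note) parses an SDDL descriptor for a zone, flags Allow ACEs that give a broad principal any create or write right, and emits the hardened descriptor with those ACEs removed, so the weak and corrected settings can be compared side by side. The SDDL string is constructed and abbreviated; a real zone descriptor is longer and should be read from the directory itself, for instance with Get-Acl on the AD: drive or with dsacls.

```python
"""Audit an ADIDNS zone DACL for broad principals holding write-class rights
and produce the hardened DACL.  Added example; the sample SDDL is constructed."""
import re

# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))+)")

# Active Directory access-right codes and bit values (the rights field may be
# written either as two-letter codes or as a hex mask).
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
WRITE_RIGHTS = {"CC", "DC", "WP", "DT", "WD", "WO", "GA", "GW"}

# Well-known SID aliases that mean "nearly every account in the forest".
BROAD_PRINCIPALS = {"AU": "Authenticated Users", "WD": "Everyone", "DU": "Domain Users",
                    "DC": "Domain Computers", "BU": "Users"}


def decode_rights(field):
    """Rights field -> set of two-letter codes, whether written as codes or a hex mask."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {field[i:i + 2] for i in range(0, len(field), 2)}


def parse_dacl(sddl):
    """The DACL's ACEs as dicts; raw text is kept so an ACE can be removed verbatim."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    return [{"raw": a.group(0), "type": a.group(1), "flags": a.group(2),
             "rights": decode_rights(a.group(3)), "object_guid": a.group(4),
             "inherit_guid": a.group(5), "sid": a.group(6)}
            for a in ACE_RE.finditer(m.group(1))]


def find_weak_aces(sddl):
    """Allow ACEs that give a broad principal any right to create or change records."""
    return [a for a in parse_dacl(sddl)
            if a["type"] in ("A", "OA") and a["sid"] in BROAD_PRINCIPALS and a["rights"] & WRITE_RIGHTS]


def harden(sddl):
    """The same descriptor with the weak ACEs removed; read-only grants are left alone."""
    for ace in find_weak_aces(sddl):
        sddl = sddl.replace(ace["raw"], "", 1)
    return sddl


# Constructed, abbreviated DACL resembling a default AD-integrated zone: full
# control for Domain Admins, Enterprise Admins and SYSTEM, read for Enterprise
# Domain Controllers and Authenticated Users, plus the Create Child grant to
# Authenticated Users that lets any account add records.
SAMPLE_ZONE_SDDL = ("O:DAG:DAD:AI"
                    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
                    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;EA)"
                    "(A;CI;LCRPLORC;;;ED)"
                    "(A;CI;LCRPLORC;;;AU)"
                    "(A;CI;CC;;;AU)"
                    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)")

if __name__ == "__main__":
    for ace in find_weak_aces(SAMPLE_ZONE_SDDL):
        print(f"weak: {ace['raw']}  {BROAD_PRINCIPALS[ace['sid']]} -> {sorted(ace['rights'] & WRITE_RIGHTS)}")
    print("hardened:", harden(SAMPLE_ZONE_SDDL))
```

Only the Create Child ACE for Authenticated Users is flagged; the read ACE for the same group and the full-control ACEs for the administrative groups survive hardening. That Create Child grant is also what lets domain members register their own records through secure dynamic update, so removing it needs a replacement path (registration by the DHCP server under a dedicated account, or explicit grants to the accounts that must register) or name registration will start failing for ordinary hosts.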