SYSTEM level privileges on a DC that runs a DNS service, as originally researched by Shay Ber here.

DnsAdmins group on a domain. Luckily, our user spotless already belongs to the said group:

DC01 to load our malicious DLL (from the victim controlled network share on host 10.0.0.2) next time the service starts (or when the attacker restarts it):

dnscmd is a Windows utility that allows people with DnsAdmins privileges to manage the DNS server. The utility can be installed by adding DNS Server Tools to your system as shown in the below screengrab.

ServerLevelPluginDll points to our malicious DLL:

DC01

I saw the below error, suggesting there was something off with my DLL:

spotless is not in the Domain Admins group:

addDA.dll, we see that the user spotless is now a member of the Domain Admins:

HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters value ServerLevelPluginDll, especially if it begins with the string \\ in the data field.

DnsPluginInitialize, which is the function that gets invoked when the dnscmd loads our malicious DNS service plugin DLL.