DnsAdmins group on a domain. Luckily, our user spotless already belongs to the said group:
DC01 to load our malicious DLL (from the victim controlled network share on host 10.0.0.2) next time the service starts (or when the attacker restarts it):
ServerLevelPluginDll points to our malicious DLL:
DC01 I saw the below error, suggesting there was something off with my DLL:
spotless is not in
addDA.dll, we see that the user spotless is now a member of the
ServerLevelPluginDll, especially if it begins with string \\ in the data field.
DnsPluginInitialize, which is the function that gets invoked when the dnscmd loads our malicious DNS service plugin DLL.