DNSAdmins exploitation is a well-known attack that allows members of the DNSAdmins group to take over control of a Domain Controller running the Microsoft DNS service.

A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.

Detection Type Related to a Common Vulnerabilities and Exposures (CVE) Available from Tenable.ad version
Generic IOC No 3.21

How the attack works

The attacker must be a member of the DnsAdmins group or have write access to a DNS server object.

According to Microsoft protocol specifications, the attacker can load an arbitrary DLL — without a verification of the DLL path — by editing the ServerLevelPluginDll registry key.

The Microsoft administration tool dnscmd.exe then implements this option: dnscmd.exe /config /serverlevelplugindll \\path\to\dll.

When the system executes this command, it populates the following registry key: HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll.

Then, when the DNS service restarts, it loads the DLL provided and executes the malicious code.

How the IoA works

The DNSAdmins Indicator of Attack (IoA) can detect the successful editing of the dangerous registry key ServerLevelPluginDll. This IoA identifies this first step in the DNSAdmins exploitation attack before the system loads and executes the malicious DLL.

It provides the security team with the malicious DLL path to let the defending team perform further investigation.

Specific modifications to the environment

To have the required DNS audit logs, a Windows Server 2012 R2 domain controller must have the hotfix KB2956577 installed. There is nothing to do for Windows Server 2016 and later versions.

For this IoA to detect DNSAdmins exploitation, the IoA script automatically enables the "Microsoft-Windows-DNSServer/Audit" channel by adding the registry key Microsoft-Windows-DNSServer/Audit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.

Note: If you previously configured log retention for this specific channel, adding this registry key overrides the initial configuration. Previous events before this configuration are no longer visible.
Note: Tenable.ad supports all operating systems from Windows Server 2012 R2.

Events Auditing Policy

Provider Name Channel Event IDs Audit Policies Value
Microsoft-Windows-Security-Auditing Security 4624

├ Category: Logon/Logoff

└─ Sub-category: Audit Logon


Event IDs Provider Name Channel to enable
541 Microsoft-Windows-DNSServer Microsoft-Windows-DNSServer/Audit
Other requirements
Sysmon extension No
Honey Account No

See also