DNSAdmins exploitation is a well-known attack that allows members of the DNSAdmins group to take control of a Domain Controller running the Microsoft DNS service.
A member of the DNSAdmins group has rights to perform administrative tasks on the Active Directory DNS service. Attackers can abuse these rights to execute malicious code in a highly privileged context.
| Detection Type | Related to a Common Vulnerabilities and Exposures (CVE) | Available from Tenable.ad version |
| --- | --- | --- |
How the attack works
The attacker must be a member of the DnsAdmins group or have write access to a DNS server object.
According to Microsoft protocol specifications, the DNS server loads an arbitrary DLL — without verifying the DLL path — specified in the ServerLevelPluginDll registry key, so an attacker only needs to edit that key.
The Microsoft administration tool dnscmd.exe exposes this option directly: dnscmd.exe /config /serverlevelplugindll \\path\to\dll.
When the system executes this command, it populates the following registry key: HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll.
Then, when the DNS service restarts, it loads the DLL provided and executes the malicious code.
How the IoA works
The DNSAdmins Indicator of Attack (IoA) can detect the successful editing of the dangerous registry key ServerLevelPluginDll. This IoA identifies this first step in the DNSAdmins exploitation attack before the system loads and executes the malicious DLL.
It provides the security team with the path of the malicious DLL so that defenders can investigate further.
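As an added example (not part of Tenable's documentation or product), the following PowerShell check lets an administrator look on a DNS server for the same artifacts the IoA watches: a populated ServerLevelPluginDll value under the registry key named above, and a present, enabled Microsoft-Windows-DNSServer/Audit channel. The key path and channel name come from this page; matching audit events on their message text is an assumption made here.

```powershell
# Added example (not Tenable.ad code): defender-side check for the two
# artifacts this page describes: a populated ServerLevelPluginDll value and
# the Microsoft-Windows-DNSServer/Audit channel needed to observe the change.
# Run as an administrator on the DNS server / domain controller.

$paramKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName = 'ServerLevelPluginDll'

# 1. Read the registry value directly. On a healthy server it is absent or empty.
$plugin = (Get-ItemProperty -Path $paramKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ([string]::IsNullOrWhiteSpace($plugin)) {
    Write-Output "[OK] $valueName is not set."
} else {
    # Anything here is a DLL the DNS service will load at its next restart; treat it as a finding.
    Write-Warning "[FINDING] $valueName = '$plugin'"
    if ($plugin -match '^\\\\') {
        Write-Warning '  Path is a UNC share: the DLL would be fetched from a remote host.'
    }
}

# 2. Confirm the audit channel the IoA relies on is present and enabled.
$audit = Get-WinEvent -ListLog 'Microsoft-Windows-DNSServer/Audit' -ErrorAction SilentlyContinue
if (-not $audit) {
    Write-Warning '[GAP] Audit channel not found (Windows Server 2012 R2 needs hotfix KB2956577).'
} elseif (-not $audit.IsEnabled) {
    Write-Warning '[GAP] Audit channel exists but is disabled; setting changes will not be logged.'
} else {
    Write-Output "[OK] Audit channel enabled, $($audit.RecordCount) records present."
    # 3. Look back for audit events that mention the setting. Filtering on the message
    #    text is an assumption made in this example; confirm the event IDs your
    #    DNS server actually emits for server-level setting changes.
    Get-WinEvent -LogName 'Microsoft-Windows-DNSServer/Audit' -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $valueName } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message |
        Format-List
}
```

A non-empty value is worth treating as an incident even when the path looks local, since the DLL runs in the DNS service's context as soon as the service restarts.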
Specific modifications to the environment
To have the required DNS audit logs, a Windows Server 2012 R2 domain controller must have the hotfix KB2956577 installed. There is nothing to do for Windows Server 2016 and later versions.
For this IoA to detect DNSAdmins exploitation, the IoA script automatically enables the "Microsoft-Windows-DNSServer/Audit" channel by adding the registry key Microsoft-Windows-DNSServer/Audit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog.
Events Auditing Policy