DNSAdmins Privilege Escalation via DLL Injection (dnscmd /serverlevelplugindll)
16 DNS DNS Admin DLL Injection
Query
// Step 1: Detect dnscmd.exe invoked with /serverlevelplugindll
// (registers arbitrary DLL to be loaded by dns.exe at SYSTEM privilege)
let DnscmdAbuse =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4688 // Process Creation (requires audit policy)
| where NewProcessName has "dnscmd.exe"
| where CommandLine has "serverlevelplugindll"
| project
DnscmdTime = TimeGenerated,
Computer,
SubjectAccount = SubjectUserName,
CommandLine;
// Step 2: Detect DNS service restart following the dnscmd call
// Restart is required to load the DLL — without it the attack is incomplete
let DnsServiceRestart =
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 7036 or EventID == 4697
| where Activity has "DNS" or ServiceName contains "DNS"
| project
RestartTime = TimeGenerated,
Computer,
ServiceEvent = Activity;
// Correlate: same Computer, restart within 60 min of dnscmd
DnscmdAbuse
| join kind=inner DnsServiceRestart on Computer
| where abs(datetime_diff("minute", DnscmdTime, RestartTime)) < 60
| project
DnscmdTime,
Computer,
SubjectAccount,
CommandLine,
RestartTime,
ServiceEventExplanation
This query is designed to detect a specific security threat in an Active Directory environment, where someone with DNSAdmins privileges attempts to escalate their privileges using a technique called DLL Injection. Here's a simplified breakdown:
-
What It Detects: The query looks for a method where a member of the DNSAdmins group registers a malicious DLL file to be loaded by the DNS server process (dns.exe), which runs with high-level SYSTEM privileges. This is done using the command
dnscmd.exe /config /serverlevelplugindll. -
How It Works:
- Step 1: It first checks for the execution of
dnscmd.exewith the specific command line argument/serverlevelplugindll, which indicates an attempt to register a DLL. - Step 2: It then looks for a DNS service restart on the same computer within 60 minutes of the
dnscmd.exeexecution. The restart is necessary for the malicious DLL to be loaded and executed.
- Step 1: It first checks for the execution of
-
Why It's Important: This technique allows an attacker to execute code with SYSTEM privileges on a DNS server, which is often a Domain Controller, without needing Domain Admin rights. It was publicly documented in 2017 and has been used in real-world attacks.
-
Severity and Response: The severity is marked as High, indicating a significant security risk. The query runs every hour and triggers an alert if any suspicious activity is detected.
-
Technical Details:
- It uses Security Events data to identify process creation and service restart events.
- It correlates these events to ensure they occur on the same computer within a specified time frame.
-
Output: If the conditions are met, the query generates an alert with details about the user account involved, the computer affected, and the command line used, suggesting that a malicious DLL might have been loaded.
Overall, this query helps security teams identify and respond to potential privilege escalation attempts in their network.
Details

David Alonso
Released: March 26, 2026
Tables
Keywords
Operators
Severity
HighTactics
Frequency: 1h
Period: 1h