Query Details

DNSAdmins Privilege Escalation via DLL Injection (dnscmd /serverlevelplugindll)

16 DNS DNS Admin DLL Injection

Query

// Step 1: Detect dnscmd.exe invoked with /serverlevelplugindll
// (registers arbitrary DLL to be loaded by dns.exe at SYSTEM privilege)
let DnscmdAbuse =
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == 4688  // Process Creation (requires audit policy)
    | where NewProcessName has "dnscmd.exe"
    | where CommandLine has "serverlevelplugindll"
    | project
        DnscmdTime   = TimeGenerated,
        Computer,
        SubjectAccount = SubjectUserName,
        CommandLine;
// Step 2: Detect DNS service restart following the dnscmd call
// Restart is required to load the DLL — without it the attack is incomplete
let DnsServiceRestart =
    SecurityEvent
    | where TimeGenerated > ago(1h)
    | where EventID == 7036 or EventID == 4697
    | where Activity has "DNS" or ServiceName contains "DNS"
    | project
        RestartTime   = TimeGenerated,
        Computer,
        ServiceEvent  = Activity;
// Correlate: same Computer, restart within 60 min of dnscmd
DnscmdAbuse
| join kind=inner DnsServiceRestart on Computer
| where abs(datetime_diff("minute", DnscmdTime, RestartTime)) < 60
| project
    DnscmdTime,
    Computer,
    SubjectAccount,
    CommandLine,
    RestartTime,
    ServiceEvent

Explanation

This query is designed to detect a specific security threat in an Active Directory environment, where someone with DNSAdmins privileges attempts to escalate their privileges using a technique called DLL Injection. Here's a simplified breakdown:

  1. What It Detects: The query looks for a method where a member of the DNSAdmins group registers a malicious DLL file to be loaded by the DNS server process (dns.exe), which runs with high-level SYSTEM privileges. This is done using the command dnscmd.exe /config /serverlevelplugindll.

  2. How It Works:

    • Step 1: It first checks for the execution of dnscmd.exe with the specific command line argument /serverlevelplugindll, which indicates an attempt to register a DLL.
    • Step 2: It then looks for a DNS service restart on the same computer within 60 minutes of the dnscmd.exe execution. The restart is necessary for the malicious DLL to be loaded and executed.
  3. Why It's Important: This technique allows an attacker to execute code with SYSTEM privileges on a DNS server, which is often a Domain Controller, without needing Domain Admin rights. It was publicly documented in 2017 and has been used in real-world attacks.

  4. Severity and Response: The severity is marked as High, indicating a significant security risk. The query runs every hour and triggers an alert if any suspicious activity is detected.

  5. Technical Details:

    • It uses Security Events data to identify process creation and service restart events.
    • It correlates these events to ensure they occur on the same computer within a specified time frame.
  6. Output: If the conditions are met, the query generates an alert with details about the user account involved, the computer affected, and the command line used, suggesting that a malicious DLL might have been loaded.

Overall, this query helps security teams identify and respond to potential privilege escalation attempts in their network.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

SecurityEvent

Keywords

DNSAdminsDLLInjectionPrivilegeEscalationSYSTEMActiveDirectoryDNSDomainControllerSecurityEventsSecurityEventProcessCreationComputerSubjectAccountCommandLineServiceEventHostAccount

Operators

let|where>ago()==hasprojectorcontainsjoinkind=inneronabs()datetime_diff()<

Severity

High

Tactics

PrivilegeEscalationPersistence

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub