Query Details

RULE 09 AD Dns Admins DLL Injection

Query

// =========================================================
// RULE-09 | AD-DnsAdmins-DLL-Injection
// Description : DnsAdmins DLL injection on DC — detects the
//               chain of:
//               1. A user added to the DnsAdmins group
//                  (4728 / 4732 / 4756)
//               2. DNS Server service being restarted or a new
//                  DLL path configured (WindowsEvent System
//                  channel EventID 7036 / 7040 / 7045, or 4688
//                  showing dnscmd with /serverlevelplugindll)
//               Members of DnsAdmins can set
//               ServerLevelPluginDll on the DNS service,
//               which runs as SYSTEM on the DC.  Restarting
//               DNS loads the attacker's DLL as SYSTEM →
//               instant DC compromise.
// Severity    : High (DnsAdmins add) → Critical (dnscmd DLL
//               config + DNS restart on same host)
// Frequency   : Every 15 minutes, look-back 15 minutes
// MITRE       : T1543.003 — Windows Service
//               T1574.002 — DLL Side-Loading
// Tables      : SecurityEvent, WindowsEvent (System channel)
// =========================================================

let LookBack = 15m;

// --- Signal 1: User added to DnsAdmins group ---
let DnsAdminsAdditions = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID in (4728, 4732, 4756)
    | where TargetUserName =~ "DnsAdmins"
    | project
        AddTime    = TimeGenerated,
        NewMember  = MemberName,
        AddedBy    = SubjectUserName,
        DC         = Computer;

// --- Signal 2: dnscmd /serverlevelplugindll via process creation ---
let DnscmdDLLConfig = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4688
    | where CommandLine has_any ("dnscmd", "sc stop dns", "sc start dns",
                                  "net stop dns", "net start dns")
       and (CommandLine has "serverlevelplugindll"
            or CommandLine has_any ("sc stop", "sc start", "net stop", "net start"))
    | extend
        DllPath    = extract(@"(?i)/serverlevelplugindll\s+(\S+)", 1, CommandLine)
    | project
        CmdTime    = TimeGenerated,
        Actor      = SubjectUserName,
        ActorDom   = SubjectDomainName,
        CmdLine    = CommandLine,
        DllPath,
        Host       = Computer;

// --- Signal 3: DNS service restart / new service from WindowsEvent ---
let DnsServiceEvents = WindowsEvent
    | where TimeGenerated > ago(LookBack)
    | where Channel == "System"
    | where EventID in (7036, 7040, 7045)        // Service started/stopped/installed
    | where EventData has_any ("DNS Server", "dns")
    | project
        SvcTime    = TimeGenerated,
        EventID_   = EventID,
        SvcDetail  = EventData,
        Host       = Computer;

// --- Combine and correlate ---
DnsAdminsAdditions
| join kind=leftouter (DnscmdDLLConfig) on $left.DC == $right.Host
| join kind=leftouter (DnsServiceEvents) on $left.DC == $right.Host
| extend
    HasDLLConfig   = isnotempty(CmdLine),
    HasServiceEvt  = isnotempty(SvcDetail),
    Severity = case(
        HasDLLConfig and HasServiceEvt, "Critical",
        HasDLLConfig,                   "Critical",
        HasServiceEvt,                  "High",
        "High"
    ),
    WhySuspicious = strcat(
        "DnsAdmins_Member_Added: ", NewMember, "; ",
        iff(HasDLLConfig,  strcat("DLL_Config_via_dnscmd: ", DllPath, "; "), ""),
        iff(HasServiceEvt, "DNS_Service_Modified; ", "")
    )
| project
    TimeGenerated    = AddTime,
    Severity,
    WhySuspicious,
    NewMember,
    AddedBy,
    DC,
    DllPath,
    CmdLine,
    HasDLLConfig,
    HasServiceEvt
| order by TimeGenerated desc

Explanation

This query is designed to detect potential security threats related to the DnsAdmins group and the DNS Server service on a domain controller (DC). Here's a simplified breakdown of what the query does:

  1. Purpose: The query aims to identify suspicious activity that could indicate a compromise of the DC through DnsAdmins DLL injection. It checks whether a user was added to the DnsAdmins group and whether there were suspicious configuration changes or restarts of the DNS service on the same DC.

  2. Signals:

    • Signal 1: Group-membership events (4728, 4732, 4756) where a user is added to the DnsAdmins group. This is a potential security risk because members of this group can configure the DNS service to load a DLL of their choosing.
    • Signal 2: Process-creation events (4688) whose command line involves the dnscmd tool or DNS service start/stop commands, which might indicate an attempt to configure a malicious DLL for the DNS service; the path following /serverlevelplugindll is extracted into DllPath.
    • Signal 3: System-channel events (7036, 7040, 7045) indicating the DNS service was started, stopped, or a new service was installed, which could be part of an attack to load a malicious DLL.

  3. Correlation: The query combines these signals by host (DC) using left outer joins, so every DnsAdmins addition is reported even when no DLL configuration or service event accompanies it. If a user is added to DnsAdmins and there are suspicious DNS configurations or service restarts on the same DC, it raises an alert.

  4. Severity Levels:

    • If both a DLL configuration and a DNS service event are detected, the severity is marked as "Critical".
    • If only one of these activities is detected, it is marked as "High".

  5. Output: The query outputs a list of suspicious activities, including the time they occurred, the severity of the threat, details of the suspicious actions (WhySuspicious, DllPath, CmdLine), and the users involved (NewMember, AddedBy).

  6. Frequency: The query runs every 15 minutes and looks back at the last 15 minutes of data to ensure timely detection of potential threats.

Overall, this query is a security measure to detect and alert on potential compromises of a DC through unauthorized modifications to the DNS service by members of the DnsAdmins group.
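To show how the three signals, the left outer joins and the severity grading fit together, here is an added Python re-implementation of the correlation run over a handful of constructed SecurityEvent and WindowsEvent rows. It is example code written for this page, not part of the original query or of any Sentinel content; the sample rows, host names and DLL path are constructed.

```python
import re
from itertools import product
# Constructed sample rows standing in for SecurityEvent and WindowsEvent (not real telemetry).
SECURITY_EVENTS = [
    {"EventID": 4732, "TargetUserName": "DnsAdmins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=local",
     "SubjectUserName": "helpdesk1", "Computer": "DC01", "CommandLine": ""},
    {"EventID": 4688, "TargetUserName": "", "MemberName": "", "SubjectUserName": "jdoe", "Computer": "DC01",
     "CommandLine": r"dnscmd.exe DC01 /config /serverlevelplugindll C:\Windows\Temp\plugin.dll"},
    {"EventID": 4732, "TargetUserName": "DnsAdmins", "MemberName": "CN=svc-dns,CN=Users,DC=corp,DC=local",
     "SubjectUserName": "admin", "Computer": "DC02", "CommandLine": ""},
]
WINDOWS_EVENTS = [{"EventID": 7036, "Channel": "System", "Computer": "DC01",
                   "EventData": "The DNS Server service entered the stopped state."}]
DLL_RE = re.compile(r"(?i)/serverlevelplugindll\s+(\S+)")   # same extract() pattern as the query
SVC_CTL = ("sc stop", "sc start", "net stop", "net start")
def dnsadmins_additions(rows):
    """Signal 1: member added to DnsAdmins (4728/4732/4756)."""
    return [{"NewMember": r["MemberName"], "AddedBy": r["SubjectUserName"], "DC": r["Computer"]}
            for r in rows if r["EventID"] in (4728, 4732, 4756) and r["TargetUserName"].lower() == "dnsadmins"]
def dnscmd_dll_config(rows):
    """Signal 2: 4688 with dnscmd or DNS service control on the command line."""
    out = []
    for r in rows:
        cl = r["CommandLine"].lower()
        if r["EventID"] != 4688 or not ("dnscmd" in cl or any(f"{s} dns" in cl for s in SVC_CTL)):
            continue
        if "serverlevelplugindll" in cl or any(s in cl for s in SVC_CTL):
            m = DLL_RE.search(r["CommandLine"])
            out.append({"CmdLine": r["CommandLine"], "DllPath": m.group(1) if m else "", "Host": r["Computer"]})
    return out
def dns_service_events(rows):
    """Signal 3: System-channel 7036/7040/7045 mentioning the DNS service."""
    return [{"SvcDetail": r["EventData"], "Host": r["Computer"]} for r in rows
            if r["Channel"] == "System" and r["EventID"] in (7036, 7040, 7045) and "dns" in r["EventData"].lower()]
def correlate(sec_rows, win_rows):  # left-outer join both signals onto each addition by DC == Host
    dll, svc = dnscmd_dll_config(sec_rows), dns_service_events(win_rows)
    alerts = []
    for add in dnsadmins_additions(sec_rows):
        dll_m = [d for d in dll if d["Host"] == add["DC"]] or [None]   # [None] keeps the unmatched left row
        svc_m = [s for s in svc if s["Host"] == add["DC"]] or [None]
        for d, s in product(dll_m, svc_m):
            has_dll, has_svc = d is not None, s is not None
            why = f"DnsAdmins_Member_Added: {add['NewMember']}; "
            why += f"DLL_Config_via_dnscmd: {d['DllPath']}; " if has_dll else ""
            why += "DNS_Service_Modified; " if has_svc else ""
            # The query's case() yields Critical whenever HasDLLConfig is true, otherwise High.
            alerts.append({**add, "Severity": "Critical" if has_dll else "High",
                           "DllPath": d["DllPath"] if has_dll else "", "WhySuspicious": why})
    return alerts
```

Running `correlate(SECURITY_EVENTS, WINDOWS_EVENTS)` yields one Critical alert for DC01 (addition plus dnscmd plugin DLL plus service stop) and one High alert for DC02 (addition only), mirroring the rows the KQL query would return.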

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent, WindowsEvent
