This note documents detection patterns related to DNSAdmins DLL Injection within Active Directory environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4728	Member added to security-enabled global group	Critical	Account added to DNSAdmins group enabling privilege escalation.
Security	5136	Directory object modified	High	DNS configuration modifications including `ServerLevelPluginDll`.
Security	7045	Service installed	High	Malicious DLL or service may be installed prior to DNS service reload.
System	7036	Service state changed	High	DNS service restart after plugin configuration change.
Security	4688	Process created	Medium	Execution of dnscmd or PowerShell modifying DNS server configuration.
Sysmon	7	Image loaded	Critical	DNS service loading attacker-controlled DLL file.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Modification of ServerLevelPluginDll	Registry change pointing to attacker DLL	Critical	Core indicator of DNSAdmins privilege escalation.
DNS service restart	Service restart after plugin modification	High	Required for malicious DLL to load.
DLL loaded by dns.exe	Unusual library loaded into DNS service process	Critical	Strong exploitation evidence.
Execution of dnscmd or PowerShell DNS commands	Administrative command modifying DNS configuration	High	Often used to configure malicious plugin.
DNSAdmins membership change	User added to DNSAdmins group	Critical	Precursor to attack.

Common Tools

Tool	Usage
dnscmd	Configures ServerLevelPluginDll parameter for DNS server.
PowerShell DNS cmdlets	Used to manipulate DNS server configuration.
PowerView	Enumerates DNSAdmins privileges.
Impacket	Used to execute commands on domain controllers.
Custom DLL payloads	Executed within dns.exe process context.

Relevant Artifacts

Domain controller Security logs (4728, 5136, 4688)
System logs (7036 service state changes)
Registry modifications for DNS configuration
Sysmon logs (7 image load events)
EDR telemetry identifying DLL injection
DNS server operational logs
Prefetch artifacts for dnscmd or PowerShell execution
File system artifacts for malicious DLL

MITRE ATT&CK References

T1548 Abuse Elevation Control Mechanism
T1574.002 DLL Side-Loading
T1059 Command and Scripting Interpreter

Decision Tree

Is the suspicious event present?
- Identify DNSAdmins group modification or DNS configuration changes.
What host generated the event?
- Determine which system executed DNS configuration commands.
Is the account expected to perform this action?
- Investigate whether account normally administers DNS.
Pivot:
- Source host → inspect execution of dnscmd or PowerShell.
- Registry → check ServerLevelPluginDll configuration.
- Service events → review DNS service restart activity.
Confirm exploitation
- Determine whether dns.exe loaded attacker-controlled DLL.

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4728
| where TargetUserName == "DNSAdmins"

SecurityEvent
| where EventID == 4688
| where Process has "dnscmd"

EQL

any where event.code == "4688"

Sigma

title: DNSAdmins DLL Injection Attempt
id: dnsadmins-dll-injection
status: experimental
description: Detects potential abuse of DNSAdmins to load malicious plugin DLL
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    CommandLine|contains: dnscmd
  condition: selection
fields:
  - CommandLine
  - SubjectUserName
falsepositives:
  - Legitimate DNS administrative activity
level: high
tags:
  - attack.privilege_escalation

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Group membership	Restrict DNSAdmins membership	Critical	Limits privilege escalation path.
Monitoring	Alert on ServerLevelPluginDll modifications	High	Detects attack configuration.
Service protection	Monitor dns.exe module loads	High	Detects malicious DLL execution.
Least privilege	Limit DNS administrative permissions	High	Reduces attack surface.
Threat hunting	Review DNS server configuration changes	Medium	Identifies suspicious modifications.