DNS Admins Revisited—Achieving Privileged Persistence on a DC


In a 2017 post on Medium, security researcher Shay Ber showed that members of the DNSAdmins group could abuse a feature of the Microsoft DNS management protocol (MS-DNSP) to make the DNS service load an arbitrary DLL: the caller sets the ServerLevelPluginDll server setting (for example with dnscmd /config /serverlevelplugindll), and the service loads the named DLL the next time it starts. On Domain Controllers this service runs as NT AUTHORITY\SYSTEM, so a DNSAdmins member can escalate to SYSTEM on a DC, which is at least equivalent to Domain Admins. This "cute trick," as Ber called it, is useful for Red Teams exploring AD privilege escalation and is also a potential backdoor into a domain controller for an attacker.

In this presentation, I'll expand on Shay Ber's research by showing how to overcome a problem with the previous technique and how to make it stealthier. I'll also review the permissions required, to show that an adversary could use this tactic to leave a backdoor on a DC that would likely go unnoticed and might bypass some detection tools.
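A defender reading the abstract above will want to know whether any DC in their domain already carries the setting the technique relies on. The following PowerShell audit is an added example, not code from the talk or from Shay Ber's post. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can query AD and reach each DC over WinRM, and that the DNS service stores the value under the registry path shown; the group name DnsAdmins is the built-in group's sAMAccountName.

```powershell
# Added audit script (not part of the original talk or post).
# Assumptions: ActiveDirectory (RSAT) module available, WinRM access to every DC,
# and the DNS service keeps its ServerLevelPluginDll setting under the key below.
Import-Module ActiveDirectory

# 1. Who can reach the DNS management interface as a DnsAdmins member?
#    -Recursive expands nested groups so indirect members are not missed.
$dnsAdmins = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
"DnsAdmins members: $($dnsAdmins -join ', ')"

# 2. Is any DC configured to load a plugin DLL?
#    The setting written by 'dnscmd <dc> /config /serverlevelplugindll <path>'
#    lands here; a non-empty value means the next DNS service start loads that
#    DLL as SYSTEM.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    param($path)
    $dll = (Get-ItemProperty -Path $path -Name ServerLevelPluginDll `
            -ErrorAction SilentlyContinue).ServerLevelPluginDll
    [pscustomobject]@{
        DC        = $env:COMPUTERNAME
        PluginDll = $dll
        Suspect   = -not [string]::IsNullOrEmpty($dll)
    }
} -ArgumentList $regPath

$results | Sort-Object DC | Format-Table DC, PluginDll, Suspect -AutoSize

# Any row with Suspect = True deserves investigation before the value is cleared:
# note the DLL path and who last had DnsAdmins membership, then remove the value
# on that DC (Remove-ItemProperty -Path $regPath -Name ServerLevelPluginDll)
# and restart the DNS service so the DLL is no longer loaded.
```

Run this from a workstation with RSAT as a domain administrator. Because the DLL is only loaded at service start, a DC that shows a path but has not restarted its DNS service yet is still a finding: the backdoor is armed, not yet triggered.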