Abusing DNS Admin Membership by DLL Injection in “dns.exe” for PrivEsc in Active Directory
Resolute was a medium level Windows computer that included a list of users and login discoveries for the SMB system. This password has been pulsed into the SMB login via hydra to the usernames identified. The listing of the privilege escalation led us to another member of the DnsAdmins group. Then, by violating his admin’s right to charge the DLL injection to obtain the Admin shell.
dll injection dnscmd.exe smbserver.py