This module exploits a feature in the DNS service of Windows Server. Members of the DnsAdmins group can use
dnscmd.exe to set the `ServerLevelPluginDll` registry value under `HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\`
so that it points to an arbitrary DLL. After doing so, restarting the service
will load the DLL and cause it to execute, providing us with SYSTEM privileges. Increasing WfsDelay is recommended
when using a UNC path.

Users should note that if the DLLPath variable of this module is set to a UNC share that does not exist,
the DNS server on the target will not be able to restart. Similarly, if a UNC share is not used and
the DLL is instead dropped onto the disk of the target computer, and Anti-Virus picks it up
after the timeout specified by `AVTIMEOUT` expires, it's possible that the `ServerLevelPluginDll` value of the
`HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters\` key on the target computer will point to a nonexistent DLL,
which will also prevent the DNS server from being able to restart. Users are advised to refer to the documentation for
this module for advice on how to resolve this issue should it occur.
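
An added example, not part of the module or its documentation: a PowerShell check that a DNS server administrator can run to see whether `ServerLevelPluginDll` is set and whether the DLL it names can be found, which is the condition described above that keeps the DNS service from restarting. The function name `Test-DnsServerLevelPlugin` and the wording of the findings are assumptions made for this example.

```powershell
# Added example: audit the ServerLevelPluginDll value on a Windows DNS server.
# Run locally on the DNS server in an elevated PowerShell session.
function Test-DnsServerLevelPlugin {
    [CmdletBinding()]
    param(
        # Registry key named in the module description, in PowerShell provider form.
        [string]$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
    )

    $result = [ordered]@{
        ValuePresent = $false
        DllPath      = $null
        IsUncPath    = $false
        FileExists   = $false
        Signature    = 'NotChecked'
        Finding      = 'ServerLevelPluginDll is not set.'
    }

    # Returns $null when the key or the value does not exist.
    $props = Get-ItemProperty -Path $KeyPath -Name 'ServerLevelPluginDll' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return [pscustomobject]$result }

    $dll = [string]$props.ServerLevelPluginDll
    $result.ValuePresent = $true
    $result.DllPath      = $dll
    $result.IsUncPath    = $dll.StartsWith('\\')
    # Checked as the current user; the DNS service itself runs as SYSTEM,
    # so access to a UNC share can differ from what is seen here.
    $result.FileExists   = Test-Path -LiteralPath $dll -PathType Leaf

    if (-not $result.FileExists) {
        $result.Finding = 'Value points to a DLL that cannot be found; the DNS service may fail to restart.'
    }
    else {
        $result.Signature = (Get-AuthenticodeSignature -LiteralPath $dll).Status.ToString()
        if ($result.IsUncPath) {
            $result.Finding = 'Plugin DLL is loaded from a UNC path; confirm that this is expected.'
        }
        elseif ($result.Signature -ne 'Valid') {
            $result.Finding = 'Plugin DLL has no valid Authenticode signature; confirm that this is expected.'
        }
        else {
            $result.Finding = 'Plugin DLL is present locally and signed; confirm that it is an approved plugin.'
        }
    }
    [pscustomobject]$result
}

Test-DnsServerLevelPlugin | Format-List
```
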

This module has only been tested and confirmed to work on Windows Server 2019 Standard Edition; however, it should work against any Windows
Server version up to and including Windows Server 2019.
- Shay Ber
- Imran E. Dawoodjee <email@example.com>