Tags: active directory, dnsadmins abuse, for administrators

DnsAdmins is Tier-0: a DLL that runs as SYSTEM on your DC

A DnsAdmins member can point the DNS service at an attacker DLL and load it as SYSTEM on a domain controller. The restart is the weapon, so clear the value first.

DnsAdmins looks like a helpdesk-grade role for managing DNS. But on a domain controller the DNS Server service runs as SYSTEM, and a DnsAdmins member can tell that service which DLL to load, which turns the group into something far more dangerous.

How the attack works

A member of DnsAdmins sets the ServerLevelPluginDll value under the DNS service's Parameters key, typically through dnscmd, which talks to the DNS server over RPC so no direct registry permission is needed. The value points at an attacker-supplied DLL on a network share that the DC's machine account can read (SYSTEM reaches the network as the computer account). Nothing happens yet: dns.exe reads the value only at service start. When the DNS service next restarts, whether through a reboot, a maintenance restart, or an attacker who also holds start/stop rights on the service (DnsAdmins membership alone does not grant them by default), dns.exe loads the DLL and runs its entry point as SYSTEM, giving the attacker SYSTEM code execution on the domain controller. From there the DLL spawns a SYSTEM process and performs Tier-0 actions such as credential access and persistence. A DLL that lacks the plugin exports the service expects still runs its payload but then leaves the DNS service unable to start, so an unexplained DNS start failure right after a restart is itself a signal. In ATT&CK terms this is T1059, Command and Scripting Interpreter, paired with T1543, Create or Modify System Process.

Why it works

Managing DNS on a domain controller is effectively DC-admin adjacent, yet DnsAdmins is routinely treated as a low-tier role and handed out freely. ServerLevelPluginDll is a legitimate, documented plugin hook that loads arbitrary code into dns.exe, the DNS server ships with it unset, and the DNS management interface lets any DnsAdmins member write it. Nothing in the default configuration distinguishes a vendor plugin from an attacker's DLL.
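As an added example (not code from the original page), the following PowerShell audits the exposure described above from a domain-joined admin workstation: who is effectively in DnsAdmins, whether ServerLevelPluginDll is set on any domain controller, and which principals hold start/stop rights on the DNS service. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; those are assumptions, not something the page states. It is read-only.

```powershell
# Added example: audit DnsAdmins exposure across all domain controllers.
# Assumes RSAT ActiveDirectory module and PowerShell remoting to the DCs
# (assumption, not from the original page). Changes nothing.
Import-Module ActiveDirectory

$pluginKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

# 1. Effective DnsAdmins membership, nested groups expanded. Anything here is Tier-0.
$members = Get-ADGroupMember -Identity 'DnsAdmins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
Write-Host "DnsAdmins effective members ($($members.Count)):"
$members | ForEach-Object { Write-Host "  $_" }

# 2. On every DC: is the plugin value set, and who may start/stop the DNS service?
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$results = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $pluginKey -ScriptBlock {
        param($key)
        # The value exactly as dns.exe will read it at its next start; $null means unset.
        $dll = (Get-ItemProperty -Path $key -Name ServerLevelPluginDll -ErrorAction SilentlyContinue).ServerLevelPluginDll
        # Service DACL in SDDL. RP = start, WP = stop. DnsAdmins should not appear with those.
        $sddl = (sc.exe sdshow DNS | Where-Object { $_ -match 'D:' }).Trim()
        [pscustomobject]@{
            DC                   = $env:COMPUTERNAME
            ServerLevelPluginDll = $dll
            DnsServiceSDDL       = $sddl
        }
    }
}
$results | Format-Table DC, ServerLevelPluginDll, DnsServiceSDDL -AutoSize

# Microsoft DNS ships with ServerLevelPluginDll unset, so any value is a finding.
$armed = $results | Where-Object { $_.ServerLevelPluginDll }
if ($armed) {
    Write-Warning ("ServerLevelPluginDll is set on: {0}. Do NOT restart DNS there until it is reviewed and cleared." -f ($armed.DC -join ', '))
}
```

Compare the SDDL against your domain's DnsAdmins SID: if that SID carries RP/WP, a DnsAdmins member can both arm the value and pull the trigger without waiting for a reboot.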

How to fix it

The scenario teaches the non-obvious sequence: the restart is the trigger, so you must delete the ServerLevelPluginDll value before any restart or reboot, then restart DNS cleanly and isolate the DC. Restarting first to "clean up" the configuration is exactly how the payload loads. Removing the user from DnsAdmins without clearing the value leaves it armed. Clearing the value is not enough on its own either: if the service was already restarted after the write, the DLL is already inside dns.exe and the damage is done; a subsequent restart unloads it but does not undo it.

The durable fix is to treat DnsAdmins as Tier-0: minimize membership, keep start/stop rights on the DNS service away from DnsAdmins, restrict who can write the DNS service's Parameters key, remove DNS admin rights from accounts that do not strictly need them, and monitor ServerLevelPluginDll continuously (the value should simply never be set on a DC that runs no DNS plugin).

To confirm whether the payload actually ran, correlate three things: the registry write (Security 4657 with a SACL on the Parameters key, or Sysmon Event 13 on the value), the DNS Server service state change in the System log (Event 7036), and process creation with dns.exe as the parent (Sysmon Event 1 or Security 4688); dns.exe normally spawns nothing, so any SYSTEM child is the smoking gun. If the DLL ran, assume domain identity compromise and plan KRBTGT and credential rotation.
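The following PowerShell is an added example, not code from the original page, that carries out the sequence above on the affected DC in the right order: preserve the armed value and DLL hash for the investigation, remove the value, prove it is gone through both the registry and the DNS server's own view, and only then restart the service. It then pulls the events needed to decide whether the payload already ran. It assumes Sysmon is installed and forwarding to the local Microsoft-Windows-Sysmon/Operational log and that C:\IR is an acceptable evidence location; both are assumptions, as is the 30-day lookback.

```powershell
# Added example: disarm ServerLevelPluginDll BEFORE restarting DNS, then check
# whether it already fired. Run locally on the affected DC as an administrator.
# Assumptions (not from the original page): Sysmon is installed; C:\IR is writable.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$name  = 'ServerLevelPluginDll'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$evidenceDir = "C:\IR\dnsadmins-$stamp"
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

# 1. Preserve the value and, if still reachable, the DLL and its hash. Touch nothing else yet.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
"$name = '$current'" | Set-Content -Path "$evidenceDir\plugin-value.txt"
if ($current -and (Test-Path -LiteralPath $current -ErrorAction SilentlyContinue)) {
    Copy-Item -LiteralPath $current -Destination $evidenceDir -ErrorAction SilentlyContinue
    Get-FileHash -LiteralPath $current -Algorithm SHA256 | Out-File -FilePath "$evidenceDir\plugin-dll-hash.txt"
}

# 2. Disarm: remove the value, then verify via the registry AND the DNS RPC interface,
#    since dnscmd is how the attacker set it and how a reviewer will look for it.
if ($current) { Remove-ItemProperty -Path $key -Name $name }
$regCheck = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$rpcCheck = dnscmd.exe /info /serverlevelplugindll
if ($regCheck) { throw "ServerLevelPluginDll still set ('$regCheck'); do not restart DNS." }
Write-Host "Registry value cleared. dnscmd view:`n$($rpcCheck -join "`n")"

# 3. Only now is a restart safe: dns.exe has nothing left to load.
Restart-Service -Name DNS -Force

# 4. Did it already run? Build a timeline of write -> restart -> children of dns.exe.
$since  = (Get-Date).AddDays(-30)
$sysmon = 'Microsoft-Windows-Sysmon/Operational'
# Sysmon 13: registry value set, narrowed to the plugin value.
$writes = @(Get-WinEvent -FilterHashtable @{ LogName = $sysmon; Id = 13; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ServerLevelPluginDll' })
# System 7036: the DNS Server service changed state. Each restart is a potential trigger pull.
$restarts = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'DNS Server' })
# Sysmon 1: any process whose parent is dns.exe. A clean DNS server spawns nothing.
$children = @(Get-WinEvent -FilterHashtable @{ LogName = $sysmon; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ParentImage:\s+.*\\dns\.exe' })

$writes + $restarts + $children |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } } |
    Tee-Object -FilePath "$evidenceDir\timeline.txt" |
    Format-Table -AutoSize

if ($children.Count -gt 0) {
    Write-Warning 'dns.exe spawned child processes: assume domain identity compromise and plan KRBTGT and credential rotation.'
} elseif ($writes.Count -gt 0 -and $restarts.Count -eq 0) {
    Write-Host 'Value was written but no DNS restart is recorded in the window: the payload most likely never loaded.'
}
```

Read the timeline for ordering, not just presence: a Sysmon 13 write followed by a 7036 state change and then a Sysmon 1 with dns.exe as parent is the full kill chain; a write with no later restart means the trap was set but not sprung, which is exactly the state this procedure is designed to leave you in.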

Practice it

We built this as a GraphLattice Range scenario so administrators can rehearse clearing the plugin value before the restart, confirming from the event trail whether it already fired, and governing DnsAdmins as Tier-0.