Adding DnsAdmins as kberkheiser pointed out it was missing #3

Merged
merged 1 commit into from
Jan 31, 2024
Merged
4 changes: 4 additions & 0 deletions TierZeroTable.csv
Expand Up @@ -55,6 +55,10 @@ The Domain Controllers group applies to the Windows Server operating system in D
There are no known ways to abuse membership in this group to compromise Tier Zero. However, the GetChangesAll privilege is considered a security dependency that should only be held by Tier Zero principals. Additionally, control over the group allows one to impact the operability of Tier Zero by removing domain controllers from the group, which breaks AD replication. The group is therefore considered Tier Zero.";YES;YES;1;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#domain-controllers
Domain Controllers (OU);AD OU;Active Directory;DistinguishedName: OU=Domain Controllers,<Domain DN>;When domain controllers are added to the domain, their computer objects are automatically added to the Domain Controller OU. This OU has a default set of policies applied to it. To ensure that these policies are applied uniformly to all domain controllers, we recommend that you not move the computer objects of the domain controllers out of this OU. Failure to apply the default policies can cause a domain controller to fail to function properly.;YES - Takeover;N/A - Compromise by default;YES;Inheritance is not disabled by default on DCs and RODCs, which means they can inherit permissions placed on the Domain Controllers OU. An attacker could thereby grant themselves GenericAll on DCs and RODCs, which enable the attacker to perform a domain compromise. If the attacker has the privilege to create or modify GPOs, the attacker could compromise DCs with a malicious GPO. For these reasons, the Domain Controllers OU is Tier Zero.;NO;NO;2;https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-of-default-containers-and-ous#domain-controller-ou
Domain root object;AD domain;Active Directory;Top object in the Default Naming Context;A Domain root object represents the AD domain. It contains all AD objects in the Default Naming Context.;YES - Takeover;N/A - Compromise by default;YES;An attacker with control over the domain root object can compromise the domain in multiple ways, for example by a DCSync attack (see reference). The domain root object is therefore Tier Zero.;NO;NO;2;https://adsecurity.org/?p=1729
DnsAdmins;AD group;Active Directory;S-1-5-21-<domain>-<variable RI>;"Members of the DnsAdmins group have access to network DNS information. The default permissions are Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.

For more information about security and DNS, see DNSSEC in Windows Server 2012.";YES - Takeover;NO;YES;Users from the DnsAdmins group could use a “feature” in the Microsoft DNS management protocol to make the DNS service load any DLL. This service runs on Domain Controllers as NT AuthoritySystem, allowing DnsAdmins to escalate privileges to SYSTEM on DC (with permissions equal at least to Domain Admins).;NO;NO;2;"https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-groups#dnsadmins
https://www.semperis.com/blog/dnsadmins-revisited/"
Enterprise Admins;AD group;Active Directory;SID: S-1-5-21-<root domain>-519;"The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. The group is a Universal group if the domain is in native mode. The group is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, like adding child domains.

By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access to configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Members of the default service administrator groups in the root domain can modify Enterprise Admins membership. This group is considered a service administrator account.
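Review bot: In the new DnsAdmins row, the rationale text reads "NT AuthoritySystem", which looks like a lost backslash; it should read "NT Authority\System" (or the canonical "NT AUTHORITY\SYSTEM") so the account name is recognisable. Two smaller consistency points in the same row: the identification column gives "S-1-5-21-<domain>-<variable RI>" without the "SID: " prefix that the neighbouring Enterprise Admins row uses ("SID: S-1-5-21-<root domain>-519"), and since the second reference is titled "dnsadmins-revisited", the rationale should state plainly whether the DLL-loading path it describes is still current or has been addressed by Microsoft, so readers of the table know why the row is rated the way it is.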