Windows Set Custom DNS ServerLevelPlugin Via Dnscmd

Splunk Security Content

Summary
Detects command-line usage of the Windows dnscmd.exe tool to configure the DNS ServerLevelPluginDll setting. This setting allows the DNS service to load an arbitrary DLL, which attackers holding DNS administrative privileges can abuse to execute code within the DNS service process. Such activity can enable persistence, privilege escalation, or domain controller compromise through malicious DLL loading. The rule looks for dnscmd.exe invocations whose arguments match config and serverlevelplugindll, and correlates rich process metadata (including process name, path, hash, parent process, user, vendor_product, and other CIM-normalized fields) to differentiate legitimate maintenance from abuse. Data sources include Sysmon EventID 1, Windows Event Log Security 4688 (process creation), and CrowdStrike ProcessRollup2. The detection maps to the Endpoint data model (Processes) and uses CIM normalization to facilitate rapid investigation and cross-source correlation. To reduce false positives, consider filtering legitimate administrative actions, such as changes made during maintenance windows or approved DNS server configurations.
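The following is an added example, not part of the Splunk Security Content rule or its SPL. It replays the logic described above against a handful of constructed process-creation records shaped like CIM-normalized Endpoint.Processes events (field names process_name, process, parent_process_name, user, dest), flags dnscmd.exe invocations whose arguments contain config and serverlevelplugindll, and then applies an assumed allow-list (approved operator plus approved plugin directory) to model the false-positive filtering the summary recommends. Every sample value, the allow-list and the helper names are assumptions.

```python
"""Added example (not the rule's own code): offline analogue of the
dnscmd.exe ServerLevelPluginDll detection, run over constructed records."""
import re

# Constructed sample records, not real telemetry. Field names follow the
# CIM Endpoint.Processes fields the summary lists; values are invented.
SAMPLE_EVENTS = [
    {"process_name": "dnscmd.exe",
     "process": r"dnscmd.exe /config /serverlevelplugindll C:\Windows\System32\dns\approved_plugin.dll",
     "parent_process_name": "cmd.exe", "user": r"CORP\dnsadmin", "dest": "dc01"},
    {"process_name": "dnscmd.exe",
     "process": r"dnscmd.exe /config /serverlevelplugindll C:\Users\Public\plugin.dll",
     "parent_process_name": "powershell.exe", "user": r"CORP\svc_backup", "dest": "dc01"},
    {"process_name": "DNSCMD.EXE",
     "process": r'DNSCMD.EXE /Config /ServerLevelPluginDll "C:\Program Files\DNS Plugins\x.dll"',
     "parent_process_name": "cmd.exe", "user": r"CORP\dnsadmin", "dest": "dc02"},
    {"process_name": "dnscmd.exe", "process": "dnscmd.exe /info",
     "parent_process_name": "cmd.exe", "user": r"CORP\dnsadmin", "dest": "dc01"},
    {"process_name": "notepad.exe", "process": "notepad.exe serverlevelplugindll.txt",
     "parent_process_name": "explorer.exe", "user": r"CORP\alice", "dest": "ws07"},
]

# Assumed allow-list modelling the "approved DNS server configurations"
# exception: an approved operator AND an approved plugin directory are
# both required before a match is suppressed.
ALLOWED_USERS = {"corp\\dnsadmin"}
ALLOWED_DLL_DIRS = ("c:\\windows\\system32\\dns\\",)

# Quoted or unquoted path that follows the serverlevelplugindll argument.
_DLL_ARG = re.compile(r'serverlevelplugindll\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def matches_rule(event):
    """Core rule from the summary: dnscmd.exe whose arguments contain both
    'config' and 'serverlevelplugindll' (case-insensitive)."""
    cmd = event.get("process", "").lower()
    return (event.get("process_name", "").lower() == "dnscmd.exe"
            and "config" in cmd and "serverlevelplugindll" in cmd)


def extract_plugin_dll(command_line):
    """Return the DLL path passed to /serverlevelplugindll, or None."""
    m = _DLL_ARG.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_approved(event, dll_path):
    """Allow-list check: known operator writing into an approved directory."""
    user_ok = event.get("user", "").lower() in ALLOWED_USERS
    dir_ok = dll_path is not None and dll_path.lower().startswith(ALLOWED_DLL_DIRS)
    return user_ok and dir_ok


def classify(event):
    """'no_match', 'filtered' (matched but allow-listed) or 'alert'."""
    if not matches_rule(event):
        return "no_match"
    dll = extract_plugin_dll(event["process"])
    return "filtered" if is_approved(event, dll) else "alert"


def run_detection(events):
    """Return one alert record per matching, non-allow-listed event, carrying
    the context fields an analyst would pivot on first."""
    alerts = []
    for ev in events:
        if classify(ev) == "alert":
            alerts.append({
                "dest": ev.get("dest"),
                "user": ev.get("user"),
                "parent_process_name": ev.get("parent_process_name"),
                "plugin_dll": extract_plugin_dll(ev["process"]),
                "technique": "T1574",
            })
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Of the five records, the first is suppressed by the allow-list, the second and third raise alerts (an unapproved user in one case, an unapproved plugin directory in the other), and the last two never match the core rule. Requiring both user and directory to be approved keeps the exception narrow; widening it to "any DNS admin" would also hide the third record, which is exactly the kind of change the rule exists to surface.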
Categories
  • Endpoint
  • Windows
Data Sources
  • Windows Registry
  • Process
  • File
  • Logon Session
ATT&CK Techniques
  • T1574
Created: 2026-04-13