T1590.002

DNS

Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.

Microsoft Sentinel / Defender

kusto

let DNSOSINTTools = dynamic([
  "dnsrecon", "dnsrecon.py", "dnsx", "subfinder", "amass", "fierce",
  "fierce.py", "dnsmap", "dnsenum", "dnsenum.pl", "sublist3r",
  "gobuster", "dnstwist", "dnswalk", "masscan", "shuffledns",
  "puredns", "altdns", "knockpy"
]);
let PrivateRanges = dynamic(["10.", "192.168.", "172.16.", "172.17.", "172.18.", "172.19.",
  "172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.",
  "172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.",
  "127.", "169.254."]);
// Branch 1: DNS Zone Transfer Attempts (AXFR/IXFR) against internal DNS servers
let ZoneTransferAlerts = DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType in ("AXFR", "IXFR") or QueryType == "255"
| where not(ClientIP has_any (PrivateRanges))
| extend AlertType = "External DNS Zone Transfer Attempt"
| extend RiskScore = 90
| project TimeGenerated, Computer, ClientIP, Name, QueryType, ResultCode,
         AlertType, RiskScore;
// Branch 2: Bulk ANY/NS/MX/TXT record enumeration from single external IP
let BulkEnumAlerts = DnsEvents
| where TimeGenerated > ago(1h)
| where QueryType in ("NS", "MX", "TXT", "SOA", "255", "AXFR")
| where not(ClientIP has_any (PrivateRanges))
| summarize QueryCount = count(), UniqueNames = dcount(Name),
           QueryTypes = make_set(QueryType), Earliest = min(TimeGenerated),
           Latest = max(TimeGenerated)
  by ClientIP, Computer, bin(TimeGenerated, 10m)
| where QueryCount > 30 or UniqueNames > 20
| extend AlertType = "Bulk External DNS Enumeration"
| extend RiskScore = 70
| project TimeGenerated = Earliest, Computer, ClientIP, QueryCount, UniqueNames,
         QueryTypes, AlertType, RiskScore;
// Branch 3: OSINT reconnaissance tools executed on managed endpoints
let OSINTToolAlerts = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DNSOSINTTools)
    or (FileName in~ ("python.exe", "python3", "python3.exe", "python")
        and ProcessCommandLine has_any ("dnsrecon", "dnsenum", "fierce", "sublist3r", "dnstwist"))
    or (FileName in~ ("nslookup.exe", "nslookup") and ProcessCommandLine has_any ("ls -d", "ls -t", "-type=axfr", "-querytype=axfr", "-q=axfr", "-type=any", "-type=ns", "-type=mx", "-type=txt"))
    or (FileName =~ "dig" and ProcessCommandLine has_any ("axfr", "AXFR", "+short", "ANY", "TXT", "MX", "NS", "DKIM", "_dmarc"))
| extend AlertType = "DNS Enumeration Tool Execution on Endpoint"
| extend RiskScore = 60
| project TimeGenerated = Timestamp, DeviceName, AccountName, FileName,
         ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AlertType, RiskScore;
// Union all branches
union ZoneTransferAlerts, BulkEnumAlerts, OSINTToolAlerts
| sort by TimeGenerated desc

low severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Process: Process Creation Command: Command Execution Windows DNS Server Logs (DnsEvents via Azure Monitor Agent)

Required Tables

DnsEvents DeviceProcessEvents

False Positives

Authorized DNS zone transfers between primary and secondary name servers — legitimate AXFR from secondary NS IP addresses configured for zone replication
Internal IT and security teams running DNS enumeration tools during authorized penetration tests, asset discovery, or DNS hygiene audits
Monitoring and asset management platforms (Qualys, Tenable, Rapid7) that perform DNS enumeration as part of scheduled scans against owned infrastructure
Developers and DevOps engineers using dig or nslookup with ANY/MX/TXT flags to troubleshoot mail delivery, SPF validation, or SSL certificate issues

Splunk

spl

| multisearch
[
  search index=dns sourcetype="stream:dns" (query_type="AXFR" OR query_type="IXFR" OR query_type="255")
  NOT (src_ip="10.*" OR src_ip="192.168.*" OR src_ip="172.16.*" OR src_ip="172.17.*" OR src_ip="172.18.*" OR src_ip="172.19.*" OR src_ip="172.20.*" OR src_ip="172.21.*" OR src_ip="172.22.*" OR src_ip="172.23.*" OR src_ip="172.24.*" OR src_ip="172.25.*" OR src_ip="172.26.*" OR src_ip="172.27.*" OR src_ip="172.28.*" OR src_ip="172.29.*" OR src_ip="172.30.*" OR src_ip="172.31.*" OR src_ip="127.*")
  | eval AlertType="External Zone Transfer Attempt", RiskScore=90
  | eval src=src_ip, dest=dest_ip, query_name=query, qtype=query_type
]
[
  search index=dns sourcetype="stream:dns" (query_type="NS" OR query_type="MX" OR query_type="TXT" OR query_type="SOA" OR query_type="255" OR query_type="ANY")
  NOT (src_ip="10.*" OR src_ip="192.168.*" OR src_ip="172.*" OR src_ip="127.*")
  | eval AlertType="Bulk External DNS Enumeration", RiskScore=70
  | eval src=src_ip, dest=dest_ip, query_name=query, qtype=query_type
  | bucket _time span=10m
  | stats count as QueryCount, dc(query) as UniqueNames, values(query_type) as QueryTypes by src, dest, _time, AlertType, RiskScore
  | where QueryCount > 30 OR UniqueNames > 20
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\dnsrecon*" OR Image="*\\dnsx*" OR Image="*\\subfinder*" OR Image="*\\amass*"
  OR Image="*\\fierce*" OR Image="*\\dnsmap*" OR Image="*\\dnsenum*" OR Image="*\\gobuster*"
  OR Image="*\\altdns*" OR Image="*\\knockpy*"
  OR ((Image="*\\python*" OR Image="*\\python3*") AND (CommandLine="*dnsrecon*" OR CommandLine="*dnsenum*" OR CommandLine="*fierce*" OR CommandLine="*sublist3r*" OR CommandLine="*dnstwist*"))
  OR (Image="*\\nslookup.exe" AND (CommandLine="*-type=axfr*" OR CommandLine="*-q=axfr*" OR CommandLine="*-querytype=axfr*" OR CommandLine="*-type=any*" OR CommandLine="*ls -d*" OR CommandLine="*ls -t*"))
  OR (Image="*\\dig*" AND (CommandLine="*axfr*" OR CommandLine="*AXFR*" OR CommandLine="* any *" OR CommandLine="*_dmarc*" OR CommandLine="* MX *" OR CommandLine="* NS *")))
  | eval AlertType="DNS Enumeration Tool on Endpoint", RiskScore=60
  | eval src=host, query_name=CommandLine
]
| eval log_source=coalesce(sourcetype, "unknown")
| table _time, AlertType, RiskScore, src, dest, query_name, qtype, QueryCount, UniqueNames, host, User, Image, CommandLine, ParentImage
| sort - RiskScore, - _time

low severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Process: Process Creation Command: Command Execution DNS Network Stream Sysmon Event ID 1

Required Sourcetypes

stream:dns XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized DNS zone transfers between primary and secondary name servers — secondary NS IP addresses should be allowlisted
Authorized penetration tests or vulnerability scans using dnsrecon, subfinder, or amass against owned domains
Monitoring and asset discovery platforms (Qualys, Rapid7, Tenable) performing DNS resolution as part of scheduled scans
Developers troubleshooting email delivery issues using dig or nslookup to verify MX, SPF, DKIM, and DMARC records

Elastic Security (EQL)

eql

any where
  /* Branch 1: DNS Zone Transfer Attempt from External Source */
  (
    event.category == "dns" and
    dns.question.type in ("AXFR", "IXFR", "255") and
    not source.ip : ("10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*",
                     "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*",
                     "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*",
                     "172.29.*", "172.30.*", "172.31.*", "127.*", "169.254.*")
  ) or
  /* Branch 2: DNS OSINT Tool or Abuse of Built-in Utilities on Endpoint */
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("dnsrecon", "dnsrecon.py", "dnsx", "subfinder", "amass",
                         "fierce", "fierce.py", "dnsmap", "dnsenum", "dnsenum.pl",
                         "sublist3r", "gobuster", "dnstwist", "dnswalk", "shuffledns",
                         "puredns", "altdns", "knockpy") or
      (
        process.name in~ ("python", "python3", "python.exe", "python3.exe") and
        process.command_line like~ ("*dnsrecon*", "*dnsenum*", "*fierce*",
                                     "*sublist3r*", "*dnstwist*")
      ) or
      (
        process.name in~ ("nslookup", "nslookup.exe") and
        process.command_line like~ ("*-type=axfr*", "*-q=axfr*",
                                     "*-querytype=axfr*", "*-type=any*",
                                     "*ls -d*", "*ls -t*")
      ) or
      (
        process.name == "dig" and
        process.command_line like~ ("*axfr*", "* any *", "*_dmarc*",
                                     "* MX *", "* NS *", "* TXT *")
      )
    )
  )

high severity high confidence

Data Sources

Elastic Agent DNS integration (ECS dns.* event fields) Elastic Endpoint Security agent (ECS process.* fields, event.category=process) Winlogbeat with Sysmon module (EventCode 1 mapped to ECS process.start, EventCode 22 mapped to ECS dns) Packetbeat passive DNS capture (dns.question.type from wire)

Required Tables

logs-endpoint.events.dns-* logs-endpoint.events.process-* winlogbeat-* packetbeat-*

False Positives

Authorized DNS secondary name servers performing legitimate AXFR zone replication where the secondary's IP falls outside RFC1918 ranges (e.g., hosted secondaries in DMZ or cloud)
Security engineers running subfinder, amass, or gobuster on corporate endpoints for authorized external attack surface management scans against the organization's own domains
DNS monitoring or IPAM platforms (Infoblox, BlueCat) that invoke dig or nslookup binaries with NS/MX/SOA arguments as part of automated zone health checks
DevOps CI/CD pipeline agents executing dig with MX or NS flags during infrastructure provisioning validation steps

IBM QRadar (AQL)

sql

/* Branch 1: External DNS Zone Transfer Requests (AXFR/IXFR) */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  'External Zone Transfer Attempt' AS AlertType,
  90 AS RiskScore,
  sourceip AS SourceIP,
  destinationip AS DestIP,
  QIDNAME(qid) AS EventName,
  CATEGORYNAME(highLevelCategory) AS Category,
  UTF8(payload) AS RawEvent
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (15, 352, 192, 434)
  AND (
    UTF8(payload) ILIKE '%AXFR%' OR
    UTF8(payload) ILIKE '%IXFR%' OR
    UTF8(payload) ILIKE '%type=255%' OR
    UTF8(payload) ILIKE '%qtype=AXFR%'
  )
  AND NOT (
    INCIDR('10.0.0.0/8', sourceip) OR
    INCIDR('192.168.0.0/16', sourceip) OR
    INCIDR('172.16.0.0/12', sourceip) OR
    INCIDR('127.0.0.0/8', sourceip) OR
    INCIDR('169.254.0.0/16', sourceip)
  )
  AND starttime > NOW() - 86400000

UNION ALL

/* Branch 2: Bulk External DNS Enumeration — NS/MX/TXT/SOA/ANY volume threshold */
SELECT
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  'Bulk External DNS Enumeration' AS AlertType,
  70 AS RiskScore,
  sourceip AS SourceIP,
  destinationip AS DestIP,
  CONCAT('QueryCount=', LONG(COUNT(*)), ' UniqueNames=', LONG(UNIQUECOUNT(UTF8(payload)))) AS EventName,
  'DNS Reconnaissance' AS Category,
  CONCAT('bulk_dns_count=', LONG(COUNT(*)), ' src=', TEXT(sourceip)) AS RawEvent
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (15, 352, 192, 434)
  AND (
    UTF8(payload) ILIKE '% NS %' OR
    UTF8(payload) ILIKE '% MX %' OR
    UTF8(payload) ILIKE '% TXT %' OR
    UTF8(payload) ILIKE '% SOA %' OR
    UTF8(payload) ILIKE '% ANY %'
  )
  AND NOT (
    INCIDR('10.0.0.0/8', sourceip) OR
    INCIDR('192.168.0.0/16', sourceip) OR
    INCIDR('172.16.0.0/12', sourceip) OR
    INCIDR('127.0.0.0/8', sourceip)
  )
  AND starttime > NOW() - 3600000
GROUP BY sourceip, destinationip,
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm')
HAVING COUNT(*) > 30

UNION ALL

/* Branch 3: DNS OSINT Tool Execution — Windows Security/Sysmon Process Create */
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  'DNS Enumeration Tool on Endpoint' AS AlertType,
  60 AS RiskScore,
  sourceip AS SourceIP,
  NULL AS DestIP,
  username AS EventName,
  'Endpoint Process Execution' AS Category,
  UTF8(payload) AS RawEvent
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (13, 434)
  AND QIDNAME(qid) ILIKE '%process%create%'
  AND (
    UTF8(payload) ILIKE '%dnsrecon%' OR
    UTF8(payload) ILIKE '%subfinder%' OR
    UTF8(payload) ILIKE '%amass%' OR
    UTF8(payload) ILIKE '%dnsenum%' OR
    UTF8(payload) ILIKE '%fierce%' OR
    UTF8(payload) ILIKE '%dnsmap%' OR
    UTF8(payload) ILIKE '%gobuster%' OR
    UTF8(payload) ILIKE '%altdns%' OR
    UTF8(payload) ILIKE '%knockpy%' OR
    UTF8(payload) ILIKE '%shuffledns%' OR
    UTF8(payload) ILIKE '%puredns%' OR
    UTF8(payload) ILIKE '%sublist3r%' OR
    UTF8(payload) ILIKE '%dnstwist%'
  )
  AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, EventTime DESC
LIMIT 1000

high severity medium confidence

Data Sources

Microsoft DNS Server debug logs (LOGSOURCETYPEID 15 — verify in deployment) BIND/named query logs via syslog (LOGSOURCETYPEID 352 — verify in deployment) Windows Security Event Log EventID 4688 process creation (LOGSOURCETYPEID 13) Sysmon EventID 1 process creation via Windows Event Log (LOGSOURCETYPEID 434)

Required Tables

events

False Positives

Secondary DNS server IPs hosted in a DMZ or cloud segment that are not covered by the INCIDR RFC1918 exclusions, triggering false zone transfer alerts during legitimate replication
Network vulnerability scanners (Qualys, Tenable, Rapid7) performing scheduled external DNS record enumeration as part of authorized attack surface assessments
IPAM or DNS management tools performing automated NS/MX/SOA health checks at high frequency that exceed the Branch 2 bulk enumeration COUNT threshold
Authorized penetration testers or red team operators whose source IPs and endpoint hostnames are not suppressed in the detection rule during an active engagement window

Sumo Logic CSE

sql

(_sourceCategory=*dns* OR _sourceCategory=*sysmon* OR _sourceCategory=*windows/events* OR _sourceCategory=*endpoint*)

/* Normalize raw message for multi-source pattern matching */
| parse "*" as raw_msg

/* Branch 1: Zone Transfer keyword detection */
| eval zone_xfer = if(
    raw_msg matches "*AXFR*" or raw_msg matches "*IXFR*" or raw_msg matches "*type=255*",
    "true", "false")

/* Branch 2: Known DNS OSINT tool names in process or command-line fields */
| eval tool_exec = if(
    raw_msg matches "*dnsrecon*" or raw_msg matches "*subfinder*" or
    raw_msg matches "*amass*" or raw_msg matches "*dnsenum*" or
    raw_msg matches "*fierce*" or raw_msg matches "*dnsmap*" or
    raw_msg matches "*gobuster*" or raw_msg matches "*altdns*" or
    raw_msg matches "*knockpy*" or raw_msg matches "*shuffledns*" or
    raw_msg matches "*puredns*" or raw_msg matches "*sublist3r*" or
    raw_msg matches "*dnstwist*",
    "true", "false")

/* Keep only events matching at least one branch */
| where zone_xfer = "true" or tool_exec = "true"

/* Extract source IP with fallback across common field label styles */
| parse regex field=raw_msg "(?i)(?:src_ip|src|source|client|ClientIP|clientip)[=:\s]+(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop

/* Suppress zone transfer alerts originating from RFC1918 / loopback ranges */
| where not (zone_xfer = "true" and (
    src_ip matches "10.*" or src_ip matches "192.168.*" or
    src_ip matches "172.16.*" or src_ip matches "172.17.*" or
    src_ip matches "172.18.*" or src_ip matches "172.19.*" or
    src_ip matches "172.20.*" or src_ip matches "172.21.*" or
    src_ip matches "172.22.*" or src_ip matches "172.23.*" or
    src_ip matches "172.24.*" or src_ip matches "172.25.*" or
    src_ip matches "172.26.*" or src_ip matches "172.27.*" or
    src_ip matches "172.28.*" or src_ip matches "172.29.*" or
    src_ip matches "172.30.*" or src_ip matches "172.31.*" or
    src_ip matches "127.*" or src_ip matches "169.254.*"
  ))

/* Assign alert classification and risk score */
| eval AlertType = if(zone_xfer = "true",
    "External Zone Transfer Attempt",
    "DNS Enumeration Tool on Endpoint")
| eval RiskScore = if(zone_xfer = "true", 90, 60)

/* Extract device/host identifier across common log formats */
| parse regex field=raw_msg "(?i)(?:Computer|ComputerName|hostname|host|device)[=:\s]+(?P<device>[\w\-\.]+)" nodrop

| fields _messagetime, AlertType, RiskScore, device, src_ip, _sourceCategory, raw_msg
| sort by RiskScore desc, _messagetime desc

high severity medium confidence

Data Sources

Windows DNS Server debug logs collected via Sumo Logic Windows Agent BIND/named query logs via syslog collection (_sourceCategory=*dns*) Sysmon EventID 1 (Process Create) via Sumo Logic Windows Agent (_sourceCategory=*sysmon*) Windows Security EventID 4688 (Process Create) via Sumo Logic Windows Agent (_sourceCategory=*windows/events*)

Required Tables

_sourceCategory=*dns* _sourceCategory=*sysmon* _sourceCategory=*windows/events* _sourceCategory=*endpoint*

False Positives

Secondary or slave DNS servers performing authorized AXFR zone replication from IPs in non-RFC1918 segments (hosted DNS, anycast secondaries) not covered by the wildcard exclusion list
SOC analyst workstations running DNS OSINT tools (dnsrecon, amass) during active threat hunting or investigation workflows against external targets
IPAM and DNS management platforms (Infoblox, BlueCat) whose automated NS/MX/SOA health checks appear in process creation logs when they shell out to dig or nslookup
DevOps CI/CD pipeline agents invoking dig or nslookup with NS/MX arguments during infrastructure validation steps, generating endpoint process logs that match the tool_exec branch

Google Chronicle / SecOps

yaral

// Rule 1: External DNS Zone Transfer Attempt (AXFR/IXFR/ANY from non-RFC1918 sources)
rule t1590_002_dns_zone_transfer_external {
  meta:
    author = "Detection Engineer"
    description = "Detects AXFR, IXFR, or ANY DNS queries arriving from non-RFC1918 source IPs"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.002"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Authorized secondary DNS replication from hosted or DMZ name servers"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    (
      $e.network.dns.questions.type = "AXFR" or
      $e.network.dns.questions.type = "IXFR" or
      $e.network.dns.questions.type = "ANY"
    )
    not net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.principal.ip, "127.0.0.0/8")
    not net.ip_in_range_cidr($e.principal.ip, "169.254.0.0/16")

  condition:
    $e
}

// Rule 2: DNS OSINT Tool or Built-in Utility Abused for Enumeration on Endpoint
rule t1590_002_dns_osint_tool_execution {
  meta:
    author = "Detection Engineer"
    description = "Detects execution of DNS reconnaissance tools or abuse of nslookup/dig with AXFR/enumeration arguments"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.002"
    severity = "HIGH"
    priority = "HIGH"
    false_positives = "Authorized red team operators, security engineers running attack surface tooling"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.principal.process.file.full_path,
        `(?i)(dnsrecon|dnsx|subfinder|amass|fierce|dnsmap|dnsenum|gobuster|dnstwist|dnswalk|shuffledns|puredns|altdns|knockpy)(\.py|\.pl)?$`)
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)python[23]?(\.exe)?$`) and
        re.regex($e.principal.process.command_line, `(?i)(dnsrecon|dnsenum|fierce|sublist3r|dnstwist)`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)nslookup(\.exe)?$`) and
        re.regex($e.principal.process.command_line, `(?i)(-type=axfr|-q=axfr|-querytype=axfr|-type=any|ls\s+-[dt])`)
      )
      or
      (
        re.regex($e.principal.process.file.full_path, `(?i)(^|[/\\])dig(\.exe)?$`) and
        re.regex($e.principal.process.command_line, `(?i)(axfr|_dmarc|\sMX\s|\sNS\s|\sTXT\s|\+short)`)
      )
    )

  condition:
    $e
}

// Rule 3: Bulk External DNS Enumeration — NS/MX/TXT/SOA/ANY volume over 10-minute window
rule t1590_002_bulk_dns_enumeration {
  meta:
    author = "Detection Engineer"
    description = "Detects bulk NS/MX/TXT/SOA/ANY queries from a single external IP exceeding 30 events or 20 unique names in a 10-minute window"
    mitre_attack_tactic = "Reconnaissance"
    mitre_attack_technique = "T1590.002"
    severity = "MEDIUM"
    priority = "MEDIUM"
    false_positives = "IPAM platforms, vulnerability scanners, authorized attack surface management tools"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    (
      $e.network.dns.questions.type = "NS" or
      $e.network.dns.questions.type = "MX" or
      $e.network.dns.questions.type = "TXT" or
      $e.network.dns.questions.type = "SOA" or
      $e.network.dns.questions.type = "ANY"
    )
    not net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.principal.ip, "127.0.0.0/8")
    $ip = $e.principal.ip
    $name = $e.network.dns.questions.name

  match:
    $ip over 10m

  outcome:
    $unique_names = count_distinct($name)
    $query_count = count()

  condition:
    $query_count > 30 or $unique_names > 20
}

high severity high confidence

Data Sources

Google Chronicle UDM NETWORK_DNS events (from DNS server log ingestion parsers) Google Chronicle UDM PROCESS_LAUNCH events (from CrowdStrike Falcon, Carbon Black, SentinelOne, or Defender forwarded to Chronicle) Chronicle ingestion parsers for Microsoft DNS, BIND, Windows Event Log, and Sysmon

Required Tables

UDM events with metadata.event_type = NETWORK_DNS UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Authorized DNS secondary name servers performing AXFR replication from hosted or cloud-segment IPs not covered by the RFC1918 CIDR exclusions in Rules 1 and 3
Security research or red team endpoints enrolled in Chronicle telemetry that run amass, subfinder, or similar tools during authorized assessments against the organization's own infrastructure
DNS-based monitoring and IPAM solutions (Infoblox, BlueCat, NetBox) generating bulk NS/MX/TXT/SOA queries above the Rule 3 threshold during automated inventory reconciliation
CI/CD pipeline agents querying multiple DNS record types for infrastructure validation during deployments, exceeding the 10-minute window threshold in Rule 3

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("DnsRequest", "ProcessRollup2")
| case {
    /* Branch 1: AXFR/IXFR zone transfer request initiated from enrolled endpoint */
    #event_simpleName = "DnsRequest"
    AND (RequestType = "AXFR" OR RequestType = "IXFR" OR RequestType = "255")
    AND NOT RemoteAddressIP4 = /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.)/ |
      AlertType := "External Zone Transfer Attempt" |
      RiskScore := "90" ;

    /* Branch 2: DNS OSINT tool execution or built-in utility abused for enumeration */
    #event_simpleName = "ProcessRollup2"
    AND (
      ImageFileName = /(?i)(dnsrecon|dnsx|subfinder|amass|fierce|dnsmap|dnsenum|gobuster|dnstwist|dnswalk|shuffledns|puredns|altdns|knockpy)(\.py|\.pl)?$/
      OR (
        ImageFileName = /(?i)python[23]?(\.exe)?$/
        AND CommandLine = /(?i)(dnsrecon|dnsenum|fierce|sublist3r|dnstwist)/
      )
      OR (
        ImageFileName = /(?i)nslookup(\.exe)?$/
        AND CommandLine = /(?i)(-type=axfr|-q=axfr|-querytype=axfr|-type=any)/
      )
      OR (
        ImageFileName = /(?i)[/\\]dig(\.exe)?$/
        AND CommandLine = /(?i)(axfr|_dmarc|\sMX\s|\sNS\s|\sTXT\s|\+short)/
      )
    ) |
      AlertType := "DNS Enumeration Tool on Endpoint" |
      RiskScore := "60" ;

    * | drop() ;
  }
| table(
    [timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     RemoteAddressIP4, DomainName, RequestType, AlertType, RiskScore],
    limit=1000
  )
| sort(RiskScore, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon DnsRequest events — endpoint-initiated DNS query telemetry from Falcon sensor CrowdStrike Falcon ProcessRollup2 events — process execution telemetry from Falcon sensor Falcon NG-SIEM / LogScale repository: main (all Falcon sensor events)

Required Tables

#event_simpleName=DnsRequest #event_simpleName=ProcessRollup2

False Positives

Authorized red team or penetration testing agents operating on Falcon-enrolled endpoints during a scheduled engagement where the test window overlaps detection coverage and endpoints are not suppressed via sensor grouping
Security operations or threat hunting analysts running DNS OSINT tools (amass, subfinder, dnsrecon) on enrolled workstations for authorized external asset discovery work
Falcon-enrolled hosts acting as DNS resolvers or secondary name servers that generate DnsRequest telemetry for legitimate AXFR replication queries to external authoritative servers
Developer workstations in security-oriented engineering teams where DNS tooling is installed for network testing, SRE incident response, or DevSecOps pipeline validation

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1590.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain Properties T1590.003Network Trust Dependencies T1590.004Network Topology T1590.005IP Addresses T1590.006Network Security Appliances

DNS

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections