T1590.002 Elastic Security · Elastic

Detect DNS in Elastic Security

Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Sub-technique
T1590.002 DNS
Canonical reference
https://attack.mitre.org/techniques/T1590/002/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  /* Branch 1: DNS Zone Transfer Attempt from External Source */
  (
    event.category == "dns" and
    dns.question.type in ("AXFR", "IXFR", "255") and
    not source.ip : ("10.*", "192.168.*", "172.16.*", "172.17.*", "172.18.*",
                     "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*",
                     "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*",
                     "172.29.*", "172.30.*", "172.31.*", "127.*", "169.254.*")
  ) or
  /* Branch 2: DNS OSINT Tool or Abuse of Built-in Utilities on Endpoint */
  (
    event.category == "process" and event.type == "start" and
    (
      process.name in~ ("dnsrecon", "dnsrecon.py", "dnsx", "subfinder", "amass",
                         "fierce", "fierce.py", "dnsmap", "dnsenum", "dnsenum.pl",
                         "sublist3r", "gobuster", "dnstwist", "dnswalk", "shuffledns",
                         "puredns", "altdns", "knockpy") or
      (
        process.name in~ ("python", "python3", "python.exe", "python3.exe") and
        process.command_line like~ ("*dnsrecon*", "*dnsenum*", "*fierce*",
                                     "*sublist3r*", "*dnstwist*")
      ) or
      (
        process.name in~ ("nslookup", "nslookup.exe") and
        process.command_line like~ ("*-type=axfr*", "*-q=axfr*",
                                     "*-querytype=axfr*", "*-type=any*",
                                     "*ls -d*", "*ls -t*")
      ) or
      (
        process.name == "dig" and
        process.command_line like~ ("*axfr*", "* any *", "*_dmarc*",
                                     "* MX *", "* NS *", "* TXT *")
      )
    )
  )
high severity high confidence

Detects T1590.002 DNS reconnaissance across two EQL-compatible branches: (1) DNS zone transfer requests (AXFR/IXFR/type 255) from non-RFC1918 source IPs hitting internal DNS infrastructure using ECS dns.question.type and source.ip wildcard exclusions; (2) execution of known DNS OSINT tools or abuse of built-in utilities (nslookup, dig, python wrappers) with zone transfer or enumeration arguments detected via ECS process events. Note: the bulk enumeration branch (>30 queries per 10-minute window from a single IP) requires a separate threshold-type Kibana detection rule with a terms aggregation on source.ip and cannot be expressed as a single EQL event query.

Data Sources

Elastic Agent DNS integration (ECS dns.* event fields)Elastic Endpoint Security agent (ECS process.* fields, event.category=process)Winlogbeat with Sysmon module (EventCode 1 mapped to ECS process.start, EventCode 22 mapped to ECS dns)Packetbeat passive DNS capture (dns.question.type from wire)

Required Tables

logs-endpoint.events.dns-*logs-endpoint.events.process-*winlogbeat-*packetbeat-*

False Positives & Tuning

  • Authorized DNS secondary name servers performing legitimate AXFR zone replication where the secondary's IP falls outside RFC1918 ranges (e.g., hosted secondaries in DMZ or cloud)
  • Security engineers running subfinder, amass, or gobuster on corporate endpoints for authorized external attack surface management scans against the organization's own domains
  • DNS monitoring or IPAM platforms (Infoblox, BlueCat) that invoke dig or nslookup binaries with NS/MX/SOA arguments as part of automated zone health checks
  • DevOps CI/CD pipeline agents executing dig with MX or NS flags during infrastructure provisioning validation steps
Download portable Sigma rule (.yml)

Other platforms for T1590.002

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1DNS Zone Transfer Attempt via nslookup

    Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).

  2. Test 2DNS Zone Transfer via dig

    Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.

  3. Test 3DNS Subdomain Enumeration with dnsrecon

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.

  4. Test 4DNS MX and TXT Record Harvesting via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.

  5. Test 5Subfinder Passive DNS Enumeration

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1590.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1590Gather Victim Network Information

Related Sub-techniques

T1590.001Domain PropertiesT1590.003Network Trust DependenciesT1590.004Network TopologyT1590.005IP AddressesT1590.006Network Security Appliances

Related Techniques

T1590Gather Victim Network InformationT1590.001Domain PropertiesT1590.005IP AddressesT1596.001DNS/Passive DNST1596.002WHOIST1595Active ScanningT1595.003Wordlist ScanningT1584Compromise InfrastructureT1583.001DomainsT1566.002Spearphishing LinkT1133External Remote Services

Same Tactic: Reconnaissance

Popular Detections