T1590.002 CrowdStrike LogScale · LogScale

Detect DNS in CrowdStrike LogScale

Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.

MITRE ATT&CK

Tactic
Reconnaissance
Technique
T1590 Gather Victim Network Information
Sub-technique
T1590.002 DNS
Canonical reference
https://attack.mitre.org/techniques/T1590/002/

LogScale Detection Query

CrowdStrike LogScale (CQL):
#event_simpleName in ("DnsRequest", "ProcessRollup2")
| case {
    /* Branch 1: AXFR/IXFR zone transfer request initiated from enrolled endpoint */
    #event_simpleName = "DnsRequest"
    AND (RequestType = "AXFR" OR RequestType = "IXFR" OR RequestType = "255")
    AND NOT RemoteAddressIP4 = /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.)/ |
      AlertType := "External Zone Transfer Attempt" |
      RiskScore := "90" ;

    /* Branch 2: DNS OSINT tool execution or built-in utility abused for enumeration */
    #event_simpleName = "ProcessRollup2"
    AND (
      ImageFileName = /(?i)(dnsrecon|dnsx|subfinder|amass|fierce|dnsmap|dnsenum|gobuster|dnstwist|dnswalk|shuffledns|puredns|altdns|knockpy)(\.py|\.pl)?$/
      OR (
        ImageFileName = /(?i)python[23]?(\.exe)?$/
        AND CommandLine = /(?i)(dnsrecon|dnsenum|fierce|sublist3r|dnstwist)/
      )
      OR (
        ImageFileName = /(?i)nslookup(\.exe)?$/
        AND CommandLine = /(?i)(-type=axfr|-q=axfr|-querytype=axfr|-type=any)/
      )
      OR (
        ImageFileName = /(?i)[/\\]dig(\.exe)?$/
        AND CommandLine = /(?i)(axfr|_dmarc|\sMX\s|\sNS\s|\sTXT\s|\+short)/
      )
    ) |
      AlertType := "DNS Enumeration Tool on Endpoint" |
      RiskScore := "60" ;

    /* Fallthrough: discard events that matched neither branch (dropEvent() removes the whole event; drop() only removes fields) */
    * | dropEvent() ;
  }
| table(
    [timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     RemoteAddressIP4, DomainName, RequestType, AlertType, RiskScore],
    limit=1000
  )
| sort(RiskScore, order=desc)
Severity: high. Confidence: high.

CrowdStrike Falcon LogScale (CQL) detection for T1590.002 using a case operator to multiplex across DnsRequest and ProcessRollup2 event types. Branch 1 matches DnsRequest events where RequestType is AXFR, IXFR, or 255 (DNS type ANY) with a regex exclusion of RFC1918, loopback, and APIPA RemoteAddressIP4 ranges — note that Falcon DnsRequest events capture endpoint-initiated DNS queries, so this branch detects internal hosts running zone transfer queries rather than inbound external AXFR attempts against DNS servers (for inbound detection, pair with a DNS server log integration). Branch 2 matches ProcessRollup2 events where ImageFileName contains a known DNS OSINT tool name, or where Python, nslookup, or dig is invoked with zone transfer or enumeration command-line arguments. Events matching neither branch are dropped before the table output. Verify field names (RequestType, DomainName, RemoteAddressIP4) against the Falcon sensor version in your environment as naming can vary across sensor generations.
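To check the branch logic above outside LogScale, here is an added Python re-implementation of the same case logic (this is example code, not the vendor's rule or any CrowdStrike API). It mirrors the query's regular expressions verbatim, runs them over a handful of constructed Falcon-style events, and shows the RFC1918 exclusion and the fallthrough drop in action; the event dicts and host names are constructed for illustration.

```python
import re
from typing import Optional

# Patterns copied from the LogScale query above (Python re accepts the same (?i) prefix).
PRIVATE_IP = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.|169\.254\.)")
TOOL_IMAGE = re.compile(r"(?i)(dnsrecon|dnsx|subfinder|amass|fierce|dnsmap|dnsenum|gobuster|dnstwist|dnswalk|shuffledns|puredns|altdns|knockpy)(\.py|\.pl)?$")
PYTHON_IMAGE = re.compile(r"(?i)python[23]?(\.exe)?$")
PYTHON_CMD = re.compile(r"(?i)(dnsrecon|dnsenum|fierce|sublist3r|dnstwist)")
NSLOOKUP_IMAGE = re.compile(r"(?i)nslookup(\.exe)?$")
NSLOOKUP_CMD = re.compile(r"(?i)(-type=axfr|-q=axfr|-querytype=axfr|-type=any)")
DIG_IMAGE = re.compile(r"(?i)[/\\]dig(\.exe)?$")
DIG_CMD = re.compile(r"(?i)(axfr|_dmarc|\sMX\s|\sNS\s|\sTXT\s|\+short)")

def classify(event: dict) -> Optional[dict]:
    """Return the event tagged with AlertType/RiskScore, or None when the query would drop it."""
    kind = event.get("#event_simpleName")
    if kind == "DnsRequest":
        # Branch 1: AXFR/IXFR/ANY request whose remote address is not private, loopback or APIPA
        if event.get("RequestType") in ("AXFR", "IXFR", "255") and not PRIVATE_IP.search(event.get("RemoteAddressIP4", "")):
            return {**event, "AlertType": "External Zone Transfer Attempt", "RiskScore": 90}
    elif kind == "ProcessRollup2":
        img, cmd = event.get("ImageFileName", ""), event.get("CommandLine", "")
        # Branch 2: known OSINT tool binary, or python/nslookup/dig with enumeration arguments
        hit = (TOOL_IMAGE.search(img)
               or (PYTHON_IMAGE.search(img) and PYTHON_CMD.search(cmd))
               or (NSLOOKUP_IMAGE.search(img) and NSLOOKUP_CMD.search(cmd))
               or (DIG_IMAGE.search(img) and DIG_CMD.search(cmd)))
        if hit:
            return {**event, "AlertType": "DNS Enumeration Tool on Endpoint", "RiskScore": 60}
    return None  # neither branch matched: the query's fallthrough branch discards the event

def run(events):
    """Classify a batch and order alerts by RiskScore descending, like the query's sort(); RiskScore is an int here for sorting."""
    alerts = [a for a in (classify(e) for e in events) if a]
    return sorted(alerts, key=lambda a: a["RiskScore"], reverse=True)

# Constructed sample events (not real telemetry); field names follow the query.
SAMPLE_EVENTS = [
    {"#event_simpleName": "DnsRequest", "ComputerName": "WS01", "RequestType": "AXFR", "RemoteAddressIP4": "203.0.113.10", "DomainName": "example.com"},
    {"#event_simpleName": "DnsRequest", "ComputerName": "DC01", "RequestType": "AXFR", "RemoteAddressIP4": "10.0.0.5", "DomainName": "corp.local"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "WS02", "ImageFileName": "C:\\Windows\\System32\\nslookup.exe", "CommandLine": "nslookup -type=axfr example.com"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "LX01", "ImageFileName": "/usr/bin/python3", "CommandLine": "python3 dnsrecon.py -d example.com"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "LX02", "ImageFileName": "/usr/bin/dig", "CommandLine": "dig example.com A"},
]
```

Running run(SAMPLE_EVENTS) yields three alerts (WS01 at 90, then WS02 and LX01 at 60); the internal AXFR from DC01 and the plain dig on LX02 fall through and are dropped, which is the behaviour to confirm before tuning the exclusions.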

Data Sources

  • CrowdStrike Falcon DnsRequest events: endpoint-initiated DNS query telemetry from the Falcon sensor
  • CrowdStrike Falcon ProcessRollup2 events: process execution telemetry from the Falcon sensor
  • Falcon NG-SIEM / LogScale repository: main (all Falcon sensor events)

Required Tables

#event_simpleName=DnsRequest
#event_simpleName=ProcessRollup2

False Positives & Tuning

  • Authorized red team or penetration testing agents operating on Falcon-enrolled endpoints during a scheduled engagement where the test window overlaps detection coverage and endpoints are not suppressed via sensor grouping
  • Security operations or threat hunting analysts running DNS OSINT tools (amass, subfinder, dnsrecon) on enrolled workstations for authorized external asset discovery work
  • Falcon-enrolled hosts acting as DNS resolvers or secondary name servers that generate DnsRequest telemetry for legitimate AXFR replication queries to external authoritative servers
  • Developer workstations in security-oriented engineering teams where DNS tooling is installed for network testing, SRE incident response, or DevSecOps pipeline validation

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DNS Zone Transfer Attempt via nslookup

    Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).

  2. Test 2: DNS Zone Transfer via dig

    Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.

  3. Test 3: DNS Subdomain Enumeration with dnsrecon

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.

  4. Test 4: DNS MX and TXT Record Harvesting via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.

  5. Test 5: Subfinder Passive DNS Enumeration

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.
