Detect DNS Reconnaissance (T1590.002) in IBM QRadar
Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1590 Gather Victim Network Information
- Sub-technique: T1590.002 DNS
- Canonical reference: https://attack.mitre.org/techniques/T1590/002/
QRadar Detection Query
/* Branch 1: External DNS Zone Transfer Requests (AXFR/IXFR) */
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
'External Zone Transfer Attempt' AS AlertType,
90 AS RiskScore,
sourceip AS SourceIP,
destinationip AS DestIP,
QIDNAME(qid) AS EventName,
CATEGORYNAME(highLevelCategory) AS Category,
UTF8(payload) AS RawEvent
FROM events
WHERE
devicetype IN (15, 352, 192, 434) /* devicetype holds the log source type ID; validate IDs per deployment */
AND (
UTF8(payload) ILIKE '%AXFR%' OR
UTF8(payload) ILIKE '%IXFR%' OR
UTF8(payload) ILIKE '%type=252%' OR /* AXFR qtype code (IANA); 255 is ANY, not a zone transfer */
UTF8(payload) ILIKE '%type=251%' OR /* IXFR qtype code */
UTF8(payload) ILIKE '%qtype=AXFR%'
)
AND NOT (
INCIDR('10.0.0.0/8', sourceip) OR
INCIDR('192.168.0.0/16', sourceip) OR
INCIDR('172.16.0.0/12', sourceip) OR
INCIDR('127.0.0.0/8', sourceip) OR
INCIDR('169.254.0.0/16', sourceip)
)
AND starttime > NOW() - 86400000
UNION ALL
/* Branch 2: Bulk External DNS Enumeration — NS/MX/TXT/SOA/ANY volume threshold */
SELECT
DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS EventTime,
'Bulk External DNS Enumeration' AS AlertType,
70 AS RiskScore,
sourceip AS SourceIP,
destinationip AS DestIP,
CONCAT('QueryCount=', STR(COUNT(*)), ' UniqueNames=', STR(UNIQUECOUNT(UTF8(payload)))) AS EventName,
'DNS Reconnaissance' AS Category,
CONCAT('bulk_dns_count=', STR(COUNT(*)), ' src=', STR(sourceip)) AS RawEvent
FROM events
WHERE
devicetype IN (15, 352, 192, 434)
AND (
UTF8(payload) ILIKE '% NS %' OR
UTF8(payload) ILIKE '% MX %' OR
UTF8(payload) ILIKE '% TXT %' OR
UTF8(payload) ILIKE '% SOA %' OR
UTF8(payload) ILIKE '% ANY %'
)
AND NOT (
INCIDR('10.0.0.0/8', sourceip) OR
INCIDR('192.168.0.0/16', sourceip) OR
INCIDR('172.16.0.0/12', sourceip) OR
INCIDR('127.0.0.0/8', sourceip)
)
AND starttime > NOW() - 3600000
GROUP BY sourceip, destinationip,
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm')
HAVING COUNT(*) > 30
UNION ALL
/* Branch 3: DNS OSINT Tool Execution — Windows Security/Sysmon Process Create */
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
'DNS Enumeration Tool on Endpoint' AS AlertType,
60 AS RiskScore,
sourceip AS SourceIP,
NULL AS DestIP,
username AS EventName,
'Endpoint Process Execution' AS Category,
UTF8(payload) AS RawEvent
FROM events
WHERE
devicetype IN (13, 434)
AND QIDNAME(qid) ILIKE '%process%create%'
AND (
UTF8(payload) ILIKE '%dnsrecon%' OR
UTF8(payload) ILIKE '%subfinder%' OR
UTF8(payload) ILIKE '%amass%' OR
UTF8(payload) ILIKE '%dnsenum%' OR
UTF8(payload) ILIKE '%fierce%' OR
UTF8(payload) ILIKE '%dnsmap%' OR
UTF8(payload) ILIKE '%gobuster%' OR
UTF8(payload) ILIKE '%altdns%' OR
UTF8(payload) ILIKE '%knockpy%' OR
UTF8(payload) ILIKE '%shuffledns%' OR
UTF8(payload) ILIKE '%puredns%' OR
UTF8(payload) ILIKE '%sublist3r%' OR
UTF8(payload) ILIKE '%dnstwist%'
)
AND starttime > NOW() - 86400000
ORDER BY RiskScore DESC, EventTime DESC
LIMIT 1000

Three-branch AQL detection for T1590.002 DNS reconnaissance, using UNION ALL to combine the alert types. Branch 1 queries DNS log sources (log source type IDs carried in the devicetype field: 15=Microsoft DNS, 352=BIND, 192=generic syslog, 434=Sysmon) for AXFR/IXFR payload indicators from external source IPs, using INCIDR() for precise RFC1918 exclusion. Branch 2 aggregates NS/MX/TXT/SOA/ANY queries over the last hour via GROUP BY, bucketed per source/destination pair and minute, with HAVING COUNT(*) > 30 to surface bulk enumeration from a single external IP. Branch 3 inspects Windows Security Event Log (type ID 13) and Sysmon (434) process creation events for known DNS OSINT tool strings in the event payload. Log source type IDs must be validated against the target QRadar deployment, as they vary across installations.
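To check the Branch 1 and Branch 2 logic offline before deploying the rule, here is an added Python emulation (not part of the page's query or of QRadar) run over constructed BIND-style query log lines; the log format, IP addresses and query names are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Query-type names and IANA qtype codes the two branches look for
# (AXFR=252, IXFR=251; ANY is 255 and is an enumeration signal, not a zone transfer).
ZONE_TRANSFER_QTYPES = {"AXFR", "IXFR", "252", "251"}
ENUM_QTYPES = {"NS", "MX", "TXT", "SOA", "ANY", "255"}
# Same ranges the AQL excludes with INCIDR()
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Assumed BIND-style query log line (constructed for this example):
# 21-Mar-2024 10:15:01.001 client 198.51.100.7#4433 (example.com): query: example.com IN AXFR +T (203.0.113.5)
LINE_RE = re.compile(
    r"^(?P<minute>\d{2}-\w{3}-\d{4} \d{2}:\d{2}):\d{2}\.\d+ client (?P<src>[\d.]+)#\d+ "
    r"\(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+) .*\((?P<dst>[\d.]+)\)$")

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(lines, bulk_threshold=30):
    """Return (zone_transfer_alerts, bulk_alerts), mirroring Branch 1 and Branch 2."""
    zone_transfers = []
    buckets = defaultdict(list)  # (src, dst, minute) -> qnames, like the AQL GROUP BY
    for line in lines:
        m = LINE_RE.match(line)
        if not m or is_internal(m["src"]):  # unparsable, or excluded by INCIDR()
            continue
        qtype = m["qtype"].upper()
        if qtype in ZONE_TRANSFER_QTYPES:
            zone_transfers.append({"src": m["src"], "dst": m["dst"], "qtype": qtype, "risk": 90})
        if qtype in ENUM_QTYPES:
            buckets[(m["src"], m["dst"], m["minute"])].append(m["qname"])
    bulk = [{"src": s, "dst": d, "minute": t, "count": len(q), "unique": len(set(q)), "risk": 70}
            for (s, d, t), q in buckets.items() if len(q) > bulk_threshold]
    return zone_transfers, bulk

def sample_lines():
    """Constructed input: one external AXFR, one internal AXFR (must be excluded),
    and 31 MX lookups from one external IP inside a single minute."""
    fmt = "21-Mar-2024 10:15:{sec:02d}.001 client {src}#4433 ({q}): query: {q} IN {t} +T ({dst})"
    lines = [fmt.format(sec=1, src="198.51.100.7", q="example.com", t="AXFR", dst="203.0.113.5"),
             fmt.format(sec=2, src="10.20.30.40", q="example.com", t="AXFR", dst="203.0.113.5")]
    lines += [fmt.format(sec=s % 60, src="198.51.100.9", q=f"sub{s}.example.com", t="MX",
                         dst="203.0.113.5") for s in range(31)]
    return lines
```

Replace sample_lines() with lines exported from the real DNS log source to confirm the payload patterns and the minute-bucketed threshold behave as intended before enabling the rule.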
False Positives & Tuning
- Secondary DNS server IPs hosted in a DMZ or cloud segment that are not covered by the INCIDR RFC1918 exclusions, triggering false zone transfer alerts during legitimate replication
- Network vulnerability scanners (Qualys, Tenable, Rapid7) performing scheduled external DNS record enumeration as part of authorized attack surface assessments
- IPAM or DNS management tools performing automated NS/MX/SOA health checks at high frequency that exceed the Branch 2 bulk enumeration COUNT threshold
- Authorized penetration testers or red team operators whose source IPs and endpoint hostnames are not suppressed in the detection rule during an active engagement window
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DNS Zone Transfer Attempt via nslookup
Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).
- Test 2: DNS Zone Transfer via dig
Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.
- Test 3: DNS Subdomain Enumeration with dnsrecon
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.
- Test 4: DNS MX and TXT Record Harvesting via PowerShell
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.
- Test 5: Subfinder Passive DNS Enumeration
Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.
References
- https://attack.mitre.org/techniques/T1590/002/
- https://www.cisa.gov/news-events/alerts/2015/04/13/dns-zone-transfer-axfr-requests-may-leak-domain-information
- https://dnsdumpster.com/
- https://www.circl.lu/services/passive-dns/
- https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
- https://github.com/darkoperator/dnsrecon
- https://github.com/projectdiscovery/subfinder
- https://github.com/OWASP/Amass
- https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/dns
- https://learn.microsoft.com/en-us/azure/sentinel/dns-domain-generation-algorithm
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1590.002/T1590.002.md
- https://www.iana.org/assignments/dns-parameters/dns-parameters.xhtml#dns-parameters-4