T1590.002 Sumo Logic CSE · Sumo

Detect DNS in Sumo Logic CSE

Adversaries may gather information about the victim's DNS infrastructure to support targeting. DNS reconnaissance reveals registered name servers, subdomains, mail servers, and host addressing. DNS record types including MX, TXT, SPF, DMARC, and DKIM records expose third-party cloud and SaaS provider usage (Office 365, Google Workspace, Salesforce, Zendesk). Adversaries may perform full DNS zone transfers (AXFR queries) against misconfigured authoritative servers, query passive DNS databases (Circl, SecurityTrails, Shodan), or run OSINT tools such as dnsrecon, subfinder, amass, and fierce. The collected intelligence maps the organization's external attack surface and informs infrastructure acquisition, phishing infrastructure setup, and initial access planning.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1590 Gather Victim Network Information
Sub-technique: T1590.002 DNS
Canonical reference: https://attack.mitre.org/techniques/T1590/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*dns* OR _sourceCategory=*sysmon* OR _sourceCategory=*windows/events* OR _sourceCategory=*endpoint*)

/* Normalize raw message for multi-source pattern matching */
| parse "*" as raw_msg

/* Branch 1: Zone Transfer keyword detection.
   Sumo Logic has no eval operator; conditional assignment is `| if(cond, a, b) as field` */
| if(
    raw_msg matches "*AXFR*" or raw_msg matches "*IXFR*" or raw_msg matches "*type=255*",
    "true", "false") as zone_xfer

/* Branch 2: Known DNS OSINT tool names in process or command-line fields */
| if(
    raw_msg matches "*dnsrecon*" or raw_msg matches "*subfinder*" or
    raw_msg matches "*amass*" or raw_msg matches "*dnsenum*" or
    raw_msg matches "*fierce*" or raw_msg matches "*dnsmap*" or
    raw_msg matches "*gobuster*" or raw_msg matches "*altdns*" or
    raw_msg matches "*knockpy*" or raw_msg matches "*shuffledns*" or
    raw_msg matches "*puredns*" or raw_msg matches "*sublist3r*" or
    raw_msg matches "*dnstwist*",
    "true", "false") as tool_exec

/* Keep only events matching at least one branch */
| where zone_xfer = "true" or tool_exec = "true"

/* Extract source IP with fallback across common field label styles.
   Named groups use the (?<name>...) form expected by Sumo Logic's parse regex;
   nodrop keeps events where no IP is present so the tool_exec branch still fires */
| parse regex field=raw_msg "(?i)(?:src_ip|src|source|client|ClientIP|clientip)[=:\s]+(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop

/* Suppress zone transfer alerts originating from RFC1918 / loopback / link-local ranges */
| where not (zone_xfer = "true" and (
    src_ip matches "10.*" or src_ip matches "192.168.*" or
    src_ip matches "172.16.*" or src_ip matches "172.17.*" or
    src_ip matches "172.18.*" or src_ip matches "172.19.*" or
    src_ip matches "172.20.*" or src_ip matches "172.21.*" or
    src_ip matches "172.22.*" or src_ip matches "172.23.*" or
    src_ip matches "172.24.*" or src_ip matches "172.25.*" or
    src_ip matches "172.26.*" or src_ip matches "172.27.*" or
    src_ip matches "172.28.*" or src_ip matches "172.29.*" or
    src_ip matches "172.30.*" or src_ip matches "172.31.*" or
    src_ip matches "127.*" or src_ip matches "169.254.*"
  ))

/* Assign alert classification and risk score (zone transfer takes precedence when both branches match) */
| if(zone_xfer = "true",
    "External Zone Transfer Attempt",
    "DNS Enumeration Tool on Endpoint") as AlertType
| if(zone_xfer = "true", 90, 60) as RiskScore

/* Extract device/host identifier across common log formats */
| parse regex field=raw_msg "(?i)(?:Computer|ComputerName|hostname|host|device)[=:\s]+(?<device>[\w\-\.]+)" nodrop

| fields _messagetime, AlertType, RiskScore, device, src_ip, _sourceCategory, raw_msg
| sort by RiskScore desc, _messagetime desc

Severity: high · Confidence: medium

Multi-branch Sumo Logic detection for T1590.002 covering DNS zone transfer attempts and DNS OSINT tool execution. The pipeline fans out across DNS server and endpoint/Sysmon source categories, classifies events by branch with conditional if expressions, then applies RFC1918 wildcard suppression to the parsed source IP for the zone transfer branch only. A regex parse with nodrop extracts the source IP across common DNS log field naming conventions (src_ip, ClientIP, client) without discarding events in which no IP field is present. AlertType and RiskScore are assigned before the final sort. The bulk enumeration branch (>30 queries per 10-minute window) is best deployed as a separate scheduled search: `_sourceCategory=*dns* ("NS" OR "MX" OR "TXT" OR "SOA") | timeslice 10m | parse regex "(?i)(?:src|client)[=:\s]+(?<src_ip>\d+\.\d+\.\d+\.\d+)" | count by src_ip, _timeslice | where _count > 30`. Cloud SIEM Enterprise customers should map to the normalized schema fields commandLine, srcDevice and listMatches.
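An added Python model of this pipeline (example code, not part of the original page or of Sumo Logic) that replays the two branches, the nodrop source-IP extraction, the RFC1918 suppression and the scheduled bulk-query threshold against constructed log lines, so the suppression boundary (172.31.x suppressed, 172.32.x alerted) and the missing-IP case can be checked offline.

```python
import ipaddress
import re

# Added example (not the page's or Sumo Logic's own code): a Python model of the
# detection above, so its branches, source-IP suppression and the scheduled
# bulk-query search can be exercised offline on constructed log lines.
ZONE_XFER_KEYWORDS = ("axfr", "ixfr", "type=255")
TOOL_NAMES = ("dnsrecon", "subfinder", "amass", "dnsenum", "fierce", "dnsmap", "gobuster",
              "altdns", "knockpy", "shuffledns", "puredns", "sublist3r", "dnstwist")
# Same field-label fallbacks as the query's two `parse regex ... nodrop` steps.
SRC_IP_RE = re.compile(r"(?i)(?:src_ip|src|source|client|ClientIP|clientip)[=:\s]+"
                       r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
DEVICE_RE = re.compile(r"(?i)(?:Computer|ComputerName|hostname|host|device)[=:\s]+(?P<device>[\w\-.]+)")
# Exactly the ranges the query's wildcard list suppresses on the zone-transfer branch.
SUPPRESSED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_suppressed_source(src_ip):
    """True for a parsable IP in a suppressed range; a missing IP is kept (nodrop semantics)."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except (TypeError, ValueError):
        return False
    return any(addr in net for net in SUPPRESSED_NETS)

def classify(raw_msg):
    """Return (AlertType, RiskScore, src_ip, device), or None if the event is dropped."""
    text = raw_msg.lower()  # compared case-insensitively so nslookup's '-type=axfr' is caught
    zone_xfer = any(k in text for k in ZONE_XFER_KEYWORDS)
    tool_exec = any(t in text for t in TOOL_NAMES)
    if not (zone_xfer or tool_exec):
        return None
    ip_match = SRC_IP_RE.search(raw_msg)
    src_ip = ip_match.group("src_ip") if ip_match else None
    if zone_xfer and is_suppressed_source(src_ip):
        return None  # authorized internal secondary replicating a zone
    dev_match = DEVICE_RE.search(raw_msg)
    device = dev_match.group("device") if dev_match else None
    if zone_xfer:
        return ("External Zone Transfer Attempt", 90, src_ip, device)
    return ("DNS Enumeration Tool on Endpoint", 60, src_ip, device)

def bulk_enumeration(events, threshold=30, window=600):
    """Model of the scheduled search: (epoch_seconds, src_ip) pairs bucketed into fixed
    10-minute slices; returns the (slice_start, src_ip) keys with more than `threshold` queries."""
    counts = {}
    for ts, src_ip in events:
        key = (ts - ts % window, src_ip)
        counts[key] = counts.get(key, 0) + 1
    return sorted(key for key, n in counts.items() if n > threshold)
```

Substring matches on short tool names such as amass or fierce also hit ordinary words in command lines, which is one reason the tuning list below matters.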

Data Sources

  • Windows DNS Server debug logs collected via Sumo Logic Windows Agent
  • BIND/named query logs via syslog collection (_sourceCategory=*dns*)
  • Sysmon EventID 1 (Process Create) via Sumo Logic Windows Agent (_sourceCategory=*sysmon*)
  • Windows Security EventID 4688 (Process Create) via Sumo Logic Windows Agent (_sourceCategory=*windows/events*)

Required Tables

  • _sourceCategory=*dns*
  • _sourceCategory=*sysmon*
  • _sourceCategory=*windows/events*
  • _sourceCategory=*endpoint*

False Positives & Tuning

  • Secondary or slave DNS servers performing authorized AXFR zone replication from IPs in non-RFC1918 segments (hosted DNS, anycast secondaries) not covered by the wildcard exclusion list
  • SOC analyst workstations running DNS OSINT tools (dnsrecon, amass) during active threat hunting or investigation workflows against external targets
  • IPAM and DNS management platforms (Infoblox, BlueCat) whose automated NS/MX/SOA health checks appear in process creation logs when they shell out to dig or nslookup
  • DevOps CI/CD pipeline agents invoking dig or nslookup with NS/MX arguments during infrastructure validation steps, generating endpoint process logs that match the tool_exec branch

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: DNS Zone Transfer Attempt via nslookup

    Expected signal: Sysmon Event ID 1: Process Create with Image=nslookup.exe, CommandLine containing '-type=axfr'. Sysmon Event ID 3: Network Connection to nsztm1.digi.ninja on TCP/53 (zone transfers require TCP). DNS server debug log (if configured): outbound AXFR query. Windows Security Event ID 4688 (if command line auditing enabled).

  2. Test 2: DNS Zone Transfer via dig

    Expected signal: Linux process execution via auditd: execve syscall for /usr/bin/dig with arguments 'axfr zonetransfer.me @nsztm1.digi.ninja'. Network connection on TCP/53 to nsztm1.digi.ninja. Sysmon for Linux Event ID 1 (if deployed): Process Create. Stream:DNS capture shows query_type=AXFR from the endpoint IP.

  3. Test 3: DNS Subdomain Enumeration with dnsrecon

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=dnsrecon or python3, CommandLine containing 'dnsrecon' and 'example.com'. Multiple DNS queries for MX, NS, TXT, SOA, A records for example.com visible in stream:dns or DNS server logs. High query count from the endpoint IP within a short window.

  4. Test 4: DNS MX and TXT Record Harvesting via PowerShell

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Resolve-DnsName' and record type arguments. Sysmon Event ID 22 (DNS Query): Multiple DNS queries for MX, TXT, NS, SOA record types for example.com. PowerShell ScriptBlock Logging Event ID 4104: full script content including all Resolve-DnsName calls.

  5. Test 5: Subfinder Passive DNS Enumeration

    Expected signal: Sysmon for Linux EventCode=1: Process Create with Image=subfinder, CommandLine containing 'example.com' and '-o /tmp/subdomains.txt'. Sysmon for Linux EventCode=11 (File Create): /tmp/subdomains.txt written. Network connections to multiple external threat intelligence APIs (api.shodan.io, virustotal.com, crt.sh) over HTTPS.
