T1596.001 DNS/Passive DNS Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1596.001 — DNS/Passive DNS Reconnaissance
// Three detection branches: zone transfer attempts, subdomain enumeration sweeps, and DNS recon tool execution
let DnsEnumTools = dynamic(["dnsrecon", "dnsx", "amass", "subfinder", "fierce", "dnsmap", "massdns", "dnscan", "dnsenum", "aiodnsbrute"]);
let DnsEnumArgs = dynamic(["--axfr", "-t axfr", "zone-transfer", "axfr ", "amass enum", "subfinder -d", "dnsrecon -d", "dnsenum --", "fierce --domain"]);
// Branch 1: DNS Zone Transfer Requests (AXFR/IXFR) hitting internal DNS servers
DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType in ("AXFR", "IXFR")
| extend DetectionBranch = "ZoneTransferAttempt"
| extend RiskScore = 90
| project TimeGenerated, Computer, ClientIP, QueryType, Name, ResultCode, DetectionBranch, RiskScore
| union (
    // Branch 2: High-volume subdomain enumeration — many unique labels queried per source IP per hour
    DnsEvents
    | where TimeGenerated > ago(24h)
    | where QueryType in ("A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "SRV")
    | extend RootDomain = extract(@"(?:[^.]+\.)?([^.]+\.[^.]+)$", 1, Name)
    | where isnotempty(RootDomain)
    | summarize
        QueryCount = count(),
        UniqueSubdomains = dcount(Name),
        QueryTypes = make_set(QueryType, 6),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
        by ClientIP, RootDomain, bin(TimeGenerated, 1h)
    | where UniqueSubdomains > 100
    | extend DetectionBranch = "SubdomainEnumerationSweep"
    | extend RiskScore = 70
    | extend Computer = "AuthoritativeDNS"
    | project TimeGenerated = FirstSeen, Computer, ClientIP,
              QueryType = "EnumerationSweep", Name = RootDomain,
              ResultCode = strcat("UniqueSubdomains:", tostring(UniqueSubdomains), "/QueryCount:", tostring(QueryCount)),
              DetectionBranch, RiskScore
)
| union (
    // Branch 3: DNS enumeration tool execution on monitored endpoints
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName has_any (DnsEnumTools)
        or ProcessCommandLine has_any (DnsEnumTools)
        or ProcessCommandLine has_any (DnsEnumArgs)
    | extend DetectionBranch = "DnsEnumToolExecution"
    | extend RiskScore = 80
    | project TimeGenerated = Timestamp, Computer = DeviceName,
              ClientIP = LocalIP, QueryType = "ProcessExecution",
              Name = ProcessCommandLine, ResultCode = FileName,
              DetectionBranch, RiskScore
)
| sort by RiskScore desc, TimeGenerated desc

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Process: Process Creation Microsoft DNS Server (via Azure Monitor / DNS Analytics solution)

Required Tables

DnsEvents DeviceProcessEvents

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records
DNS enumeration tools executed by the red team, threat hunting team, or security researchers during authorized exercises

Splunk

spl

| union
[
  search index=dns sourcetype=stream:dns
  | eval QueryType=upper(coalesce(query_type, qtype_name, ""))
  | eval QueryName=coalesce(query, query_name, name, "")
  | eval SourceIP=coalesce(src_ip, src, client_ip)
  | eval ServerIP=coalesce(dest_ip, dest)
  | where QueryType IN ("AXFR", "IXFR")
  | eval DetectionBranch="ZoneTransferAttempt"
  | eval RiskScore=90
  | table _time, host, SourceIP, ServerIP, QueryName, QueryType, DetectionBranch, RiskScore
]
[
  search index=dns sourcetype=stream:dns
  | eval QueryType=upper(coalesce(query_type, qtype_name, ""))
  | eval QueryName=coalesce(query, query_name, name, "")
  | eval SourceIP=coalesce(src_ip, src, client_ip)
  | where QueryType IN ("A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "SRV")
  | rex field=QueryName "(?:[^.]+\.)?(?P<RootDomain>[^.]+\.[^.]+)$"
  | where isnotnull(RootDomain)
  | bin _time span=1h
  | stats count as QueryCount,
          dc(QueryName) as UniqueSubdomains,
          values(QueryType) as QueryTypes
          by _time, SourceIP, RootDomain
  | where UniqueSubdomains > 100
  | eval DetectionBranch="SubdomainEnumerationSweep"
  | eval RiskScore=70
  | eval host="AuthoritativeDNS"
  | table _time, host, SourceIP, RootDomain, QueryCount, UniqueSubdomains, QueryTypes, DetectionBranch, RiskScore
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval CommandLineLower=lower(CommandLine)
  | eval ImageLower=lower(Image)
  | where match(ImageLower, "(dnsrecon|dnsx|amass|subfinder|fierce|dnsmap|massdns|dnscan|dnsenum|aiodnsbrute)")
      OR match(CommandLineLower, "(\-\-axfr|\-t\s+axfr|zone-transfer|axfr\s|amass\s+enum|subfinder\s+-d|dnsrecon\s+-d|dnsenum\s+--|fierce\s+--domain)")
  | eval DetectionBranch="DnsEnumToolExecution"
  | eval RiskScore=80
  | eval SourceIP=src_ip
  | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, RiskScore
]
| sort - RiskScore - _time

medium severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Process: Process Creation Splunk Stream (stream:dns) Sysmon Event ID 1

Required Sourcetypes

stream:dns XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized DNS zone transfers from legitimate secondary nameservers — AXFR between ns1 and ns2 of the same organization is expected and should be excluded by source IP allowlist
Scheduled DNS auditing tools in IT operations (Infoblox, BlueCat, SolarWinds IPAM) that perform bulk subdomain queries for inventory and health checks
Authorized penetration test or red team activity generating AXFR attempts and high-volume subdomain queries
DNS enumeration tools running as part of authorized vulnerability management or attack surface management programs (e.g., Shodan's Enterprise ASM, Censys team scan)
CDN providers and load balancer health checkers issuing rapid DNS queries that resemble enumeration traffic

Elastic Security (EQL)

eql

// T1596.001 — DNS/Passive DNS Recon
network where destination.port == 53
  and dns.question.type in ("AXFR", "IXFR")
  and not source.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
    "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*",
    "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*",
    "192.168.*", "127.*")

medium severity medium confidence

Data Sources

Elastic Endpoint Security Sysmon (winlogbeat)

Required Tables

logs-endpoint.events.process-*

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS "EventTime",
    LOGSOURCENAME(logsourceid) AS "LogSource",
    LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    "username", "sourceip", "destinationip",
    "eventid", "deviceaction", "message",
    CASE
        WHEN "destinationport" = 53 AND (LOWER("requesturl") ILIKE '%axfr%' OR LOWER("payload") ILIKE '%axfr%') THEN 8
        ELSE 4
      END AS "RiskScore"
  FROM events
  WHERE ("destinationport" = 53 AND (LOWER("requesturl") ILIKE '%axfr%' OR LOWER("payload") ILIKE '%axfr%'))
    AND LOGSOURCETYPENAME(devicetype) NOT IN ('SIM Audit', 'Custom Rule Engine')
  ORDER BY "RiskScore" DESC, "EventTime" DESC
  LAST 24 HOURS

medium severity medium confidence

Data Sources

QRadar SIEM Windows Security Events Network Firewall Logs Syslog

Required Tables

events

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| json auto
| where EventCode = 1
| where Image matches "*powershell*" or Image matches "*wmic*" or Image matches "*cmd*"
| count by host, User, Image, CommandLine
| sort by _count desc

medium severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Log Sources via Sumo Logic Collector

Required Tables

windows/events security/sysmon

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records

Google Chronicle / SecOps

yaral

rule t1596_001_dns_passive_dns {
  meta:
    author = "df00tech"
    description = "Detects DNS/Passive DNS (T1596.001)"
    mitre_attack_tactic = "TA0043"
    mitre_attack_technique = "T1596.001"
    confidence = "medium"
    severity = "medium"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Chronicle UDM

Required Tables

PROCESS_LAUNCH PROCESS_OPEN

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /powershell\.exe|wmic\.exe|cmd\.exe/i
| CommandLine = /recon|enum|survey|harvest|osint/i
| case {
    CommandLine = /win32_bios|win32_baseboard|bios/i => TechniqueLabel := "T1596.001 - FirmwareEnum";
    CommandLine = /theharvester|recon-ng|spiderfoot/i => TechniqueLabel := "T1596.001 - OSINTTool";
    * => TechniqueLabel := "T1596.001 - Reconnaissance"
  }
| table([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, TechniqueLabel])

medium severity medium confidence

Data Sources

CrowdStrike Falcon CrowdStrike LogScale

Required Tables

ProcessRollup2 ProcessRollup2

False Positives

Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records

DNS/Passive DNS

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Reconnaissance

Popular Detections