Detect DNS/Passive DNS in Microsoft Sentinel
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include registered name servers, records outlining addressing for subdomains, mail servers, and other hosts. Adversaries may directly query nameservers for a target organization, search centralized repositories of logged DNS query responses (passive DNS services such as CIRCL Passive DNS or SecurityTrails), or seek DNS misconfigurations and zone transfer vulnerabilities that reveal internal network structure. This reconnaissance phase generates no footprint in the victim's environment unless the adversary actively queries the organization's own authoritative DNS servers — making detection primarily possible through DNS server audit logs, high-volume query pattern analysis, and endpoint-based detection of DNS enumeration tools. Information gathered supports subsequent techniques including infrastructure acquisition, phishing campaigns, and external service exploitation.
MITRE ATT&CK
- Tactic
- Reconnaissance
- Technique
- T1596 Search Open Technical Databases
- Sub-technique
- T1596.001 DNS/Passive DNS
- Canonical reference
- https://attack.mitre.org/techniques/T1596/001/
KQL Detection Query
// T1596.001 — DNS/Passive DNS Reconnaissance
// Three detection branches: zone transfer attempts, subdomain enumeration sweeps, and DNS recon tool execution
let DnsEnumTools = dynamic(["dnsrecon", "dnsx", "amass", "subfinder", "fierce", "dnsmap", "massdns", "dnscan", "dnsenum", "aiodnsbrute"]);
let DnsEnumArgs = dynamic(["--axfr", "-t axfr", "zone-transfer", "axfr ", "amass enum", "subfinder -d", "dnsrecon -d", "dnsenum --", "fierce --domain"]);
// Branch 1: DNS Zone Transfer Requests (AXFR/IXFR) hitting internal DNS servers
DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType in ("AXFR", "IXFR")
| extend DetectionBranch = "ZoneTransferAttempt"
| extend RiskScore = 90
| project TimeGenerated, Computer, ClientIP, QueryType, Name, ResultCode, DetectionBranch, RiskScore
| union (
// Branch 2: High-volume subdomain enumeration — many unique labels queried per source IP per hour
DnsEvents
| where TimeGenerated > ago(24h)
| where QueryType in ("A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "SRV")
| extend RootDomain = extract(@"(?:[^.]+\.)?([^.]+\.[^.]+)$", 1, Name)
| where isnotempty(RootDomain)
| summarize
QueryCount = count(),
UniqueSubdomains = dcount(Name),
QueryTypes = make_set(QueryType, 6),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by ClientIP, RootDomain, bin(TimeGenerated, 1h)
| where UniqueSubdomains > 100
| extend DetectionBranch = "SubdomainEnumerationSweep"
| extend RiskScore = 70
| extend Computer = "AuthoritativeDNS"
| project TimeGenerated = FirstSeen, Computer, ClientIP,
QueryType = "EnumerationSweep", Name = RootDomain,
ResultCode = strcat("UniqueSubdomains:", tostring(UniqueSubdomains), "/QueryCount:", tostring(QueryCount)),
DetectionBranch, RiskScore
)
| union (
// Branch 3: DNS enumeration tool execution on monitored endpoints
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (DnsEnumTools)
or ProcessCommandLine has_any (DnsEnumTools)
or ProcessCommandLine has_any (DnsEnumArgs)
| extend DetectionBranch = "DnsEnumToolExecution"
| extend RiskScore = 80
| project TimeGenerated = Timestamp, Computer = DeviceName,
ClientIP = LocalIP, QueryType = "ProcessExecution",
Name = ProcessCommandLine, ResultCode = FileName,
DetectionBranch, RiskScore
)
| sort by RiskScore desc, TimeGenerated descDetects DNS and passive DNS reconnaissance using three complementary branches. Branch 1 monitors the DnsEvents table (requires Azure DNS Analytics or Microsoft DNS Server connector) for AXFR/IXFR zone transfer requests — a direct attempt to dump all DNS records for a zone. Branch 2 identifies high-volume subdomain enumeration by aggregating query counts per source IP per hour against a single root domain and alerting when unique subdomain count exceeds 100. Branch 3 uses DeviceProcessEvents to catch DNS enumeration tools (dnsrecon, amass, subfinder, fierce, massdns) executing on monitored endpoints. A RiskScore field allows analysts to prioritize alerts: zone transfer attempts score 90, tool execution 80, high-volume sweeps 70.
Data Sources
Required Tables
False Positives & Tuning
- Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
- Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory
- Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
- Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records
- DNS enumeration tools executed by the red team, threat hunting team, or security researchers during authorized exercises
Other platforms for T1596.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS Zone Transfer Attempt via dig (AXFR)
Expected signal: Linux auditd: execve syscall for /usr/bin/dig with args 'AXFR zonetransfer.me @nsztm1.digi.ninja'. Network: TCP connection on port 53 to nsztm1.digi.ninja (zone transfers use TCP). Sysmon for Linux Event ID 3: network connection from dig process to port 53. If running on Windows, Sysmon Event ID 1 captures the process creation and Event ID 3 captures the TCP/53 connection.
- Test 2Subdomain Enumeration via dnsrecon
Expected signal: Sysmon for Linux / auditd: process creation for dnsrecon with target domain argument. Network: multiple UDP/TCP port 53 packets to DNS resolvers, including NS, SOA, MX, A, AAAA, TXT query types for example.com and its subdomains. stream:dns logs will show high-volume queries for subdomains of example.com from the test host IP within a short time window.
- Test 3DNS Zone Transfer via nslookup (Windows)
Expected signal: Sysmon Event ID 1: Process Create with Image='C:\Windows\System32\nslookup.exe', CommandLine containing '-type=AXFR'. Sysmon Event ID 3: TCP network connection on port 53 to nsztm1.digi.ninja. Sysmon Event ID 22: DNS query event for zonetransfer.me. Security Event ID 4688 (if command line auditing is enabled) with the full command line.
- Test 4Passive DNS Reconnaissance via subfinder
Expected signal: Sysmon for Linux / auditd: process creation for subfinder binary with '-d example.com' argument. Network: HTTPS connections to passive DNS API endpoints (SecurityTrails, VirusTotal, Censys APIs on port 443) — these will NOT appear as DNS queries against the target's nameservers, which is why passive DNS recon is so difficult to detect from the victim side. File creation event for /tmp/subdomains.txt containing enumerated subdomains.
References (11)
- https://attack.mitre.org/techniques/T1596/001/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-dns
- https://learn.microsoft.com/en-us/azure/sentinel/dns-normalization-schema
- https://github.com/darkoperator/dnsrecon
- https://github.com/projectdiscovery/subfinder
- https://github.com/owasp-amass/amass
- https://learn.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/disable-dns-zone-transfer
- https://www.sans.org/blog/dns-zone-transfers-a-common-but-preventable-misconfiguration/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1596.001/T1596.001.md
Unlock Pro Content
Get the full detection package for T1596.001 including response playbook, investigation guide, and atomic red team tests.