Detect DNS/Passive DNS in Splunk
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include registered name servers, records outlining addressing for subdomains, mail servers, and other hosts. Adversaries may directly query nameservers for a target organization, search centralized repositories of logged DNS query responses (passive DNS services such as CIRCL Passive DNS or SecurityTrails), or seek DNS misconfigurations and zone transfer vulnerabilities that reveal internal network structure. This reconnaissance phase generates no footprint in the victim's environment unless the adversary actively queries the organization's own authoritative DNS servers — making detection primarily possible through DNS server audit logs, high-volume query pattern analysis, and endpoint-based detection of DNS enumeration tools. Information gathered supports subsequent techniques including infrastructure acquisition, phishing campaigns, and external service exploitation.
MITRE ATT&CK
- Tactic: Reconnaissance
- Technique: T1596 Search Open Technical Databases
- Sub-technique: T1596.001 DNS/Passive DNS
- Canonical reference: https://attack.mitre.org/techniques/T1596/001/
SPL Detection Query
| union
    [
    search index=dns sourcetype=stream:dns
    | eval QueryType=upper(coalesce(query_type, qtype_name, ""))
    | eval QueryName=coalesce(query, query_name, name, "")
    | eval SourceIP=coalesce(src_ip, src, client_ip)
    | eval ServerIP=coalesce(dest_ip, dest)
    | where QueryType IN ("AXFR", "IXFR")
    | eval DetectionBranch="ZoneTransferAttempt"
    | eval RiskScore=90
    | table _time, host, SourceIP, ServerIP, QueryName, QueryType, DetectionBranch, RiskScore
    ]
    [
    search index=dns sourcetype=stream:dns
    | eval QueryType=upper(coalesce(query_type, qtype_name, ""))
    | eval QueryName=coalesce(query, query_name, name, "")
    | eval SourceIP=coalesce(src_ip, src, client_ip)
    | where QueryType IN ("A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "SRV")
    | rex field=QueryName "(?:[^.]+\.)?(?P<RootDomain>[^.]+\.[^.]+)$"
    | where isnotnull(RootDomain)
    | bin _time span=1h
    | stats count as QueryCount,
            dc(QueryName) as UniqueSubdomains,
            values(QueryType) as QueryTypes
            by _time, SourceIP, RootDomain
    | where UniqueSubdomains > 100
    | eval DetectionBranch="SubdomainEnumerationSweep"
    | eval RiskScore=70
    | eval host="AuthoritativeDNS"
    | table _time, host, SourceIP, RootDomain, QueryCount, UniqueSubdomains, QueryTypes, DetectionBranch, RiskScore
    ]
    [
    search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval CommandLineLower=lower(CommandLine)
    | eval ImageLower=lower(Image)
    | where match(ImageLower, "(dnsrecon|dnsx|amass|subfinder|fierce|dnsmap|massdns|dnscan|dnsenum|aiodnsbrute)")
        OR match(CommandLineLower, "(\-\-axfr|\-t\s+axfr|zone-transfer|axfr\s|amass\s+enum|subfinder\s+-d|dnsrecon\s+-d|dnsenum\s+--|fierce\s+--domain)")
    | eval DetectionBranch="DnsEnumToolExecution"
    | eval RiskScore=80
    | eval SourceIP=src_ip
    | table _time, host, User, Image, CommandLine, ParentImage, DetectionBranch, RiskScore
    ]
| sort - RiskScore - _time

Detects DNS/Passive DNS reconnaissance via three SPL branches unioned together. Branch 1 monitors the stream:dns sourcetype for AXFR/IXFR zone transfer requests (RiskScore 90). Branch 2 aggregates stream:dns records hourly per source IP and root domain, alerting on more than 100 unique subdomain queries within an hour (RiskScore 70). Branch 3 uses Sysmon Event ID 1 (Process Creation) to detect DNS enumeration tools (dnsrecon, amass, subfinder, fierce, massdns) by image name or command-line patterns (RiskScore 80). Results are sorted by risk score descending for analyst prioritization.
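The following is an added example, not part of the original detection package: it re-implements branches 1 and 2 of the SPL above in Python over constructed stream:dns-style records (the same root-domain regex, hourly bin, and UniqueSubdomains > 100 threshold), and adds the secondary-nameserver allowlist recommended under False Positives & Tuning. The field names, the allowlist address and all sample events are assumptions for illustration.

```python
import re
from collections import defaultdict

# Same root-domain extraction as the SPL rex: the last two labels of the query name.
ROOT_RE = re.compile(r"(?:[^.]+\.)?(?P<RootDomain>[^.]+\.[^.]+)$")
ENUM_TYPES = {"A", "AAAA", "MX", "NS", "TXT", "SOA", "CNAME", "SRV"}
SWEEP_THRESHOLD = 100  # branch 2: UniqueSubdomains > 100 per hour

# Hypothetical allowlist: secondary nameservers permitted to pull zones (tuning item 1).
AXFR_ALLOWLIST = {"10.0.0.53"}


def detect(records, axfr_allowlist=AXFR_ALLOWLIST):
    """Return detections for stream:dns-style dicts with keys
    _time (epoch seconds), src_ip, dest_ip, query, query_type."""
    hits = []
    sweep = defaultdict(set)     # (hour bucket, src, root) -> distinct query names
    counts = defaultdict(int)    # (hour bucket, src, root) -> total queries
    for r in records:
        qtype = (r.get("query_type") or "").upper()
        qname = r.get("query") or ""
        src = r.get("src_ip")
        if qtype in ("AXFR", "IXFR"):           # branch 1: zone transfer attempt
            if src not in axfr_allowlist:       # skip legitimate secondaries
                hits.append({"branch": "ZoneTransferAttempt", "risk": 90,
                             "src": src, "root": qname, "qtype": qtype})
            continue
        if qtype not in ENUM_TYPES:
            continue
        m = ROOT_RE.search(qname)
        if not m:
            continue
        hour = r["_time"] - r["_time"] % 3600    # bin _time span=1h
        key = (hour, src, m.group("RootDomain"))
        sweep[key].add(qname)
        counts[key] += 1
    for (hour, src, root), names in sweep.items():   # branch 2: enumeration sweep
        if len(names) > SWEEP_THRESHOLD:
            hits.append({"branch": "SubdomainEnumerationSweep", "risk": 70, "src": src,
                         "root": root, "unique": len(names), "count": counts[(hour, src, root)]})
    return sorted(hits, key=lambda h: -h["risk"])   # sort - RiskScore


def sample_records():
    """Constructed events (not real telemetry): one sweep, one AXFR, one allowlisted AXFR."""
    base = 1_700_000_000
    recs = [{"_time": base + i, "src_ip": "203.0.113.7", "dest_ip": "192.0.2.53",
             "query": f"host{i}.example.com", "query_type": "A"} for i in range(120)]
    recs.append({"_time": base + 5, "src_ip": "198.51.100.9", "dest_ip": "192.0.2.53",
                 "query": "example.com", "query_type": "AXFR"})
    recs.append({"_time": base + 6, "src_ip": "10.0.0.53", "dest_ip": "192.0.2.53",
                 "query": "example.com", "query_type": "AXFR"})   # allowlisted secondary
    recs.append({"_time": base + 7, "src_ip": "203.0.113.8", "dest_ip": "192.0.2.53",
                 "query": "www.example.com", "query_type": "A"})  # ordinary lookup
    return recs
```

Running `detect(sample_records())` yields the unallowlisted AXFR first (risk 90) and the 120-subdomain sweep second (risk 70); the allowlisted transfer and the single ordinary lookup produce nothing.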
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized DNS zone transfers from legitimate secondary nameservers — AXFR between ns1 and ns2 of the same organization is expected and should be excluded by source IP allowlist
- Scheduled DNS auditing tools in IT operations (Infoblox, BlueCat, SolarWinds IPAM) that perform bulk subdomain queries for inventory and health checks
- Authorized penetration test or red team activity generating AXFR attempts and high-volume subdomain queries
- DNS enumeration tools running as part of authorized vulnerability management or attack surface management programs (e.g., Shodan's Enterprise ASM, Censys team scan)
- CDN providers and load balancer health checkers issuing rapid DNS queries that resemble enumeration traffic
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DNS Zone Transfer Attempt via dig (AXFR)
  Expected signal: Linux auditd: execve syscall for /usr/bin/dig with args 'AXFR zonetransfer.me @nsztm1.digi.ninja'. Network: TCP connection on port 53 to nsztm1.digi.ninja (zone transfers use TCP). Sysmon for Linux Event ID 3: network connection from dig process to port 53. If running on Windows, Sysmon Event ID 1 captures the process creation and Event ID 3 captures the TCP/53 connection.
- Test 2: Subdomain Enumeration via dnsrecon
  Expected signal: Sysmon for Linux / auditd: process creation for dnsrecon with target domain argument. Network: multiple UDP/TCP port 53 packets to DNS resolvers, including NS, SOA, MX, A, AAAA, TXT query types for example.com and its subdomains. stream:dns logs will show high-volume queries for subdomains of example.com from the test host IP within a short time window.
- Test 3: DNS Zone Transfer via nslookup (Windows)
  Expected signal: Sysmon Event ID 1: Process Create with Image='C:\Windows\System32\nslookup.exe', CommandLine containing '-type=AXFR'. Sysmon Event ID 3: TCP network connection on port 53 to nsztm1.digi.ninja. Sysmon Event ID 22: DNS query event for zonetransfer.me. Security Event ID 4688 (if command line auditing is enabled) with the full command line.
- Test 4: Passive DNS Reconnaissance via subfinder
  Expected signal: Sysmon for Linux / auditd: process creation for subfinder binary with '-d example.com' argument. Network: HTTPS connections to passive DNS API endpoints (SecurityTrails, VirusTotal, Censys APIs on port 443); these will NOT appear as DNS queries against the target's nameservers, which is why passive DNS recon is so difficult to detect from the victim side. File creation event for /tmp/subdomains.txt containing enumerated subdomains.
References (11)
- https://attack.mitre.org/techniques/T1596/001/
- https://www.circl.lu/services/passive-dns/
- https://dnsdumpster.com/
- https://learn.microsoft.com/en-us/azure/sentinel/connect-dns
- https://learn.microsoft.com/en-us/azure/sentinel/dns-normalization-schema
- https://github.com/darkoperator/dnsrecon
- https://github.com/projectdiscovery/subfinder
- https://github.com/owasp-amass/amass
- https://learn.microsoft.com/en-us/windows-server/networking/dns/troubleshoot/disable-dns-zone-transfer
- https://www.sans.org/blog/dns-zone-transfers-a-common-but-preventable-misconfiguration/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1596.001/T1596.001.md