Operator On The Wire

DNS

This note documents detection patterns related to DNS Enumeration within Active Directory environments.


Direct Indicators

Log | Event ID | Meaning | Forensic Value | Notes
DNS Server Log | N/A | DNS query logged | High | Queries for internal hostnames and domain records.
Security | 4624 | Successful logon | Medium | Authentication associated with the enumerating host.
Sysmon | 3 | Network connection | Medium | DNS queries to internal DNS servers.
Sysmon | 1 | Process creation | High | Execution of DNS reconnaissance tools.

Indirect Indicators

Indicator | What To Look For | Forensic Value | Notes
High volume DNS queries | Multiple DNS lookups from one host within a short time window | High | Typical reconnaissance behavior.
Enumeration tool execution | dnsrecon, nslookup loops, PowerShell DNS queries | Medium | Discovery activity.
Queries for domain controllers | DNS requests targeting DC hostnames and DC service records | High | Indicates domain mapping.

Common Tools

Tool | Usage
nslookup | Native DNS query tool on Windows.
dnsrecon | Automated DNS reconnaissance.
dig | Native DNS query tool on Linux/Unix.
PowerView | Enumerates domain infrastructure.

Relevant Artifacts

  • DNS server logs
  • Network traffic logs
  • Sysmon process logs
  • EDR telemetry
  • Security logs

MITRE ATT&CK References

  • T1046 Network Service Discovery
  • T1590 Gather Victim Network Information

Decision Tree

  1. Detect DNS query spikes.
  2. Identify querying host.
  3. Review query types and targets.
  4. Inspect process responsible for queries.
  5. Determine reconnaissance scope.
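Steps 1 to 3 of the decision tree, worked as an added example that is not part of the original note: it bins constructed DNS query records per client into 5-minute windows, flags clients over a volume threshold, and separately flags SRV lookups for domain-controller service records (_ldap._tcp.dc._msdcs and _kerberos._tcp), which is the "queries for domain controllers" indicator above. The record layout, the sample values and the threshold are assumptions, not a real log export.

```python
# Added example (not from the original note): triage constructed DNS query
# records for the reconnaissance patterns described above: query-volume
# spikes per client in 5-minute bins, and SRV queries for domain-controller
# service records that indicate domain mapping.
# Record layout (timestamp, client_ip, qtype, qname) is an assumption
# modelled loosely on Windows DNS analytic logging, not a real export.
from collections import defaultdict
from datetime import datetime

# Constructed sample: one noisy workstation (10.0.5.21), one quiet one (10.0.7.44).
SAMPLE_LOG = [
    ("2024-05-01 09:00:03", "10.0.5.21", "A", "fileserver01.corp.local"),
    ("2024-05-01 09:00:05", "10.0.5.21", "SRV", "_ldap._tcp.dc._msdcs.corp.local"),
    ("2024-05-01 09:00:06", "10.0.5.21", "A", "dc01.corp.local"),
    ("2024-05-01 09:00:07", "10.0.5.21", "A", "dc02.corp.local"),
    ("2024-05-01 09:00:08", "10.0.5.21", "A", "sql01.corp.local"),
    ("2024-05-01 09:00:09", "10.0.5.21", "A", "sql02.corp.local"),
    ("2024-05-01 09:00:10", "10.0.5.21", "SRV", "_kerberos._tcp.corp.local"),
    ("2024-05-01 09:01:00", "10.0.7.44", "A", "intranet.corp.local"),
]

SPIKE_THRESHOLD = 5  # queries per client per 5-minute bin; assumed value, tune per environment
DC_SRV_MARKERS = ("_ldap._tcp.dc._msdcs.", "_kerberos._tcp.")  # DC locator SRV prefixes

def time_bin(ts: str, minutes: int = 5) -> str:
    """Floor a 'YYYY-MM-DD HH:MM:SS' timestamp to its 5-minute bin label."""
    t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return t.replace(minute=t.minute - t.minute % minutes, second=0).strftime("%Y-%m-%d %H:%M")

def triage(records):
    """Return {client_ip: {"spikes": [bin, ...], "dc_lookups": [qname, ...]}} for flagged clients."""
    counts = defaultdict(int)        # (client, bin) -> query count
    dc_lookups = defaultdict(list)   # client -> DC-related SRV names queried
    for ts, client, qtype, qname in records:
        counts[(client, time_bin(ts))] += 1
        if qtype == "SRV" and qname.lower().startswith(DC_SRV_MARKERS):
            dc_lookups[client].append(qname)
    findings = {}
    for (client, b), n in counts.items():
        if n >= SPIKE_THRESHOLD:
            findings.setdefault(client, {"spikes": [], "dc_lookups": []})["spikes"].append(b)
    for client, names in dc_lookups.items():
        findings.setdefault(client, {"spikes": [], "dc_lookups": []})["dc_lookups"] = names
    return findings

if __name__ == "__main__":
    # Each flagged client is the pivot for steps 4 and 5 (process and scope review).
    for client, f in triage(SAMPLE_LOG).items():
        print(f"{client}: spike bins={f['spikes']} dc_lookups={f['dc_lookups']}")
```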

Example Detection Templates

KQL

DnsEvents
| summarize count() by Name, bin(TimeGenerated,5m)

EQL

network where destination.port == 53

Sigma

title: DNS Enumeration Activity
logsource:
  product: network
detection:
  selection:
    destination_port: 53
  condition: selection
level: medium

Mitigation & Hardening

Control Area | Mitigation | Effectiveness | Notes
Monitoring | Alert on abnormal DNS query volume | Medium | Detects reconnaissance.
Network segmentation | Restrict DNS queries | Low | Limits exposure.
Logging | Enable DNS query logging | High | Improves visibility.