Failed DNS Zone Transfer

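Detects a failed DNS zone transfer: Windows DNS Server event 6004, logged when the server receives a zone transfer request for a non-existent or non-authoritative zone.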

Sigma rule

title: Failed DNS Zone Transfer
id: 6d444368-6da1-43fe-b2fc-44202430480e
status: test
description: Detects when a DNS zone transfer failed.
references:
    - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
author: Zach Mathis
date: 2023/05/24
tags:
    - attack.reconnaissance
    - attack.t1590.002
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
    condition: selection
falsepositives:
    - Unlikely
level: medium
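
The rule fires once per event and carries no context, so triage usually starts by grouping hits by requester and zone. The following is an added example, not part of the Sigma rule or its repository: it applies the rule's selection to exported events and parses the event 6004 message quoted in the rule comment. The dict keys `EventID` and `Message`, the function names, the `min_zones` threshold and the sample events are assumptions made for illustration.

```python
import re
from collections import defaultdict

RULE_EVENT_ID = 6004  # the rule's only selection field

# Event 6004 message text as quoted in the rule comment: %1 = requester, %2 = zone.
MSG_6004 = re.compile(
    r"zone transfer request from (?P<src>\S+) for a non-existent or "
    r"non-authoritative zone (?P<zone>\S+?)\.?$"
)

def matches_rule(event):
    """Apply the rule's selection: EventID equals 6004 (int or numeric string)."""
    try:
        return int(event.get("EventID")) == RULE_EVENT_ID
    except (TypeError, ValueError):
        return False

def failed_transfers_by_source(events):
    """Map each requester to the sorted list of zones it failed to transfer."""
    zones = defaultdict(set)
    for ev in events:
        if not matches_rule(ev):
            continue
        m = MSG_6004.search(ev.get("Message", "").strip())
        # Keep hits whose message cannot be parsed instead of dropping them.
        src, zone = (m["src"], m["zone"].lower()) if m else ("<unparsed>", "<unparsed>")
        zones[src].add(zone)
    return {src: sorted(z) for src, z in zones.items()}

def multi_zone_sources(events, min_zones=2):
    """Requesters that asked for several distinct zones (threshold is an assumption)."""
    return sorted(s for s, z in failed_transfers_by_source(events).items()
                  if len(z) >= min_zones)

# Constructed sample events (documentation addresses and example domains).
SAMPLE_EVENTS = [
    {"EventID": 6004, "Message": "The DNS server received a zone transfer request from "
     "192.0.2.10 for a non-existent or non-authoritative zone corp.example."},
    {"EventID": "6004", "Message": "The DNS server received a zone transfer request from "
     "192.0.2.10 for a non-existent or non-authoritative zone internal.example."},
    {"EventID": 6004, "Message": "The DNS server received a zone transfer request from "
     "198.51.100.7 for a non-existent or non-authoritative zone corp.example."},
    {"EventID": 6001, "Message": "unrelated DNS server event"},
    {"EventID": 6004, "Message": ""},
]

if __name__ == "__main__":
    print(failed_transfers_by_source(SAMPLE_EVENTS))
    print(multi_zone_sources(SAMPLE_EVENTS))
```

A requester that appears for several distinct zones is worth reviewing before one that failed once against a single zone.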
