Potential Discovery Activity Via Dnscmd.EXE
Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones are used to host the DNS records for a particular domain.
Sigma rule
title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: test
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
references:
    - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
    - https://learn.microsoft.com/en-us/azure/dns/dns-zones-records
    - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022-07-31
modified: 2023-02-04
tags:
    - attack.discovery
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\dnscmd.exe'
    selection_cli:
        CommandLine|contains:
            - '/enumrecords'
            - '/enumzones'
            - '/ZonePrint'
            - '/info'
    condition: all of selection_*
falsepositives:
    - Legitimate administration use
level: medium
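As an added example (not code from the Sigma project or the rule author), the Python below applies the rule's detection logic to constructed process_creation events; the field names follow Sigma's process_creation schema and every sample command line is made up.

```python
"""Evaluate the Dnscmd.EXE discovery rule against constructed events.

Added example, not part of the Sigma rule or project. Sigma's string
modifiers (endswith, contains) match case-insensitively by default, and
'all of selection_*' requires both selections to hold.
"""

# Constructed sample events (Sysmon EID 1 / Security 4688 style fields).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe /EnumZones"},                      # match
    {"Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd /zoneprint corp.example.invalid"},      # match
    {"Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe /Config corp.example.invalid /AllowUpdate 1"},  # not in list
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo /enumzones"},                  # wrong image
    {"Image": r"C:\Windows\System32\dnscmd.exe",
     "CommandLine": r"dnscmd.exe /Info"},                            # match
]

IMAGE_SUFFIX = r"\dnscmd.exe"
CLI_NEEDLES = ["/enumrecords", "/enumzones", "/ZonePrint", "/info"]


def selection_img(event):
    """Image|endswith: '\\dnscmd.exe' (case-insensitive)."""
    return event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())


def selection_cli(event):
    """CommandLine|contains any of the listed switches (case-insensitive)."""
    cli = event.get("CommandLine", "").lower()
    return any(needle.lower() in cli for needle in CLI_NEEDLES)


def rule_matches(event):
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


def evaluate(events):
    """Return the indices of the events the rule would alert on."""
    return [i for i, event in enumerate(events) if rule_matches(event)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        print(f"alert: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Because the rule keys only on the image name and a substring of the command line, a renamed or copied dnscmd.exe binary would not satisfy selection_img; pairing this with an OriginalFileName check is a common hardening when the log source provides it.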
Related rules
- HackTool - SharpUp PrivEsc Tool Execution
- Potential Product Class Reconnaissance Via Wmic.EXE
- Malicious PowerShell Commandlets - ProcessCreation
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript