PUA - Adidnsdump Execution
This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
Sigma rule (View on GitHub)
1title: PUA - Adidnsdump Execution
2id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
3status: test
4description: |
5 This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
6 Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
7references:
8 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
9author: frack113
10date: 2022/01/01
11modified: 2023/02/21
12tags:
13 - attack.discovery
14 - attack.t1018
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\python.exe'
21 CommandLine|contains: 'adidnsdump'
22 condition: selection
23falsepositives:
24 - Unknown
25level: low
References
Related rules
- DirectorySearcher Powershell Exploitation
- Local Accounts Discovery
- Harvesting Of Wifi Credentials Via Netsh.EXE
- New Network Trace Capture Started Via Netsh.EXE
- Suspicious Reconnaissance Activity Via GatherNetworkInfo.VBS