security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
063bb57dfdabbefb7c84166b7a35dfdabd2b8c90
blue-team-tools/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
T
Nasreddine Bencherchali 1f34cecadf fix: multiple typos 
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-02-06 12:28:45 +01:00

32 lines
1.0 KiB
YAML
Raw Blame History

title: Potential Discovery Activity Via Dnscmd.EXE
id: b6457d63-d2a2-4e29-859d-4e7affc153d1
status: experimental
description: Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.
references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd
- https://docs.microsoft.com/en-us/azure/dns/dns-zones-records
- https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/
author: '@gott_cyber'
date: 2022/07/31
modified: 2023/02/04
tags:
- attack.discovery
- attack.execution
- attack.t1543.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\dnscmd.exe'
selection_cli:
CommandLine|contains:
- '/enumrecords'
- '/enumzones'
- '/ZonePrint'
- '/info'
condition: all of selection_*
falsepositives:
- Legitimate administration use
level: medium
Reference in New Issue View Git Blame Copy Permalink