Query Details

DNS-Based Internal Network Reconnaissance Sweep

10 DNS Internal Recon Sweep

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(30m)
| summarize
    UniqueDomains    = dcount(DnsQuery),
    TotalQueries     = count(),
    SampleDomains    = make_set(DnsQuery, 15),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SrcIpAddr, SrcHostname
| extend QueriesPerMinute = round(todouble(TotalQueries) / 30.0, 1)
| where UniqueDomains > 300

Explanation

This query is designed to detect suspicious network activity that might indicate a security breach. Specifically, it looks for signs of internal network reconnaissance using DNS queries. Here's a simple breakdown:

  • Purpose: The query identifies computers on a network that are making an unusually high number of DNS queries for different internal hostnames in a short period. This behavior can suggest that an attacker is trying to map out the network after gaining access.

  • How it works:

    • It examines DNS activity logs from the past 30 minutes.
    • It counts how many unique internal hostnames each computer queries.
    • It flags any computer that queries more than 300 unique hostnames in this time frame, as this is considered abnormal.
  • Why it's important:

    • Normal workstations typically query fewer than 100 unique hostnames per hour.
    • Attackers using automated tools (like BloodHound or ADRecon) can generate bursts of DNS queries to discover important network resources quickly.
  • Alert Details:

    • If a computer exceeds the threshold, an alert is generated.
    • The alert includes the computer's hostname, IP address, the number of unique domains queried, and the rate of queries per minute.
  • Severity and Techniques:

    • The severity of this alert is marked as Medium.
    • It relates to tactics and techniques like Remote System Discovery and Network Service Discovery, as defined by MITRE ATT&CK.

Overall, this query helps network administrators detect potential reconnaissance activity that could indicate a compromised system actively mapping the network.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogsHostIpAddressNetworkDiscovery

Operators

agosummarizedcountcountmake_setminmaxbyextendroundtodoublewhere

Severity

Medium

Tactics

Discovery

MITRE Techniques

Frequency: 30m

Period: 30m

Actions

GitHub