DNS-Based Internal Network Reconnaissance Sweep
10 DNS Internal Recon Sweep
Query
ASimDnsActivityLogs
| where TimeGenerated > ago(30m)
| summarize
UniqueDomains = dcount(DnsQuery),
TotalQueries = count(),
SampleDomains = make_set(DnsQuery, 15),
FirstSeen = min(TimeGenerated),
LastSeen = max(TimeGenerated)
by SrcIpAddr, SrcHostname
| extend QueriesPerMinute = round(todouble(TotalQueries) / 30.0, 1)
| where UniqueDomains > 300Explanation
This query is designed to detect suspicious network activity that might indicate a security breach. Specifically, it looks for signs of internal network reconnaissance using DNS queries. Here's a simple breakdown:
-
Purpose: The query identifies computers on a network that are making an unusually high number of DNS queries for different internal hostnames in a short period. This behavior can suggest that an attacker is trying to map out the network after gaining access.
-
How it works:
- It examines DNS activity logs from the past 30 minutes.
- It counts how many unique internal hostnames each computer queries.
- It flags any computer that queries more than 300 unique hostnames in this time frame, as this is considered abnormal.
-
Why it's important:
- Normal workstations typically query fewer than 100 unique hostnames per hour.
- Attackers using automated tools (like BloodHound or ADRecon) can generate bursts of DNS queries to discover important network resources quickly.
-
Alert Details:
- If a computer exceeds the threshold, an alert is generated.
- The alert includes the computer's hostname, IP address, the number of unique domains queried, and the rate of queries per minute.
-
Severity and Techniques:
- The severity of this alert is marked as Medium.
- It relates to tactics and techniques like Remote System Discovery and Network Service Discovery, as defined by MITRE ATT&CK.
Overall, this query helps network administrators detect potential reconnaissance activity that could indicate a compromised system actively mapping the network.
