Query Details

10 DNS Internal Recon Sweep

Query

id: a1b2c3d4-0010-4a5b-8c9d-dns010recon
name: DNS-Based Internal Network Reconnaissance Sweep
description: |
  Detects post-compromise internal network reconnaissance via DNS by identifying
  clients that query an abnormally high number of unique internal hostnames in a
  short window. After gaining a foothold, attackers enumerate domain controllers,
  file servers, databases, and admin tools by resolving their DNS names.
  Automated recon tools (BloodHound, ADRecon, nmap) generate characteristic
  DNS query bursts resolving hundreds of internal names in minutes.
  Normal workstations resolve <100 unique hostnames per hour.
  MITRE T1018 — Remote System Discovery, T1046 — Network Service Discovery
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Discovery
relevantTechniques:
  - T1018
  - T1046
  - T1590.002
tags:
  - Internal Recon
  - DNS Enumeration
  - BloodHound
  - ADRecon
  - Network Discovery
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(30m)
  | summarize
      UniqueDomains    = dcount(DnsQuery),
      TotalQueries     = count(),
      SampleDomains    = make_set(DnsQuery, 15),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SrcIpAddr, SrcHostname
  | extend QueriesPerMinute = round(todouble(TotalQueries) / 30.0, 1)
  | where UniqueDomains > 300
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Recon Sweep — {{SrcHostname}} resolved {{UniqueDomains}} unique domains in 30 min"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) resolved {{UniqueDomains}} unique domains in 30 minutes (~{{QueriesPerMinute}} q/min). This exceeds the normal threshold of 300 and may indicate post-compromise network enumeration."
customDetails:
  UniqueDomains: UniqueDomains
  QueriesPerMinute: QueriesPerMinute

Explanation

This query is designed to detect suspicious network activity that might indicate a security breach. Specifically, it looks for signs of internal network reconnaissance using DNS queries. Here's a simple breakdown:

  • Purpose: The query identifies computers on a network that are making an unusually high number of DNS queries for different internal hostnames in a short period. This behavior can suggest that an attacker is trying to map out the network after gaining access.

  • How it works:
    • It examines DNS activity logs from the past 30 minutes.
    • It counts how many unique internal hostnames each computer queries.
    • It flags any computer that queries more than 300 unique hostnames in this time frame, as this is considered abnormal.

  • Why it's important:
    • Normal workstations typically query fewer than 100 unique hostnames per hour.
    • Attackers using automated tools (like BloodHound or ADRecon) can generate bursts of DNS queries to discover important network resources quickly.

  • Alert Details:
    • If a computer exceeds the threshold, an alert is generated.
    • The alert includes the computer's hostname, IP address, the number of unique domains queried, and the rate of queries per minute.

  • Severity and Techniques:
    • The severity of this alert is marked as Medium.
    • It relates to tactics and techniques like Remote System Discovery and Network Service Discovery, as defined by MITRE ATT&CK.

Overall, this query helps network administrators detect potential reconnaissance activity that could indicate a compromised system actively mapping the network.
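The aggregation the rule performs, re-implemented in Python over constructed ASimDnsActivityLogs-style records so the threshold logic can be exercised offline. This is an added example, not part of the original rule or its project; the hostnames, IP addresses and timestamps are invented sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records carrying only the ASimDnsActivityLogs columns the
# rule touches (TimeGenerated, SrcIpAddr, SrcHostname, DnsQuery). Not real telemetry.
NOW = datetime(2026, 3, 26, 12, 0, 0)

def _rec(minutes_ago, ip, host, name):
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago),
            "SrcIpAddr": ip, "SrcHostname": host, "DnsQuery": name}

SAMPLE_LOGS = (
    # Benign workstation: 20 names, each resolved a few times inside the window.
    [_rec(m % 29, "10.0.1.15", "ws-finance-07", f"app{m % 20}.corp.example")
     for m in range(60)]
    # Sweep pattern: 320 distinct internal names from one host inside the window.
    + [_rec(i % 29, "10.0.1.88", "ws-eng-42", f"srv{i:03d}.corp.example")
       for i in range(320)]
    # Same host 45 minutes ago: outside ago(30m), so the rule must ignore these.
    + [_rec(45, "10.0.1.88", "ws-eng-42", f"old{i}.corp.example") for i in range(400)]
)

def recon_sweep(records, now=NOW, window_min=30, threshold=300, sample_n=15):
    """Mirror the KQL: per (SrcIpAddr, SrcHostname) in the last window, count
    distinct DnsQuery values and return the sources above the threshold."""
    cutoff = now - timedelta(minutes=window_min)
    groups = defaultdict(list)
    for r in records:
        if r["TimeGenerated"] > cutoff:                 # where TimeGenerated > ago(30m)
            groups[(r["SrcIpAddr"], r["SrcHostname"])].append(r)
    results = []
    for (ip, host), rows in groups.items():
        names = list(dict.fromkeys(r["DnsQuery"] for r in rows))   # distinct, first-seen order
        unique, total = len(names), len(rows)          # dcount(DnsQuery), count()
        if unique > threshold:                          # where UniqueDomains > 300
            results.append({
                "SrcIpAddr": ip, "SrcHostname": host,
                "UniqueDomains": unique, "TotalQueries": total,
                "SampleDomains": names[:sample_n],      # make_set(DnsQuery, 15)
                "FirstSeen": min(r["TimeGenerated"] for r in rows),
                "LastSeen": max(r["TimeGenerated"] for r in rows),
                # The rule divides by the fixed 30-minute window, not by the span observed.
                "QueriesPerMinute": round(total / float(window_min), 1),
            })
    return results

if __name__ == "__main__":
    for hit in recon_sweep(SAMPLE_LOGS):
        print(f"{hit['SrcHostname']} ({hit['SrcIpAddr']}) resolved "
              f"{hit['UniqueDomains']} unique domains in 30 min (~{hit['QueriesPerMinute']} q/min)")
```

Lowering the threshold argument shows how quickly a chatty but benign workstation would start to fire, which is the tuning question this rule raises in practice.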

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsActivityLogs, Host, IpAddress, NetworkDiscovery

Operators

ago, summarize, dcount, count, make_set, min, max, by, extend, round, todouble, where