Query Details

15 DNS Subdomain Enum Brute Force

Query

id: a1b2c3d4-0015-4a5b-8c9d-dns015subenum
name: Subdomain Enumeration Burst — DNS Brute-Force Reconnaissance
description: |
  Detects rapid DNS subdomain brute-force enumeration — a common reconnaissance
  technique where attackers resolve thousands of potential subdomains of a target
  domain to discover hosts, services, and attack surface.
  Tools that generate this pattern: dnsniper, sublist3r, amass, massdns, dnsrecon,
  gobuster dns mode, ffuf with DNS mode.
  A single client resolving 30+ unique subdomains of the same base domain
  within 1 hour is a strong indicator of automated enumeration.
  This differs from DGA detection (Q04/Rule12) in targeting a specific base domain
  rather than random FQDNs.
  MITRE T1590.002, T1046
severity: Medium
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - Reconnaissance
  - Discovery
relevantTechniques:
  - T1590.002
  - T1046
tags:
  - Subdomain Enumeration
  - DNS Brute Force
  - dnsniper
  - sublist3r
  - amass
  - massdns
query: |
  ASimDnsActivityLogs
  | where TimeGenerated > ago(1h)
  // Base domain = last two labels of the queried name (registrable-domain heuristic;
  // multi-label public suffixes such as co.uk are not handled)
  | extend BaseDomain = strcat(
        tostring(split(DnsQuery, ".")[-2]), ".",
        tostring(split(DnsQuery, ".")[-1])
      )
  | where isnotempty(BaseDomain) and BaseDomain !~ "."
  // One row per client and base domain: distinct names, total lookups, NXDOMAIN hits
  | summarize
      SubdomainCount   = dcount(DnsQuery),
      TotalQueries     = count(),
      NxdomainCount    = countif(DnsResponseCodeName =~ "NXDOMAIN" or DnsResponseCode == 3),
      SampleSubs       = make_set(DnsQuery, 15),
      FirstSeen        = min(TimeGenerated),
      LastSeen         = max(TimeGenerated)
    by SrcIpAddr, SrcHostname, BaseDomain
  // Threshold: more than 30 distinct subdomains of one base domain in the window
  | where SubdomainCount > 30
  // Share of lookups that failed; wordlist-driven enumeration pushes this high
  | extend NxdomainRate = round(todouble(NxdomainCount) / todouble(TotalQueries) * 100.0, 1)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcHostname
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcIpAddr
  - entityType: DNS
    fieldMappings:
      - identifier: DomainName
        columnName: BaseDomain
alertDetailsOverride:
  alertDisplayNameFormat: "DNS Subdomain Enum — {{SrcHostname}} brute-forced {{SubdomainCount}} subdomains of {{BaseDomain}}"
  alertDescriptionFormat: "{{SrcHostname}} ({{SrcIpAddr}}) resolved {{SubdomainCount}} unique subdomains of {{BaseDomain}} in 1 hour (NXDOMAIN rate: {{NxdomainRate}}%). This indicates automated DNS enumeration. Sample: {{SampleSubs}}"
customDetails:
  SubdomainCount: SubdomainCount
  BaseDomain: BaseDomain
  NxdomainRate: NxdomainRate

Explanation

This query is designed to detect suspicious activity related to DNS subdomain enumeration, which is a technique often used by attackers to map out a target's network by resolving many potential subdomains. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies instances where a single client (identified by IP address and hostname) resolves more than 30 unique subdomains of the same base domain within a one-hour period. This is considered a strong indicator of automated subdomain enumeration, a reconnaissance technique.

  2. Data Source: The query uses DNS activity logs from the WindowsDnsAma connector, specifically the ASimDnsActivityLogs data type.

  3. Process:

    • It looks at DNS queries made in the last hour.
    • It extracts the base domain from each DNS query.
    • It counts the number of unique subdomains queried for each base domain by each client.
    • It also calculates the total number of queries and the number of queries that resulted in a "non-existent domain" (NXDOMAIN) response.

  4. Threshold: The query flags any client that has queried more than 30 unique subdomains of the same base domain in one hour.

  5. Output: For each flagged instance, it provides:

    • The number of unique subdomains queried (SubdomainCount).
    • The total number of queries and the rate of NXDOMAIN responses (NxdomainRate).
    • A sample of up to 15 subdomains queried.
    • The time range during which these queries were made.

  6. Alerting: If the conditions are met, an alert is generated with details about the client and the activity, indicating potential automated DNS enumeration.

  7. Relevance: This activity is associated with reconnaissance and discovery tactics, specifically related to MITRE ATT&CK techniques T1590.002 (Gather Victim Network Information: DNS) and T1046 (Network Service Scanning).

In summary, this query helps identify potential reconnaissance activities by detecting patterns of DNS subdomain enumeration, which could indicate an attacker mapping out a network's structure.
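To make the aggregation concrete without a Sentinel workspace, here is the same detection logic re-implemented in Python over a constructed set of ASIM-style DNS records. This is an added example, not the page's KQL or any Microsoft code; the record field names mirror the ASimDnsActivityLogs columns used above, the host names, IPs and domains are made up, and the `build_sample_records`, `base_domain`, `is_nxdomain` and `detect_subdomain_enumeration` functions are the example's own. It goes slightly beyond the rule in one respect: the base-domain extraction returns `None` for single-label names instead of the `.label` string the KQL `strcat` would produce, and a stale record outside the one-hour window is included to show the lookback filter working.

```python
"""Offline re-implementation of the subdomain-enumeration rule's aggregation."""
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, ip, host, query, nx):
    """Build one constructed ASIM-style DNS record (not real telemetry)."""
    return {"TimeGenerated": ts, "SrcIpAddr": ip, "SrcHostname": host,
            "DnsQuery": query, "DnsResponseCode": 3 if nx else 0,
            "DnsResponseCodeName": "NXDOMAIN" if nx else "NOERROR"}


def build_sample_records():
    """Constructed sample: a lab host resolves 35 distinct labels under
    example.com (30 NXDOMAIN), a workstation resolves a few real names, and
    one stale lab record sits two hours before the window."""
    base = datetime(2026, 3, 26, 10, 0, 0)
    records = [_rec(base + timedelta(seconds=2 * i), "10.0.0.42", "lab-host01",
                    f"host{i}.example.com", nx=(i >= 5)) for i in range(35)]
    for n, name in enumerate(["www.example.com", "mail.example.com",
                              "www.example.com", "login.microsoftonline.com"]):
        records.append(_rec(base + timedelta(minutes=5, seconds=n),
                            "10.0.0.7", "ws-finance03", name, nx=False))
    records.append(_rec(base - timedelta(hours=2), "10.0.0.42", "lab-host01",
                        "old.example.com", nx=True))
    return records


def base_domain(fqdn):
    """Mirror strcat(split(q, ".")[-2], ".", split(q, ".")[-1]).

    Kusto returns an empty string for a missing index, so a single-label
    query would become ".label"; here such names yield None instead.
    Like the rule, this treats host.example.co.uk as "co.uk"; a public
    suffix list would be needed to do better."""
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or not labels[-2] or not labels[-1]:
        return None
    return f"{labels[-2]}.{labels[-1]}"


def is_nxdomain(rec):
    """Same predicate as the KQL countif(): response name or RCODE 3."""
    return (str(rec.get("DnsResponseCodeName", "")).upper() == "NXDOMAIN"
            or rec.get("DnsResponseCode") == 3)


def detect_subdomain_enumeration(records, threshold=30,
                                 window=timedelta(hours=1), now=None,
                                 sample_size=15):
    """One finding per (SrcIpAddr, SrcHostname, BaseDomain) group whose
    distinct-query count exceeds `threshold` inside the lookback window.
    `now` defaults to the newest record so the example is deterministic."""
    if now is None:
        now = max(r["TimeGenerated"] for r in records)
    cutoff = now - window
    groups = defaultdict(list)
    for rec in records:
        if rec["TimeGenerated"] <= cutoff:        # TimeGenerated > ago(1h)
            continue
        bd = base_domain(rec["DnsQuery"])
        if bd is None:                            # isnotempty / !~ "." guard
            continue
        groups[(rec["SrcIpAddr"], rec["SrcHostname"], bd)].append(rec)

    findings = []
    for (ip, host, bd), recs in groups.items():
        distinct = {r["DnsQuery"] for r in recs}  # dcount(DnsQuery), exact here
        if len(distinct) <= threshold:            # where SubdomainCount > 30
            continue
        total, nx = len(recs), sum(1 for r in recs if is_nxdomain(r))
        findings.append({
            "SrcIpAddr": ip, "SrcHostname": host, "BaseDomain": bd,
            "SubdomainCount": len(distinct), "TotalQueries": total,
            "NxdomainCount": nx,
            "NxdomainRate": round(nx / total * 100.0, 1),
            "SampleSubs": sorted(distinct)[:sample_size],  # make_set(q, 15)
            "FirstSeen": min(r["TimeGenerated"] for r in recs),
            "LastSeen": max(r["TimeGenerated"] for r in recs),
        })
    return findings


if __name__ == "__main__":
    for f in detect_subdomain_enumeration(build_sample_records()):
        print(f"{f['SrcHostname']} ({f['SrcIpAddr']}) resolved "
              f"{f['SubdomainCount']} unique subdomains of {f['BaseDomain']} "
              f"(NXDOMAIN rate: {f['NxdomainRate']}%)")
```

Running it reports the lab host only: 35 unique names under example.com with an NXDOMAIN rate of 85.7%, while the workstation's two legitimate example.com names stay well under the threshold and the stale record is ignored. Two caveats carry over to the live rule: Kusto's `dcount()` is an estimate rather than the exact set size computed here, and the two-label base-domain heuristic groups every `*.co.uk` (or similar) lookup under one key, which can inflate counts for clients that legitimately talk to many sites under such suffixes.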

Details

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Dns, Subdomain, Enumeration, Reconnaissance, Host, IP, DomainName

Operators

ASimDnsActivityLogs, where, TimeGenerated, ago, extend, strcat, tostring, split, isnotempty, !~, summarize, dcount, count, countif, =~, make_set, min, max, by, >, extend, round, todouble, /, *, entityMappings, alertDetailsOverride, alertDisplayNameFormat, alertDescriptionFormat, customDetails