Query Details

Subdomain Enumeration Burst — DNS Brute-Force Reconnaissance

15 DNS Subdomain Enum Brute Force

Query

ASimDnsActivityLogs
| where TimeGenerated > ago(1h)
| extend BaseDomain = strcat(
      tostring(split(DnsQuery, ".")[-2]), ".",
      tostring(split(DnsQuery, ".")[-1])
    )
| where isnotempty(BaseDomain) and BaseDomain !~ "."
| summarize
    SubdomainCount   = dcount(DnsQuery),
    TotalQueries     = count(),
    NxdomainCount    = countif(DnsResponseCodeName =~ "NXDOMAIN" or DnsResponseCode == 3),
    SampleSubs       = make_set(DnsQuery, 15),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
  by SrcIpAddr, SrcHostname, BaseDomain
| where SubdomainCount > 30
| extend NxdomainRate = round(todouble(NxdomainCount) / todouble(TotalQueries) * 100.0, 1)

Explanation

This query is designed to detect suspicious activity related to DNS subdomain enumeration, which is a technique often used by attackers to map out a target's network by resolving many potential subdomains. Here's a simple breakdown of what the query does:

  1. Purpose: It identifies instances where a single client (identified by IP address and hostname) resolves more than 30 unique subdomains of the same base domain within a one-hour period. This is considered a strong indicator of automated subdomain enumeration, a reconnaissance technique.

  2. Data Source: The query uses DNS activity logs from the WindowsDnsAma connector, specifically the ASimDnsActivityLogs data type.

  3. Process:

    • It looks at DNS queries made in the last hour.
    • It extracts the base domain from each DNS query.
    • It counts the number of unique subdomains queried for each base domain by each client.
    • It also calculates the total number of queries and the number of queries that resulted in a "non-existent domain" (NXDOMAIN) response.
  4. Threshold: The query flags any client that has queried more than 30 unique subdomains of the same base domain in one hour.

  5. Output: For each flagged instance, it provides:

    • The number of unique subdomains queried (SubdomainCount).
    • The total number of queries and the rate of NXDOMAIN responses (NxdomainRate).
    • A sample of up to 15 subdomains queried.
    • The time range during which these queries were made.
  6. Alerting: If the conditions are met, an alert is generated with details about the client and the activity, indicating potential automated DNS enumeration.

  7. Relevance: This activity is associated with reconnaissance and discovery tactics, specifically related to MITRE ATT&CK techniques T1590.002 (Gather Victim Network Information: DNS) and T1046 (Network Service Scanning).

In summary, this query helps identify potential reconnaissance activities by detecting patterns of DNS subdomain enumeration, which could indicate an attacker mapping out a network's structure.

Details

David Alonso profile picture

David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

DnsSubdomainEnumerationReconnaissanceHostIPDomainName

Operators

ASimDnsActivityLogswhereTimeGeneratedagoextendstrcattostringsplitisnotempty!~summarizedcountcountcountif=~make_setminmaxby>roundtodouble/*entityMappingsalertDetailsOverridealertDisplayNameFormatalertDescriptionFormatcustomDetails

Severity

Medium

Tactics

ReconnaissanceDiscovery

MITRE Techniques

Frequency: 1h

Period: 1h

Actions

GitHub