Query Details

17 DNS ADIDNS Wildcard Abuse

Query

id: a1b2c3d4-0017-4a5b-8c9d-dns017adidns
name: AD-Integrated DNS Wildcard Record Abuse (ADIDNS Poisoning)
description: |
  Detects Active Directory Integrated DNS (ADIDNS) wildcard record abuse, a
  technique documented by Kevin Robertson (NetSPI) that works in hardened
  environments where LLMNR and NBT-NS broadcast poisoning are disabled.
  Any domain user with default AD permissions can add a wildcard A record (*)
  to the DNS zone, causing all subsequently queried-but-unregistered hostnames
  to resolve to the attacker's IP — enabling MiTM, SMB relay, and credential
  capture without requiring elevated privileges or broadcast traffic.
  Reference: "Beyond LLMNR/NBNS Spoofing — Exploiting Active Directory-Integrated DNS"
  https://blog.netspi.com/exploiting-adidns/
  Tool: Invoke-DNSUpdate (PowerMad toolkit) or dnscmd wildcard record add
  Detection logic:
  Within a 2-hour sliding window, this rule identifies DNS queries that
  transitioned from NXDOMAIN (first hour) to NOERROR (second hour) for the
  same hostnames — a reliable fingerprint of a wildcard record being inserted
  mid-session. A legitimate wildcard record would be visible at zone setup;
  a sudden mid-session flip across 5+ distinct FQDNs indicates an attack.
  MITRE T1557.001 — Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning (DNS equiv)
  MITRE T1584.002 — Compromise Infrastructure: DNS Server
severity: High
requiredDataConnectors:
  - connectorId: WindowsDnsAma
    dataTypes:
      - ASimDnsActivityLogs
queryFrequency: 30m
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - CredentialAccess
  - LateralMovement
  - Collection
relevantTechniques:
  - T1557.001
  - T1584.002
tags:
  - ADIDNS
  - Wildcard DNS
  - MiTM
  - SMB Relay
  - Responder
  - LLMNR Alternative
query: |
  let WindowStart = ago(2h);
  let WindowMid   = ago(1h);
  // FQDNs returning NXDOMAIN in hour 1 (did not exist / unregistered)
  let PreviouslyNxdomain =
      ASimDnsActivityLogs
      | where TimeGenerated between (WindowStart .. WindowMid)
      | where DnsResponseCodeName =~ "NXDOMAIN" or DnsResponseCode == 3
      | where DnsQueryTypeName in~ ("A", "AAAA")
      | summarize NxClients = dcount(SrcIpAddr) by DnsQuery
      | where NxClients >= 2;  // at least 2 different clients looked it up
  // Same FQDNs now returning NOERROR in hour 2 (suddenly resolved)
  let NowResolved =
      ASimDnsActivityLogs
      | where TimeGenerated between (WindowMid .. now())
      | where DnsResponseCodeName =~ "NOERROR" or DnsResponseCode == 0
      | where DnsQueryTypeName in~ ("A", "AAAA")
      | summarize
          ResolvedClients = dcount(SrcIpAddr),
          AffectedHosts   = make_set(SrcHostname, 15),
          FirstResolution = min(TimeGenerated)
        by DnsQuery
      | where ResolvedClients >= 2;
  // Inner join: only domains that flipped NXDOMAIN → NOERROR
  PreviouslyNxdomain
  | join kind=inner NowResolved on DnsQuery
  | summarize
      FlippedDomains  = count(),
      SampleDomains   = make_set(DnsQuery, 25),
      AffectedClients = max(ResolvedClients),
      AffectedHosts   = make_set(AffectedHosts, 10),
      FirstFlipTime   = min(FirstResolution)
  | where FlippedDomains >= 5
entityMappings: []
customDetails:
  FlippedDomains: FlippedDomains
  AffectedClients: AffectedClients
alertDetailsOverride:
  alertDisplayNameFormat: "ADIDNS Wildcard Abuse — {{FlippedDomains}} domains flipped NXDOMAIN to NOERROR"
  alertDescriptionFormat: "{{FlippedDomains}} hostnames that previously returned NXDOMAIN are now resolving (NOERROR), affecting {{AffectedClients}} clients since {{FirstFlipTime}}. This pattern is characteristic of a wildcard A record being injected into AD-Integrated DNS. Sample domains: {{SampleDomains}}"

Explanation

This query is designed to detect a specific type of DNS attack called "AD-Integrated DNS Wildcard Record Abuse" or "ADIDNS Poisoning." Here's a simplified explanation:

  1. Purpose: The query identifies when an attacker adds a wildcard DNS record to an Active Directory Integrated DNS. This allows the attacker to redirect any unregistered hostname queries to their own IP address, enabling them to intercept communications (Man-in-the-Middle attacks), relay SMB traffic, and capture credentials without needing high-level permissions.

  2. Detection Method:

    • The query looks at DNS logs over a 2-hour period.
    • In the first hour, it identifies hostnames that returned "NXDOMAIN" (meaning they were not found or unregistered).
    • In the second hour, it checks if those same hostnames suddenly resolve successfully (return "NOERROR").
    • If this transition from NXDOMAIN to NOERROR happens for 5 or more different hostnames, it suggests a wildcard DNS record was added mid-session, indicating a potential attack.

  3. Severity and Impact: The severity is marked as high because this technique can be used for credential access, lateral movement within a network, and data collection.

  4. Technical Details:

    • The query uses DNS activity logs to track changes in DNS query responses.
    • It requires at least two different clients to have queried the hostnames for the detection to be considered valid.
    • The query runs every 30 minutes, covering a 2-hour window.

  5. Outcome: If the query detects such activity, it generates an alert indicating the number of domains affected and the clients impacted, providing a sample of the domains involved.

Overall, this query helps security teams identify and respond to potential DNS abuse in environments where traditional broadcast poisoning techniques are not possible.
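To make the two-window logic concrete, here is an added Python model of the same detection (example code written for this page, not part of the rule or the author's work). It replays the KQL over a constructed, ASim-shaped in-memory log: the same NXDOMAIN/NOERROR response codes, the same per-FQDN distinct-client requirement in each window, and the same 5-domain threshold. The field names match the ASimDnsActivityLogs columns used by the query; the sample records, client names and the fixed "now" timestamp are constructed for the example.

```python
"""Added example: stand-alone model of the NXDOMAIN -> NOERROR flip detection.

Mirrors the KQL above: hour 1 = FQDNs that returned NXDOMAIN (rcode 3) to >= 2
distinct clients, hour 2 = the same FQDNs returning NOERROR (rcode 0) to >= 2
distinct clients; alert when >= 5 FQDNs flipped. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2026, 3, 26, 12, 0, 0)  # fixed "now" so the example is deterministic


def _rec(minutes_ago, src_ip, src_host, query, rcode, qtype="A"):
    """Build one ASim-style DNS activity record (constructed sample data)."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "SrcIpAddr": src_ip,
        "SrcHostname": src_host,
        "DnsQuery": query,
        "DnsQueryTypeName": qtype,
        "DnsResponseCode": rcode,  # 3 = NXDOMAIN, 0 = NOERROR
    }


CLIENTS = [("10.0.0.11", "WS01"), ("10.0.0.12", "WS02"), ("10.0.0.13", "WS03")]
# Six stale/typo'd names that three workstations keep asking for: NXDOMAIN in
# hour 1, then NOERROR in hour 2 once a wildcard record started answering.
FLIPPED = [f"oldfs{i}.corp.example" for i in range(6)]
SAMPLE_LOGS = []
for _name in FLIPPED:
    for _ip, _host in CLIENTS:
        SAMPLE_LOGS.append(_rec(100, _ip, _host, _name, 3))  # hour 1: NXDOMAIN
        SAMPLE_LOGS.append(_rec(20, _ip, _host, _name, 0))   # hour 2: NOERROR
# Noise that must NOT be counted as a flip:
SAMPLE_LOGS += [
    _rec(90, "10.0.0.11", "WS01", "lonely.corp.example", 3),     # only one client
    _rec(30, "10.0.0.11", "WS01", "lonely.corp.example", 0),
    _rec(90, "10.0.0.11", "WS01", "dc01.corp.example", 0),       # always NOERROR
    _rec(30, "10.0.0.12", "WS02", "dc01.corp.example", 0),
    _rec(95, "10.0.0.11", "WS01", "stillgone.corp.example", 3),  # never resolves
    _rec(95, "10.0.0.12", "WS02", "stillgone.corp.example", 3),
    _rec(25, "10.0.0.11", "WS01", "stillgone.corp.example", 3),
    _rec(15, "10.0.0.11", "WS01", "mx.corp.example", 0, "MX"),   # not A/AAAA
]


def detect_wildcard_flip(logs, now=NOW, min_clients=2, min_domains=5):
    """Return the alert row (dict) the KQL would emit, or None if below threshold."""
    start, mid = now - timedelta(hours=2), now - timedelta(hours=1)
    nx_clients = defaultdict(set)   # hour 1: DnsQuery -> client IPs that got NXDOMAIN
    ok_clients = defaultdict(set)   # hour 2: DnsQuery -> client IPs that got NOERROR
    ok_hosts = defaultdict(set)     # hour 2: DnsQuery -> client hostnames
    first_ok = {}                   # hour 2: DnsQuery -> earliest NOERROR time
    for r in logs:
        if r["DnsQueryTypeName"].upper() not in ("A", "AAAA"):
            continue
        t, q = r["TimeGenerated"], r["DnsQuery"]
        # KQL 'between' is inclusive on both ends; mirror that here.
        if start <= t <= mid and r["DnsResponseCode"] == 3:
            nx_clients[q].add(r["SrcIpAddr"])
        elif mid <= t <= now and r["DnsResponseCode"] == 0:
            ok_clients[q].add(r["SrcIpAddr"])
            ok_hosts[q].add(r["SrcHostname"])
            first_ok[q] = min(first_ok.get(q, t), t)
    # Inner join: FQDNs present in both windows with enough distinct clients each.
    flipped = [q for q in nx_clients
               if len(nx_clients[q]) >= min_clients
               and len(ok_clients.get(q, ())) >= min_clients]
    if len(flipped) < min_domains:
        return None
    return {
        "FlippedDomains": len(flipped),
        "SampleDomains": sorted(flipped)[:25],
        "AffectedClients": max(len(ok_clients[q]) for q in flipped),
        "AffectedHosts": sorted(set().union(*(ok_hosts[q] for q in flipped)))[:10],
        "FirstFlipTime": min(first_ok[q] for q in flipped),
    }


if __name__ == "__main__":
    print(detect_wildcard_flip(SAMPLE_LOGS))
```

Running it on the constructed log reports six flipped FQDNs across three clients, while the single-client name, the always-resolving DC record, the name that keeps returning NXDOMAIN and the MX query are all ignored, which is exactly the noise the two `>= 2` client filters and the A/AAAA filter in the rule are there to suppress. The same caveat applies to the model as to the rule: an administrator legitimately creating a zone-wide wildcard produces the identical pattern, so an alert should be corroborated against the DNS server's own zone-change records before it is treated as ADIDNS poisoning.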

Details


David Alonso

Released: March 26, 2026

Tables

ASimDnsActivityLogs

Keywords

Active Directory, DNS, LLMNR, NBTNS, MiTM, SMB Relay, Responder

Operators

let, ago, between, =~, or, in~, summarize, dcount, by, where, make_set, min, now, join, kind=inner, on, count, max
