DNS Zone Export

Query

# Rule Documentation: DNS Zone Export Commands Execution (PowerShell Command Audit)

## Description
Detects execution of **DNS zone enumeration/export** cmdlets via PowerShell — specifically `Export-DnsServerZone` and `Get-DnsServerZone`. Adversaries export DNS data to map internal hosts and services for lateral movement and targeting. This rule uses PowerShell command audit telemetry (e.g., `DeviceEvents` with `ActionType == "PowerShellCommand"`) and excludes the common benign COM host invocation from `MonitoringHost.exe -Embedding`.

- **Source context:** DFIR cases where attackers export DNS zones to discover internal hostnames and domain controllers (see DFIR Report patterns).

## Detection Logic
- Trigger when a PowerShell command event contains `Export-DnsServerZone` or `Get-DnsServerZone`.
- Exclude benign automation noise where PowerShell is invoked by known monitoring components (example: `MonitoringHost.exe -Embedding`).
- Baseline the expected sources of these cmdlets (DNS servers, management hosts, DNS admin accounts) so that only the hits outside that baseline need attention, rather than dropping events from other hosts outright.
- Prioritise events when:
  - Non-admin accounts execute the cmdlets.
  - Execution occurs from non-DNS servers or workstations.
  - Execution happens during off-hours or outside approved maintenance windows.
- Correlate with:
  - Unusual DNS queries or mass DNS lookups from the same host.
  - Creation of local files (exports) in uncommon locations.
  - Subsequent lateral movement or privilege escalation activity within a short time window.

## Tags
- Discovery  
- Reconnaissance  
- DNS Enumeration  
- PowerShell  
- MITRE ATT&CK:  
  - **T1016** – System Network Configuration Discovery  
  - **T1046** – Network Service Discovery

## Search Query
```kql
DeviceEvents
| where ActionType == "PowerShellCommand"
| where AdditionalFields has_any ("Export-DnsServerZone", "Get-DnsServerZone")
| where InitiatingProcessCommandLine != @"""MonitoringHost.exe"" -Embedding"
```

Explanation

This query detects PowerShell commands that export or enumerate DNS zones, which can indicate an adversary mapping the internal network before further attacks. A simplified breakdown:

  1. Purpose: The query identifies when specific PowerShell commands (Export-DnsServerZone and Get-DnsServerZone) are executed. These commands can be used by attackers to gather information about internal network hosts and services.

  2. Exclusions: It filters out routine, benign uses of these commands, such as those initiated by known monitoring software (MonitoringHost.exe -Embedding), to reduce false alarms.

  3. Focus: The query is particularly concerned with:

    • Non-administrative users running these commands.
    • Execution from systems that are not typically DNS servers.
    • Activity occurring outside normal business hours or scheduled maintenance times.
  4. Correlations: The rule documentation suggests further investigation if:

    • There are unusual DNS queries or a high volume of DNS lookups from the same machine.
    • DNS data is exported to unexpected file locations.
    • There is evidence of lateral movement or attempts to escalate privileges shortly after the DNS commands are run.
  5. Relevance: This detection is part of a broader effort to identify reconnaissance activities, which are often precursors to more serious attacks. It aligns with specific tactics in the MITRE ATT&CK framework, such as discovering network configurations and services.

Overall, this query helps security teams spot and investigate suspicious DNS-related activities that could indicate an adversary's reconnaissance efforts.
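As an added example that is not part of the original rule or the author's query, the following Python reproduces the detection logic described under Detection Logic and in the Explanation above, and runs it over constructed `DeviceEvents` rows: the `ActionType` filter, the case-insensitive `has_any` match on the two cmdlet names, the `MonitoringHost.exe -Embedding` exclusion, and the prioritisation by non-admin account, non-DNS-server host and off-hours execution. The layout of `AdditionalFields` (a JSON object with a `Command` key), the host and account allow-lists and the business-hours window are assumptions for illustration and would be replaced by the tenant's own baseline.

```python
import json
from datetime import datetime

# Cmdlet names the rule looks for, lower-cased because KQL has_any is case-insensitive.
# Substring matching is a looser approximation of KQL term matching; it is enough here.
DNS_ZONE_CMDLETS = ("export-dnsserverzone", "get-dnsserverzone")

# Initiating command lines treated as benign automation (the rule's single exclusion).
EXCLUDED_INITIATORS = {'"MonitoringHost.exe" -Embedding'}

# Assumed environment baseline (not from the page): known DNS servers, DNS admin
# accounts and the approved operating window in UTC hours.
DNS_SERVERS = {"dns01.corp.example"}
ADMIN_ACCOUNTS = {"dnsadmin"}
BUSINESS_HOURS = range(7, 19)

# Constructed sample rows mirroring the DeviceEvents columns the query uses.
# For ActionType "PowerShellCommand" the executed command is assumed to be the
# "Command" key of the AdditionalFields JSON.
SAMPLE_EVENTS = [
    {"Timestamp": "2025-11-10T10:15:00Z", "DeviceName": "dns01.corp.example",
     "ActionType": "PowerShellCommand", "InitiatingProcessAccountName": "dnsadmin",
     "InitiatingProcessCommandLine": '"MonitoringHost.exe" -Embedding',
     "AdditionalFields": json.dumps({"Command": "Get-DnsServerZone"})},
    {"Timestamp": "2025-11-10T11:00:00Z", "DeviceName": "dns01.corp.example",
     "ActionType": "PowerShellCommand", "InitiatingProcessAccountName": "dnsadmin",
     "InitiatingProcessCommandLine": "powershell.exe -NoProfile",
     "AdditionalFields": json.dumps({"Command": "Export-DnsServerZone"})},
    {"Timestamp": "2025-11-10T02:30:00Z", "DeviceName": "ws-finance-07.corp.example",
     "ActionType": "PowerShellCommand", "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessCommandLine": "powershell.exe -ep bypass",
     "AdditionalFields": json.dumps(
         {"Command": "get-dnsserverzone -ComputerName dns01 | Export-DnsServerZone"})},
    {"Timestamp": "2025-11-10T09:00:00Z", "DeviceName": "ws-finance-07.corp.example",
     "ActionType": "PowerShellCommand", "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessCommandLine": "powershell.exe",
     "AdditionalFields": json.dumps({"Command": "Get-ChildItem C:\\Temp"})},
    {"Timestamp": "2025-11-10T09:05:00Z", "DeviceName": "ws-finance-07.corp.example",
     "ActionType": "PowerShellCommand", "InitiatingProcessAccountName": "jdoe",
     "InitiatingProcessCommandLine": "powershell.exe",
     "AdditionalFields": "not-json"},  # malformed field: must not crash the rule
]


def powershell_command(event):
    """Extract the executed command text from AdditionalFields, or "" if unparsable."""
    try:
        fields = json.loads(event.get("AdditionalFields") or "{}")
    except json.JSONDecodeError:
        return ""
    return str(fields.get("Command", "")) if isinstance(fields, dict) else ""


def matches_rule(event):
    """Equivalent of the KQL: ActionType filter, has_any on the cmdlets, exclusion."""
    if event.get("ActionType") != "PowerShellCommand":
        return False
    command = powershell_command(event).lower()
    if not any(cmdlet in command for cmdlet in DNS_ZONE_CMDLETS):
        return False
    return event.get("InitiatingProcessCommandLine") not in EXCLUDED_INITIATORS


def risk_factors(event):
    """Prioritisation criteria from the rule documentation, in documented order."""
    when = datetime.fromisoformat(event["Timestamp"].replace("Z", "+00:00"))
    factors = []
    if event["InitiatingProcessAccountName"].lower() not in ADMIN_ACCOUNTS:
        factors.append("non-admin account")
    if event["DeviceName"].lower() not in DNS_SERVERS:
        factors.append("non-DNS-server host")
    if when.hour not in BUSINESS_HOURS:
        factors.append("off-hours")
    return factors


def run_detection(events):
    """Return matching events, highest-priority (most risk factors) first."""
    hits = []
    for event in events:
        if matches_rule(event):
            hits.append({
                "Timestamp": event["Timestamp"],
                "DeviceName": event["DeviceName"],
                "Account": event["InitiatingProcessAccountName"],
                "Command": powershell_command(event),
                "RiskFactors": risk_factors(event),
            })
    hits.sort(key=lambda hit: len(hit["RiskFactors"]), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["Timestamp"], hit["DeviceName"], hit["Account"],
              repr(hit["Command"]), hit["RiskFactors"])
```

Running it surfaces two of the five rows: the workstation execution by a non-admin at 02:30 ranks first with all three risk factors, and the DNS admin's export on the DNS server ranks last with none. The `MonitoringHost.exe -Embedding` row is dropped by the exclusion, the unrelated cmdlet never matches, and the malformed `AdditionalFields` row is handled without an exception, which is the edge case a production parser of this field needs to survive.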

Details

Ali Hussein

Released: November 10, 2025

Tables

DeviceEvents

Keywords

DeviceEvents, PowerShell, DNS, Discovery, Reconnaissance, System Network Configuration Discovery, Network Service Discovery

Operators

where, ==, has_any, !=