LoFP / legitimate administration use

Techniques

Sample rules

Potential Discovery Activity Via Dnscmd.EXE

Description

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones and records of a domain. DNS zones hold the DNS records for a particular domain, so listing them reveals the hosts and services an attacker could target next. Because dnscmd.exe is also the standard command-line tool for administering the Windows DNS Server role, the same switches appear in legitimate administration use, which is the false-positive category this page covers.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains:
  - /enumrecords
  - /enumzones
  - /ZonePrint
  - /info
selection_img:
  Image|endswith: \dnscmd.exe