Detection | Level: medium | Status: test

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

Author: Zach Mathis
Created: Wed May 24
Rule ID: 6d444368-6da1-43fe-b2fc-44202430480e
Product: windows
Log Source
Product: Windows (raw: windows)
Service: dns-server (raw: dns-server)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
    condition: selection
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.
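The selector above is a single field match (Windows DNS Server Event ID 6004), so the useful part for an analyst is what happens after the match. The following added example (not part of the Sigma rule or the Phoenix Studio page) evaluates the rule's selection against constructed sample events and pulls the requesting host (%1) and the requested zone (%2) out of the event message, then tallies hits per source so repeated probes from one address stand out during triage. The event records and the field names `EventID`/`Message` are assumptions modelled on Windows event log exports.

```python
import re
from collections import Counter

# The rule's selection block from the page, expressed as a plain mapping.
SELECTION = {"EventID": 6004}

# Template from the page: "... request from %1 for a non-existent or
# non-authoritative zone %2." -> capture %1 (source) and %2 (zone).
MSG_RE = re.compile(
    r"zone transfer request from (?P<source>\S+) for a non-existent or "
    r"non-authoritative zone (?P<zone>\S+?)\.?$"
)

# Constructed sample events (not real telemetry); only the 6004 records should match.
SAMPLE_EVENTS = [
    {"EventID": 6004, "Message": "The DNS server received a zone transfer request "
     "from 10.0.0.25 for a non-existent or non-authoritative zone corp.example.internal."},
    {"EventID": 6001, "Message": "The DNS server has started."},
    {"EventID": 6004, "Message": "The DNS server received a zone transfer request "
     "from 10.0.0.25 for a non-existent or non-authoritative zone example.com."},
    {"EventID": 4624, "Message": "An account was successfully logged on."},
]


def matches_selection(event, selection=SELECTION):
    """Sigma selection semantics: every field in the map must match (AND)."""
    return all(str(event.get(field)) == str(value) for field, value in selection.items())


def enrich(event):
    """Extract %1 (requester) and %2 (zone) from a 6004 message; empty if unparsable."""
    m = MSG_RE.search(event.get("Message", ""))
    return {"source": m.group("source"), "zone": m.group("zone")} if m else {}


def run_rule(events):
    """Return one enriched hit per event that satisfies the rule's condition."""
    return [{"EventID": e["EventID"], **enrich(e)} for e in events if matches_selection(e)]


def hits_by_source(hits):
    """Count hits per requesting host to surface repeated failed transfer attempts."""
    return Counter(h.get("source", "unknown") for h in hits)


if __name__ == "__main__":
    hits = run_rule(SAMPLE_EVENTS)
    for h in hits:
        print(h)
    print(hits_by_source(hits))
```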

MITRE ATT&CK
Rule Metadata
Rule ID
6d444368-6da1-43fe-b2fc-44202430480e
Status
test
Level
medium
Type
Detection
Created
Wed May 24
Path
rules/windows/builtin/dns_server/win_dns_server_failed_dns_zone_transfer.yml
Raw Tags
attack.reconnaissance, attack.t1590.002