Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potential Discovery Activity Via Dnscmd.EXE

Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
@gott_cyberCreated Sun Jul 31Updated Sat Feb 04b6457d63-d2a2-4e29-859d-4e7affc153d1windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_img:
        Image|endswith: '\dnscmd.exe'
    selection_cli:
        CommandLine|contains:
            - '/enumrecords'
            - '/enumzones'
            - '/ZonePrint'
            - '/info'
    condition: all of selection_*
False Positives

Legitimate administration use

References
1
Resolving title…
learn.microsoft.com
2
Resolving title…
learn.microsoft.com
3
Resolving title…
lolbas-project.github.io
MITRE ATT&CK
Rule Metadata
Rule ID
b6457d63-d2a2-4e29-859d-4e7affc153d1
Status
test
Level
medium
Type
Detection
Created
Sun Jul 31
Modified
Sat Feb 04
Author
@gott_cyber
Path
rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml
Raw Tags
attack.discoveryattack.execution
View on GitHub