sigmalowHunting

PUA - Adidnsdump Execution

This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed, Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP

MITRE ATT&CK

T1018

discovery

Detection Query

selection:
  Image|endswith: \python.exe
  CommandLine|contains: adidnsdump
condition: selection

Author

frack113

Created

2022-01-01

Data Sources

windowsProcess Creation Events

Platforms

windows

References

https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump

Tags

attack.discoveryattack.t1018

Raw Content

title: PUA - Adidnsdump Execution
id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
status: test
description: |
    This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks Python 3 and python.exe must be installed,
    Usee to Query/modify DNS records for Active Directory integrated DNS via LDAP
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
author: frack113
date: 2022-01-01
modified: 2023-02-21
tags:
    - attack.discovery
    - attack.t1018
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\python.exe'
        CommandLine|contains: 'adidnsdump'
    condition: selection
falsepositives:
    - Unknown
level: low