sigma, medium, Hunting

Failed DNS Zone Transfer

Detects when a DNS zone transfer failed.

MITRE ATT&CK

reconnaissance

Detection Query

selection:
  EventID: 6004
condition: selection

Author

Zach Mathis

Created

2023-05-24

Data Sources

windows, dns-server

Platforms

windows

Tags

attack.reconnaissance, attack.t1590.002

Raw Content
title: Failed DNS Zone Transfer
id: 6d444368-6da1-43fe-b2fc-44202430480e
status: test
description: Detects when a DNS zone transfer failed.
references:
    - https://kb.eventtracker.com/evtpass/evtpages/EventId_6004_Microsoft-Windows-DNS-Server-Service_65410.asp
author: Zach Mathis
date: 2023-05-24
tags:
    - attack.reconnaissance
    - attack.t1590.002
logsource:
    product: windows
    service: dns-server
detection:
    selection:
        EventID: 6004 # The DNS server received a zone transfer request from %1 for a non-existent or non-authoritative zone %2.
    condition: selection
falsepositives:
    - Unlikely
level: medium