cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Reverse DNS Reconnaissance not detected

Stefan Hayduk
Copper Contributor

‎Nov 28 2017 08:13 AM

‎Nov 28 2017 08:13 AM

Reverse DNS Reconnaissance not detected

If you try to dump the DNS reverse lookup zone ATP will not raise an issue. If you execute the following command for your IP Subnet it is undetected by ATP and an attacker will have all your IP Address and Servername combinations:

for /L %i in (1,1,255) do @nslookup 10.1.1.%i 2>nul | find "Name" && echo 10.1.1.%i

Its nice that ATP will detect a full zone transfer, but I don’t think that an attacker will try to dump the entire zone of your active directory domain because in every “default” DNS installation this will not be possible.

 

But using the reverse brute force DNS method is more useful you will provide a lot of useful information. I would recommend that ATP and ATA should detect such a “attack” or Reconnaissance technique. I think its easy to detect a lot of follow up DNS queries from one client or to learn how many queries are “usual” from a specific client and use this information for detecting unusual behaviors.

1,514 Views
1 Like
1 Reply
Reply
1 Reply
Astrid McClean

‎Nov 28 2017 11:56 AM

‎Nov 28 2017 11:56 AM

Re: Reverse DNS Reconnaissance not detected

Thanks for the feedback Stefan.

Don't forget however, that even failed DNS recon attempts generate alerts, and we do see attackers attempting these types of queries whether they are successful or not.

0 Likes
Reply