local_zone_enumeration

Explanation

The local_zone_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance efforts, attackers may wish to enumerate all of the valid hostnames on internal domains in order to discover systems and services to target. If DNS zone transfers are prohibited, attackers may attempt to guess valid names by brute force, which would trigger this NDM.

What to Look For

Examine hosts that are the source of this activity for indicators of compromise.
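
To find the source hosts in your own resolver logs, the pattern described in the Explanation can be approximated as below. This is an added example, not the NDM's own logic, which this page does not describe. The log format, the zone name corp.example, the thresholds and the use of the NXDOMAIN ratio as a sign of guessing are all assumptions.

```python
from collections import defaultdict

ZONE = "corp.example"  # hypothetical internal zone (assumption)

# Constructed sample query log, one record per line: "<epoch> <client> <qname> <rcode>"
_labels = ["admin", "backup", "db", "dev", "ftp", "git", "mail", "test", "vpn", "www"]
SAMPLE_LOG = [
    f"{1000 + i} 10.0.0.66 {label}.{ZONE}. "
    f"{'NOERROR' if label in ('mail', 'www') else 'NXDOMAIN'}"
    for i, label in enumerate(_labels)
] + [
    "1001 10.0.0.12 mail.corp.example. NOERROR",
    "1002 10.0.0.12 www.corp.example. NOERROR",
    "1003 10.0.0.12 mail.corp.example. NOERROR",
    "1004 10.0.0.31 typo-site.example.org. NXDOMAIN",  # outside the zone, ignored
    "1900 10.0.0.31 wiki.corp.example. NXDOMAIN",      # a single miss, not a sweep
]

def find_enumerators(lines, zone=ZONE, window=300, min_names=8, min_nx_ratio=0.5):
    """Flag clients that, within one time window, query many distinct names
    under `zone` and get NXDOMAIN for most of them (thresholds are assumptions)."""
    suffix = "." + zone.lower().rstrip(".")
    seen = defaultdict(dict)  # (client, window bucket) -> {qname: last rcode}
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed records
        ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):
            continue  # only names inside the internal zone count
        seen[(client, int(ts) // window)][qname] = rcode
    flagged = {}
    for (client, bucket), names in seen.items():
        nx = sum(1 for rcode in names.values() if rcode == "NXDOMAIN")
        ratio = nx / len(names)
        if len(names) >= min_names and ratio >= min_nx_ratio:
            flagged[client] = {
                "window_start": bucket * window,
                "distinct_names": len(names),
                "nxdomain_ratio": round(ratio, 2),
            }
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Repeated lookups of the same few valid names, as from 10.0.0.12 in the sample, do not raise the distinct-name count and are not flagged.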

Related MITRE ATT&CK Categories

Gather Victim Network Information, Technique T1590 - Enterprise