local_zone_enumeration
Explanation
The local_zone_enumeration NDM detects a pattern of DNS activity that is consistent with an attempt to enumerate valid hostnames within an internal domain. As part of their reconnaissance efforts, attackers may wish to enumerate all of the valid hostnames on internal domains in order to discover systems and services to target. If DNS zone transfers are prohibited, attackers may attempt to guess valid names by brute force, which would trigger this NDM.
What to Look For
Examine hosts that are the source of this activity for indicators of compromise.
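One way to surface candidate source hosts from DNS query logs is sketched below. It is an added example, not the product's detection logic: it assumes that brute-force guessing shows up as many distinct names under the internal zone from one client in a short window, most of them answered NXDOMAIN. The log format, the zone name corp.example and all thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Assumed log format (constructed): "<epoch_seconds> <client_ip> <qname> <rcode>"
ZONE = "corp.example"   # hypothetical internal zone
WINDOW = 60             # seconds; assumed threshold
MIN_NAMES = 5           # distinct names per window; assumed threshold
MIN_NX_RATIO = 0.8      # share of names answered NXDOMAIN; assumed threshold

def in_zone(qname, zone):
    """True if qname is the zone apex or a name below it (label-aligned)."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)

def find_enumerators(lines, zone=ZONE, window=WINDOW,
                     min_names=MIN_NAMES, min_nx_ratio=MIN_NX_RATIO):
    """Return {client: (distinct_names, nx_ratio)} for the busiest window of
    each client whose in-zone lookups look like brute-force name guessing."""
    per_client = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed records
        ts, client, qname, rcode = parts
        if in_zone(qname, zone):
            per_client[client].append((int(ts), qname.rstrip(".").lower(), rcode))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            names = {name for _, name, _ in span}
            nx = {name for _, name, rc in span if rc == "NXDOMAIN"}
            ratio = len(nx) / len(names)
            if len(names) >= min_names and ratio >= min_nx_ratio:
                if len(names) > flagged.get(client, (0, 0.0))[0]:
                    flagged[client] = (len(names), ratio)
    return flagged

# Constructed sample: 10.0.0.5 guesses names; 10.0.0.9 is an ordinary client.
GUESSES = ["admin", "backup", "db", "dev", "ftp", "git", "mail", "vpn"]
SAMPLE = [f"{1000 + i} 10.0.0.5 {g}.{ZONE} {'NOERROR' if g == 'mail' else 'NXDOMAIN'}"
          for i, g in enumerate(GUESSES)]
SAMPLE += [f"{1000 + 20 * i} 10.0.0.9 mail.{ZONE}. NOERROR" for i in range(6)]
SAMPLE += ["1005 10.0.0.9 www.example.org NOERROR", "garbage line"]

if __name__ == "__main__":
    for client, (names, ratio) in find_enumerators(SAMPLE).items():
        print(f"{client}: {names} distinct names, {ratio:.0%} NXDOMAIN")
```

Hosts returned by this kind of query are starting points for the examination described above; legitimate scanners and inventory tools can produce the same pattern.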
Related MITRE ATT&CK Categories
Gather Victim Network Information, Technique T1590 - Enterprise