diff --git a/source/threat-hunting/ad-integrated-dns-zone-export.md b/source/threat-hunting/ad-integrated-dns-zone-export.md new file mode 100644 index 0000000..d47e868 --- /dev/null +++ b/source/threat-hunting/ad-integrated-dns-zone-export.md @@ -0,0 +1,12 @@ +--- +title: AD integrated DNS zone export +layout: page +date: 2025-08-09 +--- + +References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/) +SPL: + +```spl +index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*export-dnsserverzone*" ScriptBlockText="*_msdcs*" +``` diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 603c28e..44976d8 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -2,7 +2,7 @@ title: Splunk Threat Hunting layout: page date: 2025-01-15 -updated: 2025-08-03 +updated: 2025-08-09 --- - [Generate ad_users.csv](ldap-ad-users) @@ -14,6 +14,7 @@ updated: 2025-08-03 - [AD Account Deletion](ad-account-deletion) - [AD Database Dump](ad-database-dump) - [AD Database Read](ad-database-read) +- [AD integrated DNS zone export](ad-integrated-dns-zone-export) - [AD Password Policy Change](ad-password-policy-change) - [AD Password Policy Modified](ad-password-policy-modified) - [AWS AssumeRoot API operation](aws-assumeroot-api-operation)
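Review bot: The new page's SPL ANDs the two `ScriptBlockText` filters, so a script block is only matched when the same block contains both `export-dnsserverzone` and `_msdcs`; an export of the domain zone itself (rather than the `_msdcs` forest-root zone) would not be surfaced, and the page gives no text explaining that scope. Suggest adding a one-line description under the frontmatter stating what activity the hunt targets (referencing the linked report) and why the `_msdcs` filter is there, or loosening the second filter if the intent is to catch any zone export via that cmdlet.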
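Review bot: In the index.md list hunk, the new entry `- [AD integrated DNS zone export](ad-integrated-dns-zone-export)` uses sentence case while every neighbouring entry uses Title Case (`AD Database Read`, `AD Password Policy Change`); suggest `- [AD Integrated DNS Zone Export](ad-integrated-dns-zone-export)` and the same change to the `title:` field in the new file's frontmatter so the index and page title stay consistent. The alphabetical placement between the `AD Database` and `AD Password` entries is correct, and the `updated:` bump to 2025-08-09 matches the new page's `date:`.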