From a93b2fb5b5ed2343145912d9bcd8ca9cc2c388be Mon Sep 17 00:00:00 2001 From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com> Date: Sat, 9 Aug 2025 04:23:26 +0000 Subject: [PATCH] feat(threat-hunting): AD integrated DNS zone export --- .../threat-hunting/ad-integrated-dns-zone-export.md | 12 ++++++++++++ source/threat-hunting/index.md | 3 ++- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 source/threat-hunting/ad-integrated-dns-zone-export.md diff --git a/source/threat-hunting/ad-integrated-dns-zone-export.md b/source/threat-hunting/ad-integrated-dns-zone-export.md new file mode 100644 index 0000000..d47e868 --- /dev/null +++ b/source/threat-hunting/ad-integrated-dns-zone-export.md @@ -0,0 +1,12 @@ +--- +title: AD integrated DNS zone export +layout: page +date: 2025-08-09 +--- + +References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/) +SPL: + +```spl +index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*export-dnsserverzone*" ScriptBlockText="*_msdcs*" +``` diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md index 603c28e..44976d8 100644 --- a/source/threat-hunting/index.md +++ b/source/threat-hunting/index.md @@ -2,7 +2,7 @@ title: Splunk Threat Hunting layout: page date: 2025-01-15 -updated: 2025-08-03 +updated: 2025-08-09 --- - [Generate ad_users.csv](ldap-ad-users) @@ -14,6 +14,7 @@ updated: 2025-08-03 - [AD Account Deletion](ad-account-deletion) - [AD Database Dump](ad-database-dump) - [AD Database Read](ad-database-read) +- [AD integrated DNS zone export](ad-integrated-dns-zone-export) - [AD Password Policy Change](ad-password-policy-change) - [AD Password Policy Modified](ad-password-policy-modified) - [AWS AssumeRoot API operation](aws-assumeroot-api-operation)
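Review bot: in the new `ad-integrated-dns-zone-export.md` hunk, the second filter `ScriptBlockText="*_msdcs*"` narrows the hunt to script blocks that also name an `_msdcs` zone, so an `Export-DnsServerZone` of the plain domain forward zone, or one whose zone name is passed through a variable rather than a literal, is not returned. Either drop the `*_msdcs*` term and accept a little more triage, or state on the page why the hunt is deliberately scoped to `_msdcs` zones, because a reader of the query alone cannot tell. The page also carries no description of the activity: it goes straight from `References:` to `SPL:`, and a single line before `SPL:` such as "Exporting an AD-integrated DNS zone gives an attacker the domain controller and host records of the domain in one file" would make a hit actionable for whoever runs it. Minor style point on the same query: the two `ScriptBlockText` terms are implicitly ANDed; writing `ScriptBlockText="*export-dnsserverzone*" AND ScriptBlockText="*_msdcs*"` makes the intent explicit and matches how the rest of the line spells out its operators (`IN (...)`).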
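Review bot: in the `index.md` hunk, the new entry `- [AD integrated DNS zone export](ad-integrated-dns-zone-export)` breaks the Title Case every neighbouring entry uses (`AD Database Read`, `AD Password Policy Change`, `AWS AssumeRoot API operation` aside); rename it `AD Integrated DNS Zone Export` here and in the `title:` front matter of the new page so the list and the page heading stay consistent. The slug `ad-integrated-dns-zone-export` and the alphabetical placement after `AD Database Read` are fine as they are, and bumping `updated:` to `2025-08-09` matches the new page's `date:`.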