feat(threat-hunting): AD integrated DNS zone export

Ming Di Leom 2025-08-09 04:23:26 +00:00
parent a1a8f6c44b
commit a93b2fb5b5
GPG Key ID: 32D3E28E96A695E8
2 changed files with 14 additions and 1 deletions

@ -0,0 +1,12 @@
---
title: AD integrated DNS zone export
layout: page
date: 2025-08-09
---
References: [1](https://thedfirreport.com/2025/08/05/from-bing-search-to-ransomware-bumblebee-and-adaptixc2-deliver-akira/)
SPL:
```spl
index="windows" source IN ("XmlWinEventLog:Microsoft-Windows-PowerShell/Operational", "XmlWinEventLog:PowerShellCore/Operational") EventCode=4104 ScriptBlockText="*export-dnsserverzone*" ScriptBlockText="*_msdcs*"
```
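Review bot: the two `ScriptBlockText` wildcards are independent AND conditions on the same event, so the search fires on any single 4104 script block that contains both strings anywhere, and it misses a long script that PowerShell script block logging splits into several 4104 events with `export-dnsserverzone` in one fragment and `_msdcs` in another. Keeping the conditions separate is the right call for the case where the zone name is passed through a variable, but the fragmentation gap is worth stating on the page. Beyond the reference link the page carries no prose at all: a one-line description of what activity the search is hunting for, plus the expected benign source of hits (administrator-run zone backups) and a hint on how to tune them out (by account or host), would help whoever triages an alert.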

@ -2,7 +2,7 @@
title: Splunk Threat Hunting
layout: page
date: 2025-01-15
updated: 2025-08-03
updated: 2025-08-09
---
- [Generate ad_users.csv](ldap-ad-users)
@ -14,6 +14,7 @@ updated: 2025-08-03
- [AD Account Deletion](ad-account-deletion)
- [AD Database Dump](ad-database-dump)
- [AD Database Read](ad-database-read)
- [AD integrated DNS zone export](ad-integrated-dns-zone-export)
- [AD Password Policy Change](ad-password-policy-change)
- [AD Password Policy Modified](ad-password-policy-modified)
- [AWS AssumeRoot API operation](aws-assumeroot-api-operation)
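Review bot: the new entry's title is in sentence case (`AD integrated DNS zone export`) while the neighbouring entries use title case (`AD Database Read`, `AD Password Policy Change`); suggest `AD Integrated DNS Zone Export` here and in the `title:` front matter of the new page so the index stays consistent. The position between `AD Database Read` and `AD Password Policy Change` is correct for case-insensitive alphabetical order.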