Detection rules › Splunk
Windows Short Lived DNS Record
The following analytic identifies the creation and quick deletion of a DNS object within 300 seconds in an Active Directory environment, indicative of a potential attack abusing DNS. This detection leverages Windows Security Event Codes 5136 and 5137, analyzing the duration between these events. This activity is significant as temporary DNS entries allows attackers to cause unexpecting network trafficking, leading to potential compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Credential Access | T1187 Forced Authentication, T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Collection | T1557.001 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Command & Control | T1071.004 Application Layer Protocol: DNS |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
| Security-Auditing | 5137 | A directory service object was created. |
Stages and Predicates
Stage 1: search
search ((AttributeLDAPDisplayName="dNSTombstoned" AttributeValue="TRUE" EventCode=5136 ObjectClass="dnsNode") OR (EventCode=5137 ObjectClass="dnsNode"))
Stage 2: stats
stats BY ObjectGUID
Stage 3: where
where
Stage 4: eval
eval ... using (firstTime, lastTime)
Stage 5: where
where time_diff<=300
Stage 6: table
table ObjectGUID, dest, dns_record, firstTime, lastTime, time_diff, user
Stage 7: search
search
Stage 8: search
search
Stage 9: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
AttributeLDAPDisplayName | eq |
|
AttributeValue | eq |
|
EventCode | eq |
|
ObjectClass | eq |
|
time_diff | le |
|
Neighbors
Often fire together
Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.
- Potential Kerberos Coercion via DNS-Based SPN Spoofing
- Suspicious Remote Registry Access via SeBackupPrivilege
- Startup/Logon Script added to Group Policy Object
- Scheduled Task Execution at Scale via GPO
- Persistence and Execution at Scale via GPO Scheduled Task
- Potential Kerberos Coercion by Spoofing SPNs via DNS Manipulation
- Startup/Logon Script Added to Group Policy Object
- Windows AD Short Lived Server Object
Share event IDs (chain-detection candidates)
Rules that observe the same Windows event-ID pairs as this one. If you're authoring a multi-stage / sequence rule that spans these events, these are the existing detections that already cover one or both endpoints.