dns-server.json

{
  "dataset": {
    "name": "EID Quick Reference - DNS Server",
    "version": "1.4.0",
    "generatedAt": "2026-05-10T00:00:00Z",
    "id": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/dns-server.json",
    "schema": "https://raw.githubusercontent.com/zerber0s/windows-eid-data/main/schema.json",
    "license": {
      "name": "Creative Commons Attribution 4.0 International",
      "spdx": "CC-BY-4.0",
      "notice": "Event descriptions are paraphrased summaries written for this dataset. Source links point to authoritative references."
    },
    "sources": [
      {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/",
        "type": "primary"
      }
    ]
  },
  "entries": [
    {
      "id": 257,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Analytical",
      "level": "Information",
      "title": "DNS query received",
      "summary": "The DNS server received and answered a query.",
      "details": "Generated on the DNS server's Analytical channel for every query received and answered. This is the primary event for DNS tunneling and C2-over-DNS detection. Threat actors use DNS as a covert channel by encoding data in subdomains (e.g., data.attacker.com) queried against a controlled authoritative server. Signatures include high query volume to a single domain, long or high-entropy subdomain labels, unusual QTYPE values (TXT, NULL, CNAME) with high frequency, or queries to newly registered domains. The Analytical channel is disabled by default and must be enabled explicitly.",
      "category": "DNS Query",
      "tags": [
        "dns",
        "query",
        "dns-tunneling",
        "c2",
        "exfiltration"
      ],
      "relatedEventIds": [
        {
          "id": 258,
          "log": "DNSServer"
        },
        {
          "id": 263,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1071.004",
          "techniqueName": "Application Layer Protocol: DNS",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        },
        {
          "techniqueId": "T1048.003",
          "techniqueName": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol",
          "tactics": [
            {
              "tacticId": "TA0010",
              "tacticName": "Exfiltration"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "DNS Server Analytical channel is disabled by default. Enable via: dnscmd /config /logLevel 0x8100 or via DNS Server debug logging settings.",
          "command": "wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:true /q:true"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Cluster queries by QNAME apex domain — high volume to a single domain from one client is highest fidelity",
          "Flag high-entropy or long subdomain labels (>30 chars) as likely data encoding",
          "Unusual QTYPE values (TXT, NULL, MX) at high frequency from a workstation are strong C2 indicators",
          "Correlate Source IP with endpoints known to run sensitive data handling processes"
        ],
        "commonFalsePositives": [
          "Content delivery networks with deep subdomain hierarchies",
          "Automated certificate validation (ACME protocol) using TXT record queries",
          "Legitimate DNS-SD (service discovery) generating high QTYPE=PTR/SRV volume"
        ]
      },
      "keyFields": [
        {
          "name": "QNAME",
          "xpath": "EventData/Data[@Name='QNAME']",
          "description": "The queried domain name."
        },
        {
          "name": "QTYPE",
          "xpath": "EventData/Data[@Name='QTYPE']",
          "description": "The DNS record type requested (A, AAAA, TXT, etc.)."
        },
        {
          "name": "Source",
          "xpath": "EventData/Data[@Name='Source']",
          "description": "Client IP address that sent the query."
        },
        {
          "name": "Port",
          "xpath": "EventData/Data[@Name='Port']",
          "description": "Client port number."
        },
        {
          "name": "RCODE",
          "xpath": "EventData/Data[@Name='RCODE']",
          "description": "Response code returned by the server."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 258,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Analytical",
      "level": "Warning",
      "title": "DNS query failed",
      "summary": "The DNS server received a query but returned a non-success response code.",
      "details": "Generated when the DNS server responds to a query with a non-zero RCODE such as NXDOMAIN (name does not exist), SERVFAIL, REFUSED, or NOTIMP. High rates of NXDOMAIN responses from a single client are a canonical indicator of DNS-based C2 beaconing or domain generation algorithm (DGA) traffic, where the malware queries a large list of pseudo-random domains until it finds one that resolves to the active C2 server.",
      "category": "DNS Query",
      "tags": [
        "dns",
        "nxdomain",
        "dga",
        "c2",
        "beaconing"
      ],
      "relatedEventIds": [
        {
          "id": 257,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1568.002",
          "techniqueName": "Dynamic Resolution: Domain Generation Algorithms",
          "tactics": [
            {
              "tacticId": "TA0011",
              "tacticName": "Command and Control"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "DNS Server Analytical channel is disabled by default.",
          "command": "wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:true /q:true"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Count NXDOMAIN responses per source IP per hour — thresholds above ~50/hour from a single client warrant investigation",
          "Extract the apex domains from NXDOMAIN queries and check against DGA detection lists or VirusTotal",
          "Correlate with proxy/firewall logs to see if the client also has unusual HTTP or TCP connections",
          "Correlate queried domain names with threat intelligence on DGA patterns for known malware families"
        ],
        "commonFalsePositives": [
          "Misconfigured applications with hard-coded hostnames that no longer resolve",
          "Development/test environments querying internal hostnames not registered in DNS"
        ]
      },
      "keyFields": [
        {
          "name": "QNAME",
          "xpath": "EventData/Data[@Name='QNAME']",
          "description": "The queried domain name."
        },
        {
          "name": "QTYPE",
          "xpath": "EventData/Data[@Name='QTYPE']",
          "description": "The DNS record type requested."
        },
        {
          "name": "Source",
          "xpath": "EventData/Data[@Name='Source']",
          "description": "Client IP address that sent the query."
        },
        {
          "name": "RCODE",
          "xpath": "EventData/Data[@Name='RCODE']",
          "description": "Response code returned (NXDOMAIN, SERVFAIL, REFUSED, etc.)."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "high",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 263,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Analytical",
      "level": "Information",
      "title": "DNS dynamic update received",
      "summary": "The DNS server received a dynamic update request from a client.",
      "details": "Generated when the DNS server receives a DNS dynamic update (RFC 2136) from a client. While legitimate clients and DHCP servers perform dynamic updates, adversaries with a foothold on a network can register or modify DNS records to redirect traffic or establish persistence. In Active Directory environments, dynamic updates are authenticated via GSS-TSIG (Kerberos), but in non-AD zones or with DHCP relay configurations, unauthenticated updates may be possible.",
      "category": "DNS Dynamic Update",
      "tags": [
        "dns",
        "dynamic-update",
        "dns-hijacking",
        "persistence"
      ],
      "relatedEventIds": [
        {
          "id": 519,
          "log": "DNSServer"
        },
        {
          "id": 520,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "prerequisites": [
        {
          "type": "log-enablement",
          "description": "DNS Server Analytical channel is disabled by default.",
          "command": "wevtutil sl Microsoft-Windows-DNSServer/Analytical /e:true /q:true"
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Correlate Source IP with known DHCP server addresses — updates from non-DHCP client IPs are anomalous",
          "Pair with Audit EID 519 to confirm which updates were committed vs. rejected",
          "Check UpdateName against high-value hostnames (DCs, file servers, identity systems)"
        ],
        "commonFalsePositives": [
          "DHCP servers performing DNS dynamic updates on behalf of clients (standard behavior)",
          "Workstations in AD environments registering their own A/AAAA records via secure dynamic update"
        ]
      },
      "keyFields": [
        {
          "name": "UpdateName",
          "xpath": "EventData/Data[@Name='UpdateName']",
          "description": "The DNS record being updated."
        },
        {
          "name": "Source",
          "xpath": "EventData/Data[@Name='Source']",
          "description": "Client IP address that sent the update."
        },
        {
          "name": "RecordData",
          "xpath": "EventData/Data[@Name='RecordData']",
          "description": "The record data being added or changed."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 513,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone deleted",
      "summary": "A DNS zone was deleted from the server.",
      "details": "Generated when a DNS zone is deleted from the server. Zone deletion is an uncommon administrative action and a high-fidelity indicator of destructive activity or attacker manipulation of DNS infrastructure. An adversary with DNS admin access could delete forward or reverse lookup zones to cause name resolution failures, supporting a denial-of-service or covering tracks after injecting malicious records.",
      "category": "DNS Zone Management",
      "tags": [
        "dns",
        "zone-deletion",
        "destructive",
        "impact"
      ],
      "relatedEventIds": [
        {
          "id": 514,
          "log": "DNSServer"
        },
        {
          "id": 515,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        },
        {
          "techniqueId": "T1489",
          "techniqueName": "Service Stop",
          "tactics": [
            {
              "tacticId": "TA0040",
              "tacticName": "Impact"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify the admin account that performed the deletion — verify it was an authorized change",
          "Check if the deletion was preceded by a zone transfer (EID 562/563) that may have exfiltrated zone data",
          "Correlate with Active Directory replication events if this is an AD-integrated zone"
        ],
        "commonFalsePositives": [
          "Planned decommissioning of legacy zones during infrastructure migration",
          "Automated DNS management tools performing zone lifecycle operations"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The name of the deleted zone."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that performed the deletion."
        },
        {
          "name": "DeletionMethod",
          "xpath": "EventData/Data[@Name='DeletionMethod']",
          "description": "How the deletion was performed (console, PowerShell, dnscmd)."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 514,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone properties updated",
      "summary": "A DNS zone's configuration properties were modified.",
      "details": "Generated when a zone's configuration is changed -- for example, modifying dynamic update settings (from Secure to Nonsecure, or disabling entirely), changing the zone type (primary/secondary/stub), modifying replication scope, or updating DNSSEC settings. The most security-relevant change is switching dynamic updates from Secure-only to Nonsecure, which would allow unauthenticated clients to register or overwrite DNS records.",
      "category": "DNS Zone Management",
      "tags": [
        "dns",
        "zone-configuration",
        "dynamic-update",
        "tampering"
      ],
      "relatedEventIds": [
        {
          "id": 513,
          "log": "DNSServer"
        },
        {
          "id": 519,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Focus on zones where dynamic update policy was changed from Secure to Nonsecure or None",
          "Verify zone type changes — converting a primary zone to a secondary may indicate exfil setup",
          "Correlate the administrator identity with privileged account monitoring"
        ],
        "commonFalsePositives": [
          "Legitimate administrative changes during DNS infrastructure upgrades",
          "DNSSEC signing operations modifying zone properties"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone whose properties were modified."
        },
        {
          "name": "PropertyChanged",
          "xpath": "EventData/Data[@Name='PropertyChanged']",
          "description": "The specific zone property that was changed."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that made the change."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 515,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS record created",
      "summary": "A DNS resource record was manually created in a zone.",
      "details": "Generated when a DNS resource record is created manually by an administrator (via DNS Manager, PowerShell, or dnscmd). This is distinct from dynamic update creation (EID 519), which is generated by clients. Manual record creation by unauthorized personnel is a persistence mechanism -- an adversary can create A or CNAME records pointing internal names to attacker-controlled IPs, facilitating internal phishing or credential harvesting.",
      "category": "DNS Record Management",
      "tags": [
        "dns",
        "record-creation",
        "persistence",
        "dns-hijacking"
      ],
      "relatedEventIds": [
        {
          "id": 516,
          "log": "DNSServer"
        },
        {
          "id": 519,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Check RecordData for external or non-RFC1918 IP addresses in internal zones — indicates DNS hijacking",
          "Review RecordName for typosquatted names resembling high-value hosts (e.g., 'dc01' vs 'dc0l')",
          "Correlate the administrator identity with authorized DNS admins and change management records"
        ],
        "commonFalsePositives": [
          "Routine administrative DNS management — adding A records for new servers",
          "Automated provisioning systems that create DNS records as part of server deployment"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone in which the record was created."
        },
        {
          "name": "RecordName",
          "xpath": "EventData/Data[@Name='RecordName']",
          "description": "The name of the created DNS record."
        },
        {
          "name": "RecordType",
          "xpath": "EventData/Data[@Name='RecordType']",
          "description": "The DNS record type (A, CNAME, MX, etc.)."
        },
        {
          "name": "RecordData",
          "xpath": "EventData/Data[@Name='RecordData']",
          "description": "The data value of the record (IP address, target name, etc.)."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that created the record."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 516,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS record deleted",
      "summary": "A DNS resource record was manually deleted from a zone.",
      "details": "Generated when a DNS resource record is manually deleted by an administrator. Manual deletion of DNS records is a rare, high-signal event. Adversaries with DNS admin access may delete SRV or A records for domain controllers to cause authentication failures (denial of service) or remove records post-exploitation to cover tracks.",
      "category": "DNS Record Management",
      "tags": [
        "dns",
        "record-deletion",
        "cover-tracks",
        "impact"
      ],
      "relatedEventIds": [
        {
          "id": 515,
          "log": "DNSServer"
        },
        {
          "id": 520,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Check deleted RecordType — SRV deletions (especially _ldap._tcp, _kerberos._tcp) cause AD authentication failures",
          "Correlate with EID 519/520 to distinguish manual admin deletion from dynamic update expiry",
          "Review administrator identity — deletions by service accounts or non-DNS-admin identities are anomalous"
        ],
        "commonFalsePositives": [
          "Cleanup of stale PTR or A records during server decommissioning",
          "Automated DNS management tools removing records as part of lifecycle management"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone from which the record was deleted."
        },
        {
          "name": "RecordName",
          "xpath": "EventData/Data[@Name='RecordName']",
          "description": "The name of the deleted DNS record."
        },
        {
          "name": "RecordType",
          "xpath": "EventData/Data[@Name='RecordType']",
          "description": "The DNS record type of the deleted record."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that performed the deletion."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 519,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS record created via dynamic update",
      "summary": "A DNS resource record was registered or created by a client via the dynamic update protocol.",
      "details": "Generated when the DNS server commits a dynamic update that creates a new resource record. This event captures the DNS record insertion point -- knowing which client IP registered which hostname allows detection of unauthorized or spoofed registrations. An attacker who has compromised a host on the network can register a DNS name pointing to a host they control, facilitating man-in-the-middle attacks for subsequent connections to that name.",
      "category": "DNS Dynamic Update",
      "tags": [
        "dns",
        "dynamic-update",
        "dns-hijacking",
        "lateral-movement",
        "credential-access"
      ],
      "relatedEventIds": [
        {
          "id": 520,
          "log": "DNSServer"
        },
        {
          "id": 263,
          "log": "DNSServer"
        },
        {
          "id": 515,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1557",
          "techniqueName": "Adversary-in-the-Middle",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            },
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Verify that Source IP matches the legitimate owner of the registered hostname — mismatches indicate DNS spoofing",
          "Check RecordData against expected IP ranges — updates registering external or unexpected IPs are anomalous",
          "Correlate with DHCP lease logs to confirm the Source IP is the authorized client for that hostname"
        ],
        "commonFalsePositives": [
          "DHCP servers registering records on behalf of DHCP clients (normal operation)",
          "Workstations updating their own A/AAAA records during IP address changes"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone in which the record was created."
        },
        {
          "name": "RecordName",
          "xpath": "EventData/Data[@Name='RecordName']",
          "description": "The name of the created DNS record."
        },
        {
          "name": "RecordType",
          "xpath": "EventData/Data[@Name='RecordType']",
          "description": "The DNS record type created."
        },
        {
          "name": "RecordData",
          "xpath": "EventData/Data[@Name='RecordData']",
          "description": "The data value of the created record."
        },
        {
          "name": "Source",
          "xpath": "EventData/Data[@Name='Source']",
          "description": "Client IP address that sent the dynamic update."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 520,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS record deleted via dynamic update",
      "summary": "A DNS resource record was deleted by a client via the dynamic update protocol.",
      "details": "Generated when the DNS server processes a dynamic update that deletes an existing resource record. Deletions via dynamic update are used by clients when they change IP addresses (DHCP lease release) or when DHCP servers clean up stale records. Adversarial use: an attacker can delete a legitimate hostname's record and re-register it with their own IP (EID 519) -- the sequence EID 520 (delete) followed by EID 519 (create with new IP) for the same RecordName from a different Source IP than the original is a strong indicator of DNS record hijacking.",
      "category": "DNS Dynamic Update",
      "tags": [
        "dns",
        "dynamic-update",
        "dns-hijacking",
        "cover-tracks"
      ],
      "relatedEventIds": [
        {
          "id": 519,
          "log": "DNSServer"
        },
        {
          "id": 516,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1557",
          "techniqueName": "Adversary-in-the-Middle",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            },
            {
              "tacticId": "TA0009",
              "tacticName": "Collection"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Sequence: EID 520 delete → EID 519 create for same RecordName with different Source IP = DNS hijacking",
          "Cross-reference DHCP logs — deletions that don't correspond to DHCP lease releases are anomalous",
          "Prioritize deletions of SRV, MX, or A records for critical infrastructure names"
        ],
        "commonFalsePositives": [
          "DHCP scavenge operations removing stale records with expired timestamps",
          "Client deregistration during normal workstation shutdown or lease release"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone from which the record was deleted."
        },
        {
          "name": "RecordName",
          "xpath": "EventData/Data[@Name='RecordName']",
          "description": "The name of the deleted DNS record."
        },
        {
          "name": "RecordType",
          "xpath": "EventData/Data[@Name='RecordType']",
          "description": "The DNS record type of the deleted record."
        },
        {
          "name": "Source",
          "xpath": "EventData/Data[@Name='Source']",
          "description": "Client IP address that sent the dynamic update."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 562,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone transfer (AXFR) initiated",
      "summary": "A full zone transfer was initiated to a secondary DNS server.",
      "details": "Generated when the DNS server initiates or receives a full zone transfer (AXFR). Zone transfers copy the entire zone data to a secondary DNS server. Unauthorized zone transfers are a significant reconnaissance technique -- an attacker who can initiate a zone transfer to a server they control receives a complete inventory of all DNS records in the zone, revealing the full internal network topology, hostnames, IP addresses, and service locations. Zone transfers should be restricted to authorized secondary DNS servers via Allow Transfer configuration.",
      "category": "DNS Zone Transfer",
      "tags": [
        "dns",
        "zone-transfer",
        "axfr",
        "reconnaissance",
        "discovery"
      ],
      "relatedEventIds": [
        {
          "id": 563,
          "log": "DNSServer"
        },
        {
          "id": 513,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1590.002",
          "techniqueName": "Gather Victim Network Information: DNS",
          "tactics": [
            {
              "tacticId": "TA0043",
              "tacticName": "Reconnaissance"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Verify the destination server is in the authorized secondary DNS server list for the zone",
          "Any AXFR to an IP outside expected secondary DNS infrastructure is a critical indicator",
          "Check whether Allow Transfer restrictions are properly configured on all zones"
        ],
        "commonFalsePositives": [
          "Authorized secondary DNS servers performing scheduled full zone synchronization",
          "DNS monitoring or backup tools performing zone data collection"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone being transferred."
        },
        {
          "name": "DestinationServer",
          "xpath": "EventData/Data[@Name='DestinationServer']",
          "description": "The server receiving the zone transfer."
        },
        {
          "name": "InitiatorIdentity",
          "xpath": "EventData/Data[@Name='InitiatorIdentity']",
          "description": "The identity that initiated the transfer."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 563,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone transfer (IXFR) initiated",
      "summary": "An incremental zone transfer was initiated to a secondary DNS server.",
      "details": "Generated when the DNS server initiates or services an incremental zone transfer (IXFR), which transfers only changes since the last SOA serial number. While less comprehensive than AXFR (EID 562), repeated IXFR transfers to an unauthorized destination can reconstruct full zone contents over time. The incremental nature also reveals the cadence and content of DNS changes, which may expose recently created attacker infrastructure records or identify newly added hosts of interest.",
      "category": "DNS Zone Transfer",
      "tags": [
        "dns",
        "zone-transfer",
        "ixfr",
        "reconnaissance"
      ],
      "relatedEventIds": [
        {
          "id": 562,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1590.002",
          "techniqueName": "Gather Victim Network Information: DNS",
          "tactics": [
            {
              "tacticId": "TA0043",
              "tacticName": "Reconnaissance"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Apply same checks as EID 562 — verify destination is an authorized secondary server",
          "High-frequency IXFR transfers to the same destination may be attempting to reconstruct full zone data incrementally"
        ],
        "commonFalsePositives": [
          "Authorized secondary DNS servers receiving normal incremental updates",
          "DNS monitoring solutions polling zone change history"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone being transferred."
        },
        {
          "name": "DestinationServer",
          "xpath": "EventData/Data[@Name='DestinationServer']",
          "description": "The server receiving the incremental transfer."
        },
        {
          "name": "SOASerialRange",
          "xpath": "EventData/Data[@Name='SOASerialRange']",
          "description": "The SOA serial number range transferred."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn800669(v=ws.11)"
      },
      "volumeIndicator": "medium",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 577,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS server policy created",
      "summary": "A DNS server-level policy was created.",
      "details": "Generated when a DNS server-level policy is created. DNS policies (introduced in Windows Server 2016) control how the DNS server responds to queries based on client subnet, time of day, or other criteria -- enabling split-horizon DNS, traffic management, and geo-location responses. An adversary with DNS admin access can create malicious response policies that redirect queries for legitimate hostnames to attacker-controlled IPs based on source subnet, effectively enabling targeted DNS hijacking that is invisible to clients outside the targeted subnet.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "persistence",
        "dns-hijacking"
      ],
      "relatedEventIds": [
        {
          "id": 578,
          "log": "DNSServer"
        },
        {
          "id": 579,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        },
        {
          "techniqueId": "T1556",
          "techniqueName": "Modify Authentication Process",
          "tactics": [
            {
              "tacticId": "TA0006",
              "tacticName": "Credential Access"
            },
            {
              "tacticId": "TA0112",
              "tacticName": "Defense Impairment"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Enumerate all DNS server and zone policies — unexpected policies are rare and high-fidelity",
          "Review the policy criteria (client subnet, QNAME match) for targeting of specific internal subnets or hostnames",
          "Correlate the administrator identity with authorized DNS admin accounts"
        ],
        "commonFalsePositives": [
          "Legitimate traffic management policies for split-horizon DNS (internal vs. external views)",
          "Authorized geo-routing or subnet-based response policies"
        ]
      },
      "keyFields": [
        {
          "name": "PolicyName",
          "xpath": "EventData/Data[@Name='PolicyName']",
          "description": "The name of the created policy."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that created the policy."
        },
        {
          "name": "PolicyScope",
          "xpath": "EventData/Data[@Name='PolicyScope']",
          "description": "The scope of the policy (server-level)."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 578,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS server policy modified",
      "summary": "A DNS server-level policy was modified.",
      "details": "Generated when an existing DNS server-level policy is modified. Policy modifications can change the response behavior for targeted queries without creating a new policy, making them harder to detect than policy creation. Modifications to response rate limiting (RRL) policies or recursive resolution policies may indicate an attacker attempting to weaken DNS security controls.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "tampering"
      ],
      "relatedEventIds": [
        {
          "id": 577,
          "log": "DNSServer"
        },
        {
          "id": 579,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Review old vs. new policy configuration to understand what changed",
          "Flag modifications to RRL (response rate limiting) policies — disabling RRL enables DNS amplification"
        ],
        "commonFalsePositives": [
          "Authorized policy tuning during DNS infrastructure maintenance"
        ]
      },
      "keyFields": [
        {
          "name": "PolicyName",
          "xpath": "EventData/Data[@Name='PolicyName']",
          "description": "The name of the modified policy."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that modified the policy."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 579,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS server policy deleted",
      "summary": "A DNS server-level policy was deleted.",
      "details": "Generated when a DNS server-level policy is deleted. Policy deletion may indicate cleanup after malicious use (deleting an attacker-created redirect policy post-exploitation) or removal of legitimate security controls such as response rate limiting or recursion restrictions.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "cover-tracks"
      ],
      "relatedEventIds": [
        {
          "id": 577,
          "log": "DNSServer"
        },
        {
          "id": 578,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Review the policy that was deleted — if it was a security control (RRL, recursion restriction), treat as tampering",
          "Correlate with EID 577 creation events to identify policy lifecycle: create → use → delete pattern"
        ],
        "commonFalsePositives": [
          "Authorized policy cleanup after planned DNS infrastructure changes"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-05-10"
    },
    {
      "id": 580,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone-level policy created",
      "summary": "A DNS policy was created at the zone level.",
      "details": "Generated when a zone-level DNS policy is created. Zone policies apply to queries for names within a specific zone and can override server-level policies for that zone. This granularity makes zone policies a more targeted mechanism for DNS hijacking -- an adversary can create a zone policy for a high-value zone (e.g., the internal AD domain) that redirects queries for specific hostnames without affecting other zones.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "persistence",
        "dns-hijacking"
      ],
      "relatedEventIds": [
        {
          "id": 577,
          "log": "DNSServer"
        },
        {
          "id": 581,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify the ZoneName — policies on the internal AD DNS zone are highest risk",
          "Review what the policy does: response override for specific QNAMEs is the most dangerous configuration"
        ],
        "commonFalsePositives": [
          "Authorized zone-level policies for split-horizon or selective forwarding configurations"
        ]
      },
      "keyFields": [
        {
          "name": "ZoneName",
          "xpath": "EventData/Data[@Name='ZoneName']",
          "description": "The zone to which the policy applies."
        },
        {
          "name": "PolicyName",
          "xpath": "EventData/Data[@Name='PolicyName']",
          "description": "The name of the created zone policy."
        },
        {
          "name": "AdminIdentity",
          "xpath": "EventData/Data[@Name='AdminIdentity']",
          "description": "The administrator account that created the policy."
        }
      ],
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 581,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone-level policy modified",
      "summary": "A DNS policy at the zone level was modified.",
      "details": "Generated when a zone-level DNS policy is modified. Same considerations as EID 578 (server policy modification) but scoped to a specific zone. Zone policy modifications that add new QNAME match conditions or change response redirect targets are highest priority.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "tampering"
      ],
      "relatedEventIds": [
        {
          "id": 580,
          "log": "DNSServer"
        },
        {
          "id": 582,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1584.002",
          "techniqueName": "Compromise Infrastructure: DNS Server",
          "tactics": [
            {
              "tacticId": "TA0042",
              "tacticName": "Resource Development"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Identify what changed — new QNAME conditions or new response override targets are most suspicious",
          "Correlate with EID 257 Analytical events to see if the modified policy changed observed query responses"
        ],
        "commonFalsePositives": [
          "Authorized tuning of zone policies during DNS maintenance"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-04-03"
    },
    {
      "id": 582,
      "log": "DNSServer",
      "provider": "Microsoft-Windows-DNSServer",
      "channel": "Microsoft-Windows-DNSServer/Audit",
      "level": "Information",
      "title": "DNS zone-level policy deleted",
      "summary": "A DNS policy at the zone level was deleted.",
      "details": "Generated when a zone-level DNS policy is deleted. Same considerations as EID 579 (server policy deletion) but scoped to a specific zone. Policy deletion after a period of use may indicate the attacker is cleaning up their redirect configuration after completing the attack objective.",
      "category": "DNS Policy Management",
      "tags": [
        "dns",
        "dns-policy",
        "cover-tracks"
      ],
      "relatedEventIds": [
        {
          "id": 580,
          "log": "DNSServer"
        },
        {
          "id": 581,
          "log": "DNSServer"
        }
      ],
      "mitreAttack": [
        {
          "techniqueId": "T1070",
          "techniqueName": "Indicator Removal",
          "tactics": [
            {
              "tacticId": "TA0005",
              "tacticName": "Stealth"
            }
          ]
        }
      ],
      "notesGuidance": {
        "investigationPivots": [
          "Review EID 580 creation events for the same policy to understand the full lifecycle",
          "Check if the deletion correlates with other attacker activity on the DNS server or DC"
        ],
        "commonFalsePositives": [
          "Authorized cleanup of temporary zone policies"
        ]
      },
      "source": {
        "name": "Microsoft Learn",
        "url": "https://learn.microsoft.com/en-us/windows-server/networking/dns/deploy/dns-policies-overview"
      },
      "volumeIndicator": "low",
      "windowsVersions": {
        "minVersion": "Server 2008"
      },
      "lastReviewed": "2026-05-10"
    }
  ]
}