analyst security skill risk: medium
DNS-Based Persistence Hunting Procedures
The prompt provides an overview, prerequisites, and four-step process for hunting DNS-based persistence using passive DNS APIs, zone audits, and anomaly detection, with expected ou…
- External action: medium
SKILL 4 files · 2 folders
SKILL.md
--- name: hunting-for-dns-based-persistence description: "Hunt for DNS-based persistence mechanisms including DNS hijacking, dangling CNAME records, wildcard DNS abuse," --- # Hunting for DNS-based Persistence ## Overview Attackers establish DNS-based persistence by hijacking DNS records, creating unauthorized subdomains, abusing wildcard DNS entries, or modifying NS delegations to redirect traffic through attacker-controlled infrastructure. These techniques survive credential rotations, endpoint reimaging, and traditional remediation because DNS changes persist independently of compromised hosts. Detection requires passive DNS historical analysis, zone file auditing, and monitoring for unauthorized record modifications. This skill covers hunting methodologies using SecurityTrails passive DNS API, DNS audit logs from Route53/Azure DNS/Cloudflare, and zone transfer analysis. ## When to Use - When investigating security incidents that require hunting for dns based persistence - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - SecurityTrails API key (free tier provides 50 queries/month) - Access to DNS provider audit logs (Route53, Azure DNS, Cloudflare, or on-premises DNS) - Python 3.9+ with requests library - DNS zone file access or AXFR capability for internal zones - Historical DNS baseline for comparison ## Steps ### Step 1: Baseline DNS Records Export current DNS zone records and establish baseline for all authorized A, AAAA, CNAME, MX, NS, and TXT records. ### Step 2: Query Passive DNS History Use SecurityTrails API to retrieve historical DNS records and identify unauthorized changes, new subdomains, and CNAME records pointing to decommissioned services (dangling CNAMEs). ### Step 3: Detect Anomalies Compare current records against baseline to identify unauthorized modifications, wildcard records that resolve all subdomains, NS delegation changes, and MX record hijacking. ### Step 4: Investigate Findings Correlate DNS anomalies with threat intelligence feeds, check resolution targets against known malicious infrastructure, and validate record ownership. ## Expected Output JSON report listing DNS anomalies with record type, historical changes, risk severity, and remediation recommendations for each finding.
REQUIRED CONTEXT
- SecurityTrails API key
- DNS provider audit logs
- Python 3.9+ environment
- DNS zone file access or AXFR capability
- Historical DNS baseline
TOOLS REQUIRED
- api
- code_execution
EXPECTED OUTPUT
- Format
- json
- Schema
- json_schema · record type, historical changes, risk severity, remediation recommendations
- Constraints
- list DNS anomalies with record type, historical changes, risk severity, and remediation recommendations
CAVEATS
- Dependencies
- SecurityTrails API key (free tier provides 50 queries/month)
- Access to DNS provider audit logs (Route53, Azure DNS, Cloudflare, or on-premises DNS)
- Python 3.9+ with requests library
- DNS zone file access or AXFR capability for internal zones
- Historical DNS baseline for comparison
- Missing context
- Exact JSON schema or field names for the expected output report
- Error handling or rate-limit guidance for the SecurityTrails API
- Ambiguities
- Step 2 does not specify exact API endpoints, query parameters, or example calls for SecurityTrails.
- Step 3 does not define concrete criteria or thresholds for what constitutes an 'anomaly' or 'unauthorized modification'.
QUALITY
- OVERALL
- 0.72
- CLARITY
- 0.85
- SPECIFICITY
- 0.60
- REUSABILITY
- 0.70
- COMPLETENESS
- 0.75
IMPROVEMENT SUGGESTIONS
- Add a short code snippet or curl example under Step 2 showing how to query historical DNS records.
- Define the precise JSON structure (keys, types, example values) under Expected Output.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.
MORE FOR ANALYST
- CTI Analyst for Cybersecurity Project Revisionsanalystsecurity
- Malware Sandbox Evasion Techniques Analyzeranalystsecurity
- NetFlow Pandas Traffic Baselininganalystsecurity
- Data Staging Exfiltration Threat Hunteranalystsecurity
- NetFlow Security Anomaly Analyzeranalystsecurity
- PowerShell EVTX Script Block Analyzeranalystsecurity
- Domain Fronting C2 Traffic Detectoranalystsecurity
- Heap Spray Exploitation Memory Dump Analyzeranalystsecurity
- PowerShell Empire Event Log Analyzeranalystsecurity
- Anomalous PowerShell Execution Hunting Guideanalystsecurity
- Zeek Conn.log Beaconing Pattern Detectoranalystsecurity
- API Gateway Access Log Attack Analyzeranalystsecurity
- Android APK Malware Static Analysisanalystsecurity
- Kubernetes Audit Log Security Analyzeranalystsecurity
- Cloud Storage Access Anomaly Detectoranalystsecurity
- Office 365 Audit Log Compromise Analyzeranalystsecurity
- Academic Research Brainstorm and Improvement Analyzeranalystresearch
- ML Missing Values Treatment Pipelineanalystanalysis
- Quantitative Sports Betting Edge Evaluatoranalystanalysis
- B2B Manufacturing Homepage Tech-SEO Diagnosticanalystanalysis
- OSINT US Surveillance Source Investigatoranalystresearch
- Curated Compendium of Cuckold BNWO Websitesanalystresearch
- US Indices Market News and Sentiment Reporteranalystfinance
- Technical Academic Paper Revieweranalystanalysis
- UX Landing Page Conversion Analyzeranalystanalysis