Captive DNS Query Actions are processed to test internal DNS capabilities. With a Captive DNS Query Action, you define the expected response, and when you run the Action the traffic goes from one Actor to another Actor instead of from an Actor to a DNS server. You use this type of Action to determine whether controls are in place to detect an attempted DNS record change.
To Create a Captive DNS Query Action
- Select Library > Actions.
- Click Add Action and select Captive DNS Query.
- Enter the Query.
- Select the Query type. Options include: A, AAAA, CNAME, MX, NULL, NS, PTR, SOA, SRV, TXT.
- Enter the (expected) Response.
- Enter the Name.
- Enter the Description.
- Select the Attacker Vector. This will be Protocols / DNS.
- Select the Attacker Location. This will vary.
- Select the Behavior Type. Unless you determine otherwise, Malicious DNS Query is generally the closest option.
- Select the Covert behavior. This is generally set to No.
- Select the OS/Platform. This will vary.
- Select the Stage of Attack. This is generally set to Command and Control.
- (Optional) Assign User Tags.
- Click Save Captive DNS Query.
The Action Library is displayed, a confirmation message that your Action was created successfully is shown, and the Action is selected and displayed in the Action preview.
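To make the Query, Query type and expected Response fields concrete, the following added Python example simulates the captive exchange described above: one Actor builds a DNS query on the wire, a second Actor answers it from a configured table instead of forwarding it to a real resolver, and the first Actor decodes the answer and compares it with the expected response. This is illustration code, not the product's own implementation; the hostnames, the response table and the responder are constructed for the example, and only A, AAAA, CNAME/NS/PTR and TXT record data are encoded.

```python
"""Simulated captive DNS query check (constructed example, not product code)."""
import socket
import struct

# RFC 1035 / RFC 3596 / RFC 2782 type codes for the record types listed on the page.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "NULL": 10, "PTR": 12,
          "MX": 15, "TXT": 16, "AAAA": 28, "SRV": 33}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}

# Constructed response table for the responding Actor: (query name, type) -> response text.
SAMPLE_TABLE = {
    ("c2-check.example.test", "A"): "10.20.30.40",
    ("alias.example.test", "CNAME"): "target.example.test",
    ("verify.example.test", "TXT"): "captive-check-ok",
}


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid, qname, qtype):
    """Standard query: one question, recursion desired (flags 0x0100)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def encode_rdata(qtype, text):
    if qtype == "A":
        return socket.inet_aton(text)
    if qtype == "AAAA":
        return socket.inet_pton(socket.AF_INET6, text)
    if qtype in ("CNAME", "NS", "PTR"):
        return encode_name(text)
    if qtype == "TXT":
        data = text.encode("ascii")
        return bytes([len(data)]) + data
    raise ValueError(f"{qtype} rdata encoding is not covered by this example")


def decode_rdata(qtype, msg, start, length):
    rdata = msg[start:start + length]
    if qtype == "A":
        return socket.inet_ntoa(rdata)
    if qtype == "AAAA":
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if qtype in ("CNAME", "NS", "PTR"):
        return decode_name(msg, start)[0]
    if qtype == "TXT":
        return rdata[1:1 + rdata[0]].decode("ascii")
    raise ValueError(f"{qtype} rdata decoding is not covered by this example")


def captive_responder(query, table):
    """Responding Actor: answer from `table`, or NXDOMAIN (RCODE 3) if the name/type is absent."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype_code = struct.unpack("!H", query[off:off + 2])[0]
    qtype = TYPE_NAMES[qtype_code]
    question = query[12:off + 4]
    text = table.get((qname.lower(), qtype))
    if text is None:
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    rdata = encode_rdata(qtype, text)
    # Answer name is a pointer to the question name at offset 12; TTL 60.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype_code, 1, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_response(msg):
    """Return (txid, rcode, [(name, type name, decoded rdata), ...])."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, TYPE_NAMES[rtype], decode_rdata(TYPE_NAMES[rtype], msg, off, rdlen)))
        off += rdlen
    return txid, flags & 0x000F, answers


def run_captive_check(qname, qtype, expected, table, txid=0x1234):
    """Querying Actor: send the query to the responding Actor and compare with the expected Response."""
    rid, rcode, answers = parse_response(captive_responder(build_query(txid, qname, qtype), table))
    if rid != txid:
        return "error: transaction id mismatch"
    if rcode != 0:
        return f"fail: rcode {rcode}, no answer"
    got = [rdata for _, rtype, rdata in answers if rtype == qtype]
    return "pass" if expected in got else f"fail: expected {expected!r}, got {got}"


if __name__ == "__main__":
    for name, rtype, expected in [("c2-check.example.test", "A", "10.20.30.40"),
                                  ("c2-check.example.test", "A", "10.20.30.41"),
                                  ("missing.example.test", "A", "10.0.0.1")]:
        print(name, rtype, run_captive_check(name, rtype, expected, SAMPLE_TABLE))
```

Because the responding Actor, not a resolver, supplies the answer, a "pass" only shows that the two Actors could exchange DNS traffic on the path between them; the security-relevant question the page raises is whether the monitoring in place flagged that exchange as an attempted record change, which you check in your detection tooling after the Action runs.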