Overview

The DNSCache command enumerates DNS resolver cache entries, revealing recently resolved hostnames and IP addresses. This provides insight into recent network activity and can identify interesting targets for lateral movement or data exfiltration destinations.

Syntax

Seatbelt.exe DNSCache

Remote Execution

Seatbelt.exe DNSCache -computername=TARGET.domain.com [-username=DOMAIN\user -password=pass]

Output

Returns DNS cache entries including:
  • Hostname/FQDN
  • IP address(es)
  • Record type (A, AAAA, CNAME, etc.)
  • Time to live (TTL)
  • Data length

Use Cases

  • Red Team
  • Blue Team
  • Discover internal infrastructure
  • Identify recently accessed systems
  • Find file servers, databases, web servers
  • Map network topology
  • Locate data exfiltration targets
  • Discover domain controllers

Example Output

====== DNSCache ======

Entry              : dc01.corp.local
Data               : 10.0.0.10
Type               : A

Entry              : fileserver.corp.local
Data               : 10.0.0.50
Type               : A

Entry              : mail.google.com
Data               : 142.250.80.101
Type               : A

Entry              : suspicious-c2.com
Data               : 185.220.101.50
Type               : A
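
For the Blue Team use case, a saved report can be triaged offline. The following is an added example, not part of Seatbelt or of the original page: it parses text in the Entry/Data/Type layout shown above and lists cached names that resolve to public addresses and are not on an allowlist. The `.corp.local` suffix, the allowlist contents and the function names are assumptions.

```python
import ipaddress
import re

# Constructed sample that follows the layout of the example output above.
SAMPLE = """\
====== DNSCache ======

Entry              : dc01.corp.local
Data               : 10.0.0.10
Type               : A

Entry              : mail.google.com
Data               : 142.250.80.101
Type               : A

Entry              : suspicious-c2.com
Data               : 185.220.101.50
Type               : A
"""

FIELD = re.compile(r"^(\w+)\s*:\s*(.*)$")

def parse_dnscache(text):
    """Split the report into one dict per blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec[m.group(1)] = m.group(2).strip()
        if "Entry" in rec:  # the banner line has no Entry field and is skipped
            records.append(rec)
    return records

def triage(records, internal_suffixes, known_good):
    """Return (name, ip) pairs for public addresses not covered by the allowlist."""
    flagged = []
    for rec in records:
        name = rec["Entry"].lower().rstrip(".")
        if name.endswith(tuple(internal_suffixes)) or name in known_good:
            continue
        try:
            ip = ipaddress.ip_address(rec.get("Data", ""))
        except ValueError:
            continue  # Data is a name (e.g. CNAME), not an address; not handled here
        if ip.is_global:
            flagged.append((name, str(ip)))
    return flagged
```

Names flagged this way are leads for review against proxy or DNS server logs, not verdicts.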

Remote Execution

This command supports remote execution using the -computername parameter.

Detection Considerations

May generate WMI activity logs during remote execution.