T1590.002: DNS
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third-party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_discovery: PT-CR-2549: DNS_Enumeration: Attempt to obtain information about the infrastructure by sending many unique requests to DNS servers. From the server responses, attackers can learn about the existing hosts and their addresses and use this information to further compromise the system.
dnsmasq: PT-CR-2229: Dnsmasq_DNS_Zone_Transfer: Attempt to transfer a DNS zone to a host that is not in the List_Servers or AssetGrid_Servers list. This can lead to the disclosure of the internal structure of the network.
bind: PT-CR-2197: BIND_DNS_Zone_Transfer_To_Untrusted_Host: AXFR request to transfer a zone to an untrusted host. With this request, an attacker can disclose the internal structure of the network.
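The logic these rules describe, sketched as an added Python example (not MaxPatrol SIEM rule code): it flags zone-transfer queries from hosts outside a trusted list and clients that request many unique names. The log lines are constructed in the style of a BIND query log, and the trusted list, threshold and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a BIND query log (format is an assumption).
_HOSTS = ["www", "mail", "vpn", "dev", "git", "intranet"]
SAMPLE_LOG = "\n".join(
    [f"client @0x1 203.0.113.7#{50000 + i} ({h}.corp.example): "
     f"query: {h}.corp.example IN A + (10.0.0.53)" for i, h in enumerate(_HOSTS)]
    + ["client @0x2 10.0.0.5#40001 (www.corp.example): query: www.corp.example IN A + (10.0.0.53)"] * 2
    + ["client @0x3 203.0.113.9#40002 (corp.example): query: corp.example IN AXFR -T (10.0.0.53)",
       "client @0x4 10.0.0.54#40003 (corp.example): query: corp.example IN AXFR -T (10.0.0.53)"]
)

TRUSTED_XFER_HOSTS = {"10.0.0.54"}  # hypothetical list of secondary name servers
UNIQUE_NAME_THRESHOLD = 5           # hypothetical; tune to the resolver's baseline

QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \(\S+\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def detect(log_text, trusted=TRUSTED_XFER_HOSTS, threshold=UNIQUE_NAME_THRESHOLD):
    """Return alerts for one log window (windowing by time is left to the caller)."""
    names_by_client = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        ip, qtype = m["ip"], m["qtype"].upper()
        name = m["name"].lower().rstrip(".")
        # Zone transfer requested by a host outside the trusted list.
        # IXFR is included here as an assumption; the rules above name AXFR.
        if qtype in ("AXFR", "IXFR") and ip not in trusted:
            alerts.append(("zone_transfer_untrusted", ip, name))
        names_by_client[ip].add(name)  # a set counts each name once
    # Many unique names from one client suggests enumeration.
    for ip, names in sorted(names_by_client.items()):
        if len(names) >= threshold:
            alerts.append(("dns_enumeration", ip, len(names)))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```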
Mitigation
ID | Name | Description
---|---|---
M1056 | Pre-compromise | This cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.