T1596.001: DNS/Passive DNS
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS). Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Search Victim-Owned Websites or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).
Positive Technologies products that cover the technique
MaxPatrol SIEM knowledge base
mitre_attck_discovery: PT-CR-2549: DNS_Enumeration: Attempt to obtain information about the infrastructure by sending many unique requests to DNS servers. From the server responses, attackers can learn about the existing hosts and their addresses and use this information to further compromise the system.
Mitigation
| ID | M1056 | Name | Pre-compromise | Description | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties. |
|---|