Resource Development

T1583.002: DNS Server

T1583.002 · Sub-technique · 1 platform · 3 groups

Description

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic (DNS). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)

Platforms

PRE

Mitigations (1)

M1056: Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (3)

| ID | Group | Context |
|---|---|---|
| G1041 | Sea Turtle | [Sea Turtle](https://attack.mitre.org/groups/G1041) built adversary-in-the-middle DNS servers to impersonate legitimate services that were later used ... |
| G0001 | Axiom | [Axiom](https://attack.mitre.org/groups/G0001) has acquired dynamic DNS services for use in the targeting of intended victims.(Citation: Novetta-Axiom... |
| G1001 | HEXANE | [HEXANE](https://attack.mitre.org/groups/G1001) has set up custom DNS servers to send commands to compromised hosts via TXT records.(Citation: Zscaler... |

Frequently Asked Questions

What is T1583.002 (DNS Server)?

T1583.002 is a MITRE ATT&CK sub-technique named 'DNS Server' under the Resource Development tactic. Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting, for example to carry Command and Control traffic; the Description section above gives the full text.

How can T1583.002 be detected?

Detection of T1583.002 (DNS Server) typically involves monitoring DNS query logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious DNS activity associated with this technique, such as command traffic carried in DNS records.
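The page notes that an adversary-run DNS server can carry commands in TXT records (the HEXANE entry above). As an added example, not from ATT&CK or any referenced report, the following profiles resolver logs per registered domain and flags domains whose traffic is almost entirely TXT queries to never-repeated, high-entropy subdomains; the log format, the `cmd-relay.test` domain and the thresholds are constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict
# Constructed resolver log lines (not from the page): timestamp client qname qtype.
# cmd-relay.test is a placeholder domain standing in for an adversary-run server.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.9 _dmarc.example.com TXT
2024-01-01T10:00:03Z 10.0.0.7 7a9f3c1e0b.cmd-relay.test TXT
2024-01-01T10:00:04Z 10.0.0.7 b2e8d4f6a1.cmd-relay.test TXT
2024-01-01T10:00:05Z 10.0.0.7 c3f1a7e9d2.cmd-relay.test TXT
2024-01-01T10:00:06Z 10.0.0.7 d4a2b8f0e3.cmd-relay.test TXT
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def label_entropy(label):
    """Shannon entropy in bits; encoded payload labels score higher than words."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def profile_domains(log_text):
    """Per registered domain: total queries, TXT queries, distinct qnames,
    and entropy of each query's leftmost label."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "names": set(), "ent": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        _, _, qname, qtype = m.groups()
        s = stats[registered_domain(qname)]
        s["total"] += 1
        s["txt"] += qtype.upper() == "TXT"
        s["names"].add(qname.lower())
        s["ent"].append(label_entropy(qname.split(".")[0]))
    return stats

def flag_txt_c2_candidates(log_text, min_txt=4, txt_share=0.8, min_entropy=3.0):
    """Domains whose traffic is mostly TXT, never repeats a qname, and carries
    high-entropy leading labels. Thresholds are illustrative; tune to your baseline."""
    hits = []
    for dom, s in profile_domains(log_text).items():
        mean_ent = sum(s["ent"]) / len(s["ent"])
        if (s["txt"] >= min_txt and s["txt"] / s["total"] >= txt_share
                and len(s["names"]) == s["total"] and mean_ent >= min_entropy):
            hits.append(dom)
    return sorted(hits)
```

Legitimate TXT lookups such as `_dmarc.example.com` are not flagged because they are a small share of that domain's traffic and reuse the same name; a real deployment should also exclude known-good domains and raise thresholds for high-volume resolvers.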

What mitigations exist for T1583.002?

There is one documented mitigation for T1583.002: Pre-compromise (M1056).

Which threat groups use T1583.002?

Known threat groups using T1583.002 include Sea Turtle, Axiom, and HEXANE.