Description
Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target's subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third-party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)
Adversaries may gather this information in various ways, such as querying or otherwise collecting details via DNS/Passive DNS. DNS information may also be exposed to adversaries via online or other accessible data sets (ex: Search Open Technical Databases).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: Search Open Technical Databases, Search Open Websites/Domains, or Active Scanning), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services).
Adversaries may also use DNS zone transfer (DNS query type AXFR) to collect all records from a misconfigured DNS server.(Citation: Trails-DNS)(Citation: DNS-CISA)(Citation: Alexa-dns)
Platforms
Mitigations (1)
Software Configuration (M1054)
Consider implementing policies for DNS servers, such as Zone Transfer Policies, that enforce a list of validated servers permitted for zone transfers.(Citation: DNS-msft)
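The zone transfer exposure described above and the allowlist-style policy this mitigation recommends can be checked from the authoritative server's own logs. The following is an added example, not code from MITRE ATT&CK or from any of the referenced sources: it parses constructed log lines in the shape of BIND 9 query logging, and flags AXFR/IXFR requests from any client outside a constructed list of validated secondaries (the same list that a zone transfer policy would enforce). The log format, addresses, and allowlist are all assumptions for illustration.

```python
"""Flag zone-transfer (AXFR/IXFR) requests from hosts that are not permitted secondaries.

Added example with constructed inputs; not code from the ATT&CK page or its sources.
"""
import ipaddress
import re

# Constructed sample lines in the shape of BIND 9 query logging (not real traffic).
# Addresses are from documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_QUERY_LOG = """\
12-Jun-2024 10:01:02.123 queries: info: client @0x7f1c2c0a4b60 192.0.2.10#51234 (example.com): query: example.com IN A +E(0)K (198.51.100.53)
12-Jun-2024 10:01:05.456 queries: info: client @0x7f1c2c0a4b60 192.0.2.20#42042 (example.com): query: example.com IN AXFR -E(0)K (198.51.100.53)
12-Jun-2024 10:01:06.789 queries: info: client @0x7f1c2c0a4b60 198.51.100.54#53 (example.com): query: example.com IN AXFR -E(0)K (198.51.100.53)
12-Jun-2024 10:01:08.000 queries: info: client @0x7f1c2c0a4b60 2001:db8:1::54#53 (example.com): query: example.com IN IXFR -E(0)K (198.51.100.53)
12-Jun-2024 10:01:09.000 queries: info: client @0x7f1c2c0a4b60 203.0.113.7#33333 (example.com): query: example.com IN IXFR -E(0)K (198.51.100.53)
12-Jun-2024 10:01:12.000 queries: info: client @0x7f1c2c0a4b60 192.0.2.10#51235 (example.com): query: mail.example.com IN MX +E(0)K (198.51.100.53)
"""

# Constructed allowlist: the validated secondaries a zone transfer policy permits.
# In a real deployment this mirrors the server's transfer ACL (e.g. BIND allow-transfer).
PERMITTED_TRANSFER_PEERS = [
    ipaddress.ip_network("198.51.100.54/32"),
    ipaddress.ip_network("2001:db8:1::/64"),
]

# Query types that request a whole zone (full or incremental transfer).
TRANSFER_TYPES = {"AXFR", "IXFR"}

# Client address/port, the parenthesised name, then the query name and type.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]*)\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return ip, port, qname and qtype for one query-log line, or None if unparseable."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {
        "ip": ip,
        "port": int(m.group("port")),
        "qname": m.group("qname").rstrip("."),
        "qtype": m.group("qtype").upper(),
    }


def is_permitted_peer(ip, permitted):
    """True if the client address falls inside any permitted secondary network."""
    return any(ip in net for net in permitted)


def find_unauthorized_transfers(log_text, permitted=PERMITTED_TRANSFER_PEERS):
    """Return (ip, qname, qtype) for every AXFR/IXFR request from a non-permitted client.

    Ordinary record lookups (A, MX, ...) are ignored; transfer requests from
    allowlisted secondaries are expected and not reported.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None or rec["qtype"] not in TRANSFER_TYPES:
            continue
        if not is_permitted_peer(rec["ip"], permitted):
            findings.append((str(rec["ip"]), rec["qname"], rec["qtype"]))
    return findings


if __name__ == "__main__":
    for ip, qname, qtype in find_unauthorized_transfers(SAMPLE_QUERY_LOG):
        print(f"ALERT: {qtype} for {qname} requested by non-permitted host {ip}")
```

Run over the constructed log, the two transfer requests from hosts outside the allowlist are reported, while the AXFR and IXFR from the two listed secondaries and the ordinary A/MX lookups are not. A server that actually enforces a transfer policy will refuse the unauthorised requests, so these log entries then record attempts rather than successful leaks; the same check is still useful for confirming that the policy is in place and for noticing reconnaissance against a zone.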
References
- CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.
- CISA. (2016, September 29). DNS Zone Transfer AXFR Requests May Leak Domain Information. Retrieved June 5, 2024.
- Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.
- Scanning Alexa's Top 1M for AXFR. (2015, March 29). Retrieved June 5, 2024.
- Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved September 12, 2024.
- SecurityTrails. (2018, March 14). Wrong Bind Configuration Exposes the Complete List of Russian TLD's to the Internet. Retrieved June 5, 2024.
Frequently Asked Questions
What is T1590.002 (DNS)?
T1590.002 is a MITRE ATT&CK technique named 'DNS'. It belongs to the Reconnaissance tactic(s). Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that...
How can T1590.002 be detected?
Detection of T1590.002 (DNS) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1590.002?
There is 1 documented mitigation for T1590.002: Software Configuration.
Which threat groups use T1590.002?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.