Search Open Technical Databases: DNS/Passive DNS (T1596.001)

Tactic: Reconnaissance · Platforms: PRE

The interactive view maps 1 detection strategy, 1 mitigation to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of Search Open Technical Databases (T1596).

Overview

Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS). Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Search Victim-Owned Websites or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).

Explore