- Tactics
- Reconnaissance
- Platforms
- PRE
- Reference
- attack.mitre.org/techniques/T1596.001
Description
Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.
Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: Search Victim-Owned Websites or Search Open Websites/Domains), establishing operational resources (ex: Acquire Infrastructure or Compromise Infrastructure), and/or initial access (ex: External Remote Services or Trusted Relationship).
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Reconnaissance tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1589 — Gather Victim Identity Information
- T1590 — Gather Victim Network Information
- T1591 — Gather Victim Org Information
- T1592 — Gather Victim Host Information
- T1593 — Search Open Websites/Domains
- T1594 — Search Victim-Owned Websites
- T1595 — Active Scanning
- T1596 — Search Open Technical Databases
- T1597 — Search Closed Sources
- T1598 — Phishing for Information
- T1681 — Search Threat Vendor Data
- T1682 — Query Public AI Services