{ "type": "bundle", "id": "bundle--fa5d9deb-b861-424b-a7b6-4c15f07ea7fe", "spec_version": "2.0", "objects": [ { "modified": "2022-10-21T14:32:48.393Z", "name": "DNS", "description": "Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target\u2019s subdomains, mail servers, and other hosts. DNS, MX, TXT, and SPF records may also reveal the use of third party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.(Citation: Sean Metcalf Twitter DNS Records)\n\nAdversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "reconnaissance" } ], "x_mitre_detection": "Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders.\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access.", "x_mitre_platforms": [ "PRE" ], "x_mitre_is_subtechnique": true, "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack" ], "x_mitre_version": "1.1", "x_mitre_contributors": [ "Jannie Li, Microsoft Threat Intelligence\u202fCenter\u202f(MSTIC)" ], "type": "attack-pattern", "id": "attack-pattern--0ff59227-8aa8-4c09-bf1f-925605bd07ea", "created": "2020-10-02T15:47:10.102Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1590/002", "external_id": "T1590.002" }, { "source_name": "Circl Passive DNS", "description": "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020.", "url": "https://www.circl.lu/services/passive-dns/" }, { "source_name": "DNS Dumpster", "description": "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020.", "url": "https://dnsdumpster.com/" }, { "source_name": "Sean Metcalf Twitter DNS Records", "description": "Sean Metcalf. (2019, May 9). Sean Metcalf Twitter. Retrieved May 27, 2022.", "url": "https://twitter.com/PyroTek3/status/1126487227712921600/photo/1" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] }