DNS/Passive DNS
DNS/Passive DNS [T1596.001]
Information
Introduction
DNS/Passive DNS (T1596.001) is a sub-technique within the MITRE ATT&CK framework under the broader Reconnaissance tactic. It involves adversaries passively collecting DNS (Domain Name System) information to map out an organization's infrastructure without directly interacting with the targeted systems. Passive DNS data collection leverages third-party services, historical DNS databases, and publicly available repositories to uncover infrastructure details, identify potential targets, and plan further attack phases without alerting the target organization.
Deep Dive Into Technique
Passive DNS reconnaissance is a methodical approach used by attackers to gather intelligence about an organization's domain infrastructure without actively querying the organization's DNS servers. Attackers typically utilize third-party DNS databases, historical DNS records, and publicly available DNS data sources to conduct their reconnaissance. Key technical aspects include:
Historical DNS Records: Attackers use historical DNS databases (e.g., SecurityTrails, RiskIQ, DNSDumpster) to track changes in DNS configurations, identify previously used IP addresses, subdomains, or hosting providers.
Third-party DNS Aggregators: Services such as PassiveTotal, VirusTotal, and Farsight Security DNSDB aggregate passive DNS data from various sources, allowing attackers to query information without generating direct traffic to the target's DNS servers.
Reverse DNS Lookups: Attackers may leverage reverse DNS lookups on IP addresses to reveal associated domain names or subdomains, providing insights into the organization's infrastructure and hosting arrangements.
DNS Record Enumeration: Passive DNS data can reveal various DNS record types such as A, AAAA, MX, NS, TXT, CNAME, and SOA, enabling attackers to understand the organization's email servers, hosting providers, and third-party service integrations.
Infrastructure Mapping: By analyzing passive DNS data, attackers can construct a detailed map of an organization's network infrastructure, identifying potential entry points, vulnerable subdomains, cloud resources, and third-party dependencies.
When this Technique is Usually Used
Adversaries commonly employ passive DNS reconnaissance at the initial stages of an attack lifecycle, particularly during reconnaissance and planning phases. Typical scenarios and stages include:
Initial Reconnaissance: Attackers gather intelligence about the organization's infrastructure without triggering alerts or directly interacting with targeted systems.
Target Selection and Prioritization: Passive DNS data helps attackers identify valuable targets, vulnerable subdomains, or critical infrastructure components for further exploitation.
Infrastructure Mapping for Phishing Campaigns: Attackers use passive DNS data to identify email servers, mail gateways, and third-party email providers to craft targeted phishing campaigns.
Supply Chain Attacks: Attackers identify third-party services or vendors used by the organization, potentially targeting these external entities as a vector for compromise.
Domain Hijacking and DNS-based Attacks: Historical DNS data can identify expired or misconfigured domains, enabling attackers to execute domain takeover attacks or DNS hijacking.
How this Technique is Usually Detected
Detecting passive DNS reconnaissance can be challenging, as it typically involves no direct interaction with the target organization's infrastructure. However, detection methods, tools, and indicators of compromise (IoCs) include:
Monitoring Third-party DNS Queries: Utilize threat intelligence platforms (e.g., Recorded Future, PassiveTotal, VirusTotal) that provide visibility into passive DNS queries and identify unusual or suspicious domain lookups.
Threat Intelligence Integration: Integrate threat intelligence feeds that monitor adversary activity related to passive DNS reconnaissance and alert on suspicious domain-related queries or activities.
DNS Record Monitoring and Alerting: Regularly monitor DNS records for unauthorized changes, unexpected subdomains, or suspicious DNS entries using automated tools such as DNSRecon, DNSDumpster, or SecurityTrails.
Domain and Certificate Transparency Logs: Leverage Certificate Transparency (CT) logs to identify unauthorized or unexpected SSL/TLS certificates issued for organizational domains, potentially indicating reconnaissance or preparation for attack.
Honeypots and Canary Tokens: Deploy DNS-based honeypots or canary tokens (e.g., Canarytokens.org) to detect adversaries attempting to enumerate or interact with fake or decoy DNS entries.
Specific Indicators of Compromise (IoCs) include:
Sudden appearance of suspicious or unauthorized subdomains.
Queries from known malicious IP addresses or threat actor-controlled infrastructure.
Suspicious domain registrations or SSL certificate issuance related to organizational assets.
Unexpected DNS record changes or unauthorized DNS zone transfers.
Why it is Important to Detect This Technique
Detecting passive DNS reconnaissance early is critical due to the significant impacts it can have on an organization's security posture. Importance and potential impacts include:
Early Warning of Targeted Attacks: Early detection allows organizations to identify potential adversaries during the reconnaissance phase, providing valuable time to implement defensive measures and mitigate potential threats.
Preventing Infrastructure Mapping: Timely detection prevents attackers from successfully mapping the organization's infrastructure, reducing their ability to identify vulnerabilities or entry points.
Mitigating Phishing and Social Engineering Attacks: Detection of passive DNS reconnaissance helps organizations proactively identify and respond to targeted phishing campaigns, reducing the risk of credential theft and unauthorized access.
Reducing Risk of Domain Hijacking and DNS Attacks: Early detection and monitoring of DNS-related activities can prevent or mitigate domain takeover, DNS hijacking, and other DNS-based attacks that could severely disrupt business operations.
Protecting Intellectual Property and Sensitive Information: Detection and prevention of reconnaissance activities reduce the likelihood of attackers discovering sensitive organizational information, proprietary systems, or confidential infrastructure details.
Examples
Real-world examples demonstrating the use of DNS/Passive DNS reconnaissance include:
APT Groups Leveraging Passive DNS Data: Advanced Persistent Threat (APT) groups such as APT29 (Cozy Bear) and APT28 (Fancy Bear) have utilized passive DNS reconnaissance techniques to map target infrastructure, identify vulnerable subdomains, and plan sophisticated spear-phishing campaigns.
Supply Chain Attacks (SolarWinds Incident): During the SolarWinds supply chain compromise, threat actors leveraged passive DNS reconnaissance to identify infrastructure components, third-party services, and dependencies that facilitated the initial compromise and lateral movement.
Phishing Campaigns (FIN7 Group): The FIN7 cybercrime group extensively used passive DNS reconnaissance to identify email gateways, mail servers, and third-party email providers, enabling targeted spear-phishing attacks against financial institutions and retail organizations.
Domain Hijacking and Takeover Attacks: Attackers have used passive DNS data to identify expired or misconfigured domains belonging to organizations, subsequently taking control of these domains for phishing, malware distribution, or credential harvesting.
Cloud Infrastructure Mapping (Cloud Hopper Campaign): The Cloud Hopper campaign, attributed to APT10, involved extensive passive DNS reconnaissance to identify cloud-hosted infrastructure, enabling attackers to target managed service providers (MSPs) and subsequently compromise multiple organizations simultaneously.
Tools commonly used in these scenarios include:
SecurityTrails
VirusTotal
PassiveTotal
DNSDumpster
Farsight Security DNSDB
RiskIQ
Impacts observed in these real-world scenarios include:
Extensive data breaches and theft of sensitive information.
Financial losses due to successful phishing and fraud campaigns.
Operational disruptions caused by DNS hijacking or domain takeover.
Compromise of intellectual property and trade secrets.
Damage to organizational reputation and customer trust.
Last updated
Was this helpful?