Gather Victim Network Information: DNS T1590.002

Adversaries may gather information about the victim's DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts. DNS MX, TXT, and SPF records may also reveal the use of third-party cloud and SaaS providers, such as Office 365, G Suite, Salesforce, or Zendesk.

Events covered

1 catalog event is tagged with this technique by at least one rule.

Provider | Event ID | Title
DNS-Server-Service | 6004 | The DNS server received a zone transfer request from param1 for a non-existent or non-authoritative zone param2.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 1 rule