title: DNS Server (T1584.002)
id: df00tech-t1584-002
status: experimental
description: "Adversaries may compromise third-party DNS servers to support operations. By gaining control over DNS infrastructure, adversaries can alter DNS records to redirect organizational traffic, facilitate credential harvesting, or redirect users to adversary-controlled infrastructure mimicking legitimate services. This technique is used by threat actors including Sea Turtle and LAPSUS$, who modified NS records and DNS configurations to intercept traffic at scale. Unlike acquiring new DNS infrastructure (T1583.002), this involves compromising existing, trusted DNS servers — making detection harder due to the perceived legitimacy of the infrastructure."
references:
  - https://attack.mitre.org/techniques/T1584/002/
  - https://df00tech.com/detections/T1584.002
author: df00tech
date: 2026/04/13
tags:
  - attack.t1584.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # Placeholder only: this selection matches every event in the logsource, so as written the rule
  # fires on every Windows network connection. The real logic could not be auto-translated; replace
  # this block with the KQL/SPL query on df00tech (https://df00tech.com/detections/T1584.002) before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers or researchers intentionally using alternative public DNS resolvers (1.1.1.1, 9.9.9.9, 8.8.8.8) for testing — common on developer workstations if these are not in the authorized list"
  - "VPN clients that change DNS server assignments upon connecting, particularly split-tunnel configurations that use provider DNS"
  - "DHCP lease renewals that legitimately update DhcpNameServer registry values as part of normal network operations"
  - "Containerization platforms (Docker Desktop, WSL2) that configure their own virtual DNS resolvers pointing to non-standard IPs"
  - "Mobile hotspot tethering or public WiFi usage where the DHCP-assigned DNS differs from corporate infrastructure"
level: high
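The false-positive list above implies a comparison of each host's configured resolvers against an authorized list. The rule below is an added example of that endpoint-side check, not df00tech's query and not part of the original rule; it assumes Sysmon Event ID 13 (RegistryValueSet) feeding the `registry_set` category, and the two resolver addresses in `filter_authorized` are placeholders to replace with your own.

```yaml
title: Windows Interface DNS Resolver Set To Unauthorized Server
status: experimental
description: >
  Detects the NameServer or DhcpNameServer value of a Windows network interface
  being set to a resolver outside the organisation's authorized list.
  Added example rule; the authorized addresses below are placeholders.
references:
  - https://attack.mitre.org/techniques/T1584/002/
tags:
  - attack.t1584.002
logsource:
  category: registry_set   # Sysmon Event ID 13 (RegistryValueSet)
  product: windows
detection:
  selection:
    # Per-interface resolver settings live under Tcpip\Parameters\Interfaces\{GUID}
    TargetObject|contains: '\Services\Tcpip\Parameters\Interfaces\'
    TargetObject|endswith:
      - '\NameServer'
      - '\DhcpNameServer'
  filter_authorized:
    # Placeholder corporate resolvers; NameServer may hold a comma-separated list,
    # so matching on the leading (primary) address is sufficient here
    Details|startswith:
      - '10.0.0.53'
      - '10.0.1.53'
  filter_cleared:
    # An emptied value (adapter disabled or switched back to DHCP) carries no resolver to assess
    Details: ''
  condition: selection and not 1 of filter_*
falsepositives:
  - DHCP renewals, VPN connects or hotspot use that assign resolvers not yet in the authorized list
  - Docker Desktop and WSL2 virtual adapters configured with their own resolvers
level: medium
```

Tune the level and the authorized list per site; on developer workstations the public resolvers named in the false-positive list above will fire until they are either added to `filter_authorized` or handled by a host-scoped exception.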
