title: DNS/Passive DNS (T1596.001)
id: df00tech-t1596-001
status: experimental
description: "Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include registered name servers, records outlining addressing for subdomains, mail servers, and other hosts. Adversaries may directly query nameservers for a target organization, search centralized repositories of logged DNS query responses (passive DNS services such as CIRCL Passive DNS or SecurityTrails), or seek DNS misconfigurations and zone transfer vulnerabilities that reveal internal network structure. This reconnaissance phase generates no footprint in the victim's environment unless the adversary actively queries the organization's own authoritative DNS servers — making detection primarily possible through DNS server audit logs, high-volume query pattern analysis, and endpoint-based detection of DNS enumeration tools. Information gathered supports subsequent techniques including infrastructure acquisition, phishing campaigns, and external service exploitation."
references:
  - https://attack.mitre.org/techniques/T1596/001/
  - https://df00tech.com/detections/T1596.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1596.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Authorized DNS zone transfers between primary and secondary nameservers (AXFR is a legitimate replication mechanism — query from known secondary NS IPs should be allowlisted)
  - "Internal DNS monitoring and auditing tools (e.g., Infoblox DDI health checks, SolarWinds IPAM, Microsoft DNS Manager) that perform bulk DNS queries for zone inventory"
  - Security posture assessments and penetration tests scheduled by the organization — these will generate exactly the patterns this rule detects
  - "Subdomain enumeration by legitimate SEO crawlers, web application security scanners (Qualys, Tenable), or cloud provider health probes querying public DNS records"
  - "DNS enumeration tools executed by the red team, threat hunting team, or security researchers during authorized exercises"
level: medium