DET0877: Detection of DNS/Passive DNS
DET0877 is a detection strategy for activity related to adversaries researching an organization’s DNS and passive DNS data during reconnaissance. The busin...
Analyst context for executives and security teams
DET0877 is a detection strategy for activity related to adversaries researching an organization’s DNS and passive DNS data during reconnaissance. The business significance is that DNS records can expose internet-facing systems, mail infrastructure, subdomains, and naming patterns that help an adversary plan targeting before any intrusion occurs. For leaders, this is less about proving compromise and more about understanding whether the organization can see and govern the information it exposes externally.
Executive priority
Treat this as an external exposure and readiness question: do security, infrastructure, and risk teams know what DNS information is publicly visible, who owns it, and whether monitoring can reveal unusual reconnaissance interest? Because the related ATT&CK technique is reconnaissance on the PRE platform, value comes from early warning, attack surface management, and evidence that DNS governance supports incident response, audit, and resilience planning.
Technical view
The supplied ATT&CK object has no official detection text, platforms, or tactics of its own, but it detects T1596.001 DNS/Passive DNS, a reconnaissance technique. SOC and detection teams should validate whether they have visibility into authoritative DNS queries, DNS changes, public DNS records, and passive DNS intelligence where available. IR teams should use this context to enrich investigations: suspicious interest in specific subdomains, mail records, name servers, or newly exposed hosts may indicate targeting preparation rather than post-compromise activity.
Likely telemetry
- Authoritative DNS query logs, if collected
- DNS zone files and record-change history
- Passive DNS intelligence or historical DNS resolution data
- Registrar and DNS provider administrative logs
- External attack surface inventory for subdomains, mail servers, name servers, and host records
Detection direction
- Confirm what DNS telemetry is actually collected and retained; many organizations lack authoritative DNS query visibility or passive DNS access.
- Baseline normal public DNS interest where possible, because DNS lookups alone are common and can generate false positives.
- Prioritize changes or queries involving sensitive, newly created, rarely used, or business-critical subdomains and mail infrastructure.
- Correlate DNS reconnaissance indicators with other pre-intrusion signals, such as external scanning or suspicious interest in internet-facing assets, rather than treating isolated DNS lookups as proof of compromise.
- Use relationship context carefully: this strategy maps to reconnaissance, so detections should support early warning and investigation triage, not definitive intrusion conclusions.
Mitigation priorities
- Maintain accurate ownership and review processes for public DNS records.
- Reduce unnecessary DNS exposure, including stale subdomains and records for retired infrastructure.
- Ensure DNS administration is logged and access-controlled through existing identity and change-management processes.
- Use external attack surface review to compare intended versus publicly visible DNS information.
- Define IR playbooks for handling suspected reconnaissance, including escalation criteria and evidence preservation.
Analyst notes and limits
MITRE provides this as a detection strategy object, but the supplied fields include no official description or detection logic. The only substantive context is the relationship to T1596.001 DNS/Passive DNS under reconnaissance for the PRE platform. Glexia should position this as a visibility and exposure-management control area rather than a standalone indicator of compromise.
This take is constrained to the supplied ATT&CK fields and relationship context. It does not establish active exploitation, attribution, affected vendors, guaranteed detection, or specific platform coverage. Local DNS architecture, logging retention, passive DNS access, and asset ownership data are required to determine practical coverage.
Detection of DNS/Passive DNS
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1596.001 | DNS/Passive DNS Sub-technique | This object detects DNS/Passive DNS. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 5ce78a653a4e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack DET0877Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.