MITRE ATT&CK® Detection Strategy

DET0891: Detection of DNS Server


Enterprise | DET0891 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0891 is a MITRE detection strategy record for detecting activity related to adversary use or compromise of DNS servers as a resource-development technique. The business significance is that DNS infrastructure can become part of an adversary’s operational setup before an intrusion is visible inside the victim environment. Because the ATT&CK object provides no official detection logic, platforms, or description, leaders should treat this as a coverage-planning prompt rather than a ready-made analytic.

Executive priority

Prioritize this as a resilience and assurance question: do security, infrastructure, and incident response teams have enough visibility into DNS ownership, DNS changes, and suspicious DNS infrastructure relationships to notice when DNS servers are being abused or compromised in support of operations? This matters for incident scoping, third-party risk, audit evidence around critical infrastructure controls, and readiness for investigations where adversary infrastructure may sit outside endpoint or cloud telemetry.

Technical view

The only supported relationship is that DET0891 detects T1584.002, DNS Server, under resource development with platform PRE. SOC and detection engineering teams should validate whether they can observe DNS-server-related evidence before or outside a conventional endpoint compromise. Focus on evidence of DNS record alteration, DNS server compromise indicators, and DNS traffic patterns that may support later command-and-control activity, while recognizing that the ATT&CK record does not provide a specific analytic, data source, or platform mapping.

Likely telemetry

  • Authoritative DNS server logs and configuration/change history
  • DNS zone file and DNS record change records
  • Registrar or DNS hosting provider audit logs where available
  • Network DNS traffic logs or resolver logs relevant to monitored infrastructure
  • Threat intelligence or infrastructure enrichment linking domains, name servers, and DNS changes

Detection direction

  • Confirm whether DNS server and DNS record changes are logged, retained, and attributable to an identity or administrative action.
  • Build or tune detections around unexpected DNS record changes, unusual name server relationships, or DNS infrastructure changes tied to protected domains or monitored third parties.
  • Correlate DNS infrastructure changes with other investigation context rather than treating every DNS change as malicious; legitimate migrations, provider changes, and operational maintenance are common false-positive drivers.
  • Account for the main blind spot: this is a PRE/resource-development behavior, so evidence may exist outside endpoint, EDR, or internal SIEM visibility unless DNS provider, registrar, or external intelligence data is integrated.
  • Use the relationship to T1584.002 to connect DNS infrastructure observations with later activity involving DNS traffic, including potential application-layer protocol usage, without assuming command-and-control is present from this object alone.

Mitigation priorities

  • Establish ownership and change-control processes for authoritative DNS infrastructure and critical records.
  • Ensure DNS hosting, registrar, and administrative access logs are available for security review and incident response.
  • Harden administrative access to DNS management functions using least privilege and strong authentication where supported by the environment.
  • Include DNS infrastructure review in incident response playbooks, third-party risk reviews, and business continuity planning.
  • Maintain an inventory of expected DNS servers, providers, domains, and record patterns so investigations can distinguish authorized changes from suspicious ones.
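
As an added illustration of the detection direction and the inventory point above (this is example code, not part of DET0891, MITRE ATT&CK, or Glexia's analysis), the script below triages DNS record-change audit records against an inventory of expected name servers, address ranges and approved DNS administrators. The zone names, actors, name servers, addresses, the audit-record field names and the inventory schema are all constructed assumptions for the example; a real registrar or DNS-hosting export would need its own field mapping.

```python
"""Triage DNS record-change audit events against an inventory of expected
DNS infrastructure.

Added illustration only: not DET0891 logic and not a MITRE or Glexia artefact.
The audit-record shape, the inventory schema and every zone, actor, name server
and address below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

# Constructed inventory: what "authorized" DNS looks like for each protected zone
# (mirrors the "inventory of expected DNS servers, providers, domains and record
# patterns" idea; the schema is an assumption of this example).
INVENTORY = {
    "example-corp.test": {
        "name_servers": {"ns1.dns-provider.test", "ns2.dns-provider.test"},
        "admins": {"dns-admin@example-corp.test", "netops@example-corp.test"},
        "address_ranges": [ipaddress.ip_network("203.0.113.0/24")],
    },
}

# Constructed audit records in the shape a registrar / DNS-hosting export might use.
SAMPLE_CHANGES = [
    # routine, attributable, ticketed change inside the expected address range
    {"zone": "example-corp.test", "type": "A", "name": "www",
     "old": "203.0.113.10", "new": "203.0.113.11",
     "actor": "netops@example-corp.test", "ticket": "CHG-1001"},
    # delegation moved to a name server the inventory does not know, no change record
    {"zone": "example-corp.test", "type": "NS", "name": "@",
     "old": "ns1.dns-provider.test", "new": "ns1.unknown-host.test",
     "actor": "dns-admin@example-corp.test", "ticket": ""},
    # host record pointed outside the expected range, with no attributable identity
    {"zone": "example-corp.test", "type": "A", "name": "vpn",
     "old": "203.0.113.20", "new": "198.51.100.7",
     "actor": "", "ticket": ""},
    # change in a zone nobody inventoried
    {"zone": "other-brand.test", "type": "A", "name": "@",
     "old": "192.0.2.5", "new": "192.0.2.6",
     "actor": "someone@other-brand.test", "ticket": "CHG-1002"},
]


@dataclass(frozen=True)
class Finding:
    zone: str
    record: str      # "<type> <name>"
    rule: str
    severity: str    # info | low | medium | high
    detail: str


def _ip_in_ranges(value, ranges):
    """True when value parses as an IP address inside one of the inventoried networks."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in ranges)


def evaluate_change(change, inventory):
    """Return the findings raised by one audit record; an empty list means it looks authorized."""
    zone = change["zone"]
    record = f'{change["type"]} {change["name"]}'
    expected = inventory.get(zone)
    if expected is None:
        return [Finding(zone, record, "untracked_zone", "info",
                        "zone is not in the inventory, so the change cannot be judged")]

    findings = []
    attributable = change["actor"] in expected["admins"]
    ticketed = bool(change["ticket"])

    # Delegation to an unknown name server is the core DNS-server-compromise signal.
    # An approved actor with a change record is a plausible provider migration, so it
    # is downgraded rather than dropped; the inventory should then be updated.
    if change["type"] == "NS" and change["new"] not in expected["name_servers"]:
        if attributable and ticketed:
            findings.append(Finding(zone, record, "unexpected_name_server", "medium",
                                    f'delegation moved to {change["new"]} by an approved '
                                    "actor with a change record; confirm and update inventory"))
        else:
            findings.append(Finding(zone, record, "unexpected_name_server", "high",
                                    f'delegation moved to {change["new"]}'))

    if change["type"] in ("A", "AAAA") and not _ip_in_ranges(change["new"], expected["address_ranges"]):
        findings.append(Finding(zone, record, "address_outside_expected_ranges", "medium",
                                f'{change["new"]} is outside the inventoried ranges'))

    if not attributable:
        findings.append(Finding(zone, record, "unattributed_change", "medium",
                                f'actor {change["actor"] or "<none>"} is not an approved DNS admin'))

    if not ticketed:
        findings.append(Finding(zone, record, "no_change_ticket", "low",
                                "no change-control reference recorded"))
    return findings


def evaluate_changes(changes, inventory):
    """Run every audit record through evaluate_change and flatten the findings."""
    findings = []
    for change in changes:
        findings.extend(evaluate_change(change, inventory))
    return findings


def highest_severity(findings):
    """Worst severity across the findings, or None when there are none."""
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((f.severity for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    for f in evaluate_changes(SAMPLE_CHANGES, INVENTORY):
        print(f"[{f.severity:<6}] {f.zone} {f.record}: {f.rule} - {f.detail}")
```

The attribution and change-ticket checks are what keep a legitimate provider migration from being scored like a delegation hijack: the same NS move raised by an approved administrator with a change record comes back as medium with a prompt to update the inventory, while the unticketed move in the sample stays high. Changes in zones that were never inventoried surface as informational, which is the practical form of the blind spot noted above: the logic can only judge what the inventory covers.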

Analyst notes and limits

This Glexia take is intentionally conservative because the supplied ATT&CK detection strategy has no official description, detection text, platforms, tactics, aliases, or labels. The useful context comes from its relationship to T1584.002, DNS Server, which describes adversaries compromising third-party DNS servers during resource development and altering DNS records, with possible later use of DNS traffic for tasks such as command and control.

No ATT&CK-provided analytic logic, data components, platform scope, or detection procedure was supplied for DET0891. Local DNS architecture, provider logging, registrar visibility, and third-party intelligence access will determine whether practical detection is possible.

Official MITRE ATT&CK definition

Detection of DNS Server

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row

Domain      ID         Name        Relationship / procedure
Enterprise  T1584.002  DNS Server  Sub-technique. This object detects DNS Server.
Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: d9d30aa22f550773...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  d9d30aa22f55…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0891 (open source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.