T1584.002: DNS Server
Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.
By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization's traffic, facilitating Collection and Credential Access efforts for the adversary.[1][2] Additionally, adversaries may leverage such control in conjunction with Digital Certificates to redirect traffic to adversary-controlled infrastructure, mimicking normal trusted network communications.[2][3] Alternatively, they may be able to prove ownership of a domain to a SaaS service in order to assert control of the service or create a new administrative Cloud Account.[4] Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.[5][6]
Analyst context for executives and security teams
This technique matters because DNS is a trust and routing dependency for business services, cloud/SaaS access, certificates, and user traffic. If an adversary compromises a third-party DNS server, they may be able to alter records, redirect traffic, create shadow subdomains, support command-and-control traffic, or use DNS control to help assert ownership of SaaS services or cloud administration paths. For leaders, the key issue is not only malware detection; it is whether the organization can prove who can change DNS, how changes are approved, and how quickly unauthorized DNS changes would be noticed and reversed.
Executive priority
Treat DNS governance as a resilience and identity-control priority, especially for externally facing domains and SaaS integrations that rely on domain ownership validation. Ask whether DNS administration is inventoried, access-controlled, monitored, and included in incident response playbooks. This technique sits in Resource Development and PRE-attack activity, so the business value is early risk reduction: reducing adversary preparation opportunities before traffic redirection, credential access, collection, or cloud/SaaS takeover scenarios become operational incidents.
Technical view
ATT&CK provides no official detection text for this object, but the relationship context includes detection strategy DET0891 and mitigation M1056 Pre-compromise. SOC and detection teams should validate monitoring around DNS record changes, registrar/DNS provider administrative activity, certificate issuance or validation events tied to domains, and unexpected subdomain creation. IR teams should ensure they can rapidly compare authoritative DNS state against approved baselines, identify unauthorized name server or record changes, and coordinate restoration with DNS providers or registrars. Because the platform is PRE, coverage depends heavily on external service logs, domain administration evidence, and change-management records rather than endpoint telemetry alone.
Likely telemetry
- Authoritative DNS zone change history and current zone records
- DNS provider or registrar administrative audit logs
- Account login, MFA, and privilege-change logs for DNS management portals
- Approved DNS change tickets or configuration baselines
- Certificate issuance, renewal, and domain-validation records associated with owned domains
Detection direction
- Baseline authoritative DNS records for critical domains and alert on unauthorized changes to A, AAAA, CNAME, MX, NS, TXT, and domain-verification records.
- Monitor for newly created or unusual subdomains that point to infrastructure not approved by the organization, consistent with the domain shadowing risk described in the ATT&CK references.
- Correlate DNS changes with identity events in DNS provider, registrar, and SaaS administration systems to distinguish approved maintenance from suspicious record manipulation.
- Review certificate transparency or certificate-management evidence for certificates issued after unexpected DNS validation changes.
- Tune detections to reduce false positives from legitimate migrations, CDN changes, SaaS onboarding, email security changes, and planned certificate renewals by requiring change-ticket or owner confirmation.
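The baseline-and-diff check described in the detection points above, written out as an added example that is not code from ATT&CK, Glexia, or any of the cited vendors. It compares an authoritative zone snapshot with an approved baseline, suppresses changes that carry an approved change ticket (the owner-confirmation step), and separately flags a name absent from the baseline whose targets sit outside the organization's approved address ranges or hostnames, which is the domain-shadowing pattern the references describe. The approved-change register, approved ranges, approved hosts, zone records, and ticket ID are constructed sample data and assumptions of the example.

```python
"""Added example (not code from ATT&CK, Glexia, or the cited vendors): compare an
authoritative zone snapshot with an approved baseline and report record changes
that carry no approved change ticket, flagging separately any new name that
points at infrastructure outside the organization's approved ranges.
All names, addresses, and ticket IDs are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Record types named in the detection guidance for baseline-and-alert coverage.
WATCHED_TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "TXT"}


@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str    # "added", "removed", "changed", or "shadow-subdomain"
    detail: str


def zone_index(records):
    """Map (name, type) -> sorted tuple of rdata so multi-valued RRsets compare as a unit."""
    idx = {}
    for name, rtype, rdata in records:
        idx.setdefault((name.lower().rstrip("."), rtype.upper()), set()).add(rdata)
    return {key: tuple(sorted(vals)) for key, vals in idx.items()}


def points_to_approved(rtype, rdata, approved_nets, approved_hosts):
    """A/AAAA targets must fall in an approved range; CNAME/MX/NS targets must be approved hosts."""
    if rtype in ("A", "AAAA"):
        try:
            ip = ipaddress.ip_address(rdata)
        except ValueError:
            return False
        return any(ip in net for net in approved_nets)
    target = rdata.split()[-1].rstrip(".").lower()   # MX rdata is "<pref> <host>"
    return target in approved_hosts


def diff_zone(baseline, current, approved_changes, approved_nets, approved_hosts):
    """Return Findings for every watched RRset that differs from the baseline without a ticket."""
    base, cur = zone_index(baseline), zone_index(current)
    baseline_names = {name for name, _ in base}
    findings = []
    for key in sorted(set(base) | set(cur)):
        name, rtype = key
        before, after = base.get(key), cur.get(key)
        if rtype not in WATCHED_TYPES or before == after:
            continue
        if key in approved_changes:      # owner-confirmed change: approved maintenance, not an alert
            continue
        if before is None:
            kind = "added"
            # A name absent from the baseline whose targets sit off the approved estate is the
            # domain-shadowing pattern: a subdomain created without the zone owner's knowledge.
            if name not in baseline_names and not all(
                points_to_approved(rtype, r, approved_nets, approved_hosts) for r in after
            ):
                kind = "shadow-subdomain"
        elif after is None:
            kind = "removed"
        else:
            kind = "changed"
        findings.append(Finding(name, rtype, kind, f"{before} -> {after}"))
    return findings


def run_sample():
    """Constructed baseline, current snapshot, and approvals (hypothetical data); returns findings."""
    baseline = [
        ("www.example.com", "A", "198.51.100.10"),
        ("example.com", "MX", "10 mail.example.com."),
        ("example.com", "NS", "ns1.dns-provider.example."),
        ("example.com", "NS", "ns2.dns-provider.example."),
        ("example.com", "TXT", "v=spf1 include:_spf.example.com -all"),
    ]
    current = baseline + [
        # unticketed extra TXT: the kind of domain-verification record a SaaS takeover relies on
        ("example.com", "TXT", "saas-verification=constructed-token"),
        # ticketed CDN onboarding: suppressed by the approved-change register
        ("cdn.example.com", "CNAME", "edge.cdn-provider.example."),
        # new subdomain pointing outside approved ranges: shadow-subdomain finding
        ("login-portal.example.com", "A", "203.0.113.77"),
    ]
    approved_changes = {("cdn.example.com", "CNAME"): "CHG-0042"}   # constructed ticket ID
    approved_nets = [ipaddress.ip_network("198.51.100.0/24")]
    approved_hosts = {"mail.example.com", "ns1.dns-provider.example",
                      "ns2.dns-provider.example", "edge.cdn-provider.example"}
    return diff_zone(baseline, current, approved_changes, approved_nets, approved_hosts)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.kind:17} {f.rtype:5} {f.name}: {f.detail}")
```

Comparing whole RRsets rather than individual records matters: an attacker who appends a second TXT or a second A record leaves the original value intact, so a per-record "still present" check would miss it. In production the `current` list would come from an authoritative zone export or AXFR from the provider, and the approved-change register from the change-ticket system; tune `approved_nets` and `approved_hosts` to the real estate to keep CDN and SaaS onboarding out of the alert queue.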
Mitigation priorities
- Inventory all domains, DNS providers, registrars, delegated zones, and business owners before prioritizing controls.
- Apply pre-compromise hardening: restrict DNS administration access, require strong authentication, minimize privileged accounts, and separate approval from implementation where feasible.
- Establish change-control baselines for critical DNS records and require documented approval for record, delegation, and domain-verification changes.
- Continuously monitor external DNS state and certificate issuance for business-critical domains and SaaS-connected domains.
- Include DNS provider and registrar coordination in incident response procedures so unauthorized changes can be reverted quickly.
Analyst notes and limits
This is a sub-technique of T1584 Compromise Infrastructure and is scoped to Resource Development on the PRE platform. The supplied relationships identify use by LAPSUS$ and Sea Turtle, and references describe DNS hijacking, domain shadowing, and SaaS domain hijacking patterns. These relationships support prioritizing DNS control validation, but they do not by themselves prove current activity against any specific organization.
The official ATT&CK detection field is not provided, so detection guidance is derived from the technique description, external reference themes, and the DET0891 relationship name only. Local architecture, DNS provider capabilities, SaaS integrations, and available audit logs determine what can actually be monitored or proven.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1584 | Compromise Infrastructure | This object is a sub-technique of Compromise Infrastructure. |
Groups, software, and campaigns
G1041: Sea Turtle
Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and complex DNS-based intrusions where the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]
G1004: LAPSUS$
LAPSUS$ is a cybercriminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.[1][2][3]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 5d5f79cd931d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos DNSpionage Nov 2018. Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.
[2] FireEye DNS Hijack 2019. Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.
[3] Crowdstrike DNS Hijack 2019. Matt Dahl. (2019, January 25). Widespread DNS Hijacking Activity Targets Multiple Sectors. Retrieved February 14, 2022.
[4] CyberCX SaaS Domain Hijacking 2025. Tony Mau. (2025, May 29). Keys to the (SaaS) kingdom. Retrieved May 30, 2025.
[5] CiscoAngler. Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.
[6] Proofpoint Domain Shadowing. Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved October 16, 2020.
[7] mitre-attack T1584.002.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.