Skip to content

T1583.002 DNS Server

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: Application Layer Protocol). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic (DNS). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.1

Item Value
ID T1583.002
Sub-techniques T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008
Tactics TA0042
Platforms PRE
Version 1.0
Created 01 October 2020
Last Modified 15 April 2021

Procedure Examples

ID Name Description
G0001 Axiom Axiom has acquired dynamic DNS services for use in the targeting of intended victims.3
G1001 HEXANE HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records.2


ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.