Resource Development

T1584.001: Domains

T1584.001 · Sub-technique · 1 platform · 6 groups

Description

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) Adversaries may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, taking advantage of renewal process gaps, or compromising a cloud service that enables managing domains (e.g., AWS Route53).(Citation: Krebs DNS Hijack 2019)

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)

Adversaries who compromise a domain may also engage in domain shadowing by creating malicious subdomains under their control while keeping any existing DNS records. As service will not be disrupted, the malicious subdomains may go unnoticed for long periods of time.(Citation: Palo Alto Unit 42 Domain Shadowing 2022)
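The two subdomain conditions described above (DNS entries that point to deprovisioned resources, and new subdomains added under an otherwise intact zone) can be checked from the defender's side by comparing zone snapshots. The following is an added example, not ATT&CK's own code; the zone data, names and the `RESOLVABLE` stand-in for a live resolver are constructed.

```python
"""Defender-side check for dangling CNAMEs (subdomain-takeover candidates)
and domain shadowing (names added while baseline records stay intact)."""
from collections import defaultdict

# Constructed BIND-style zone snapshots for a fictional zone; not real data.
BASELINE_ZONE = """
www.example.com.   3600 IN A     198.51.100.10
blog.example.com.  3600 IN CNAME old-blog.cloudhost.example.
mail.example.com.  3600 IN MX    10 mx1.example.com.
"""
CURRENT_ZONE = """
www.example.com.           3600 IN A     198.51.100.10
blog.example.com.          3600 IN CNAME old-blog.cloudhost.example.
mail.example.com.          3600 IN MX    10 mx1.example.com.
login-update.example.com.   300 IN A     203.0.113.7
cdn.example.com.           3600 IN CNAME assets.example-cdn.example.
"""
# Constructed stand-in for a live resolver: names listed here resolve,
# anything else is treated as NXDOMAIN / deprovisioned.
RESOLVABLE = {"assets.example-cdn.example.", "mx1.example.com."}


def parse_zone(text):
    """Map owner name -> set of (rtype, rdata) from simple zone-file lines."""
    records = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines and anything not a plain IN record
        name, rtype, rdata = parts[0], parts[3], " ".join(parts[4:])
        records[name].add((rtype, rdata))
    return dict(records)


def dangling_cnames(records, resolvable):
    """Owner names whose CNAME target no longer resolves (takeover candidates)."""
    return sorted(name for name, rrs in records.items()
                  for rtype, rdata in rrs
                  if rtype == "CNAME" and rdata not in resolvable)


def shadowing_candidates(baseline, current):
    """Return (added, broken): names new since the baseline, and baseline
    names whose records changed. Added names with an empty 'broken' list
    match the domain-shadowing pattern: service undisturbed, zone grown."""
    added = sorted(set(current) - set(baseline))
    broken = sorted(name for name, rrs in baseline.items()
                    if current.get(name) != rrs)
    return added, broken


if __name__ == "__main__":
    base, cur = parse_zone(BASELINE_ZONE), parse_zone(CURRENT_ZONE)
    print("dangling CNAMEs:", dangling_cnames(cur, RESOLVABLE))
    print("added / broken:", shadowing_candidates(base, cur))
```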

Platforms

PRE

Mitigations (1)

M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Threat Groups (6)

| ID | Group | Context |
|---|---|---|
| G0059 | Magic Hound | [Magic Hound](https://attack.mitre.org/groups/G0059) has used compromised domains to host links targeted to specific phishing victims.(Citation: Clear... |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has compromised domains for some of their infrastructure, including for C2 and staging malware.(Cita... |
| G0134 | Transparent Tribe | [Transparent Tribe](https://attack.mitre.org/groups/G0134) has compromised domains for use in targeted malicious campaigns.(Citation: Proofpoint Opera... |
| G1020 | Mustard Tempest | [Mustard Tempest](https://attack.mitre.org/groups/G1020) operates a global network of compromised websites that redirect into a traffic distribution s... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has compromised legitimate sites and used them to distribute malware.(Citation: KISA Operation Muzabi... |
| G0006 | APT1 | [APT1](https://attack.mitre.org/groups/G0006) hijacked FQDNs associated with legitimate websites hosted by hop points.(Citation: Mandiant APT1) |

Associated Software (1)

| ID | Name | Type | Context |
|---|---|---|---|
| S1138 | Gootloader | Malware | [Gootloader](https://attack.mitre.org/software/S1138) has used compromised legitimate domains as a delivery network for malicious payloads.(Citatio... |

Frequently Asked Questions

What is T1584.001 (Domains)?

T1584.001 is a MITRE ATT&CK sub-technique named 'Domains'. It belongs to the Resource Development tactic. Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the...

How can T1584.001 be detected?

Much of the activity behind T1584.001 (Domains) takes place outside the scope of enterprise defenses and controls, so detection relies on monitoring an organization's own domain registrations and DNS records for unauthorized changes, newly created subdomains, and entries that point to non-existent or deprovisioned resources, alongside the usual SIEM rules, EDR telemetry, and behavioral analytics.

What mitigations exist for T1584.001?

There is 1 documented mitigation for T1584.001: Pre-compromise (M1056).

Which threat groups use T1584.001?

Known threat groups using T1584.001 include: Magic Hound, SideCopy, Transparent Tribe, Mustard Tempest, Kimsuky, APT1.