Domain Name

Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)

ID: DS0038
Platform: PRE
Collection Layer: OSINT
Version: 1.0
Created: 20 October 2021
Last Modified: 20 October 2021

Data Components

Domain Name: Active DNS

Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)

Domain ID Name Detects
Enterprise T1583 Acquire Infrastructure

Monitor queried domain name system (DNS) registry data for signs that adversaries may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor queried domain name system (DNS) registry data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Enterprise T1584 Compromise Infrastructure

Monitor queried domain name system (DNS) registry data for signs that adversaries may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor queried domain name system (DNS) registry data for signs that adversaries may hijack domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.002 DNS Server

Monitor queried domain name system (DNS) registry data for signs that adversaries may compromise third-party DNS servers that can be used during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

Domain Name: Domain Registration

Information about domain name assignments and other domain metadata (ex: WHOIS)

Domain ID Name Detects
Enterprise T1583 Acquire Infrastructure

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[2] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Enterprise T1584 Compromise Infrastructure

Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.

.001 Domains

Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.

Enterprise T1665 Hide Infrastructure

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information, and in monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain.
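The Domains row above suggests watching for domains registered with a structure similar to your own, including under a different TLD. The following is an added example, not code from ATT&CK, that screens a newly-registered-domains feed against a set of owned domains; the owned domains, the feed, and the single-label-TLD assumption are all constructed for illustration.

```python
# Added example (not from the ATT&CK page): screen a feed of newly registered
# domains for lookalikes of an organisation's own domains. All domains below are
# constructed sample data; a real deployment would read WHOIS or zone-file output.
from typing import Dict, List

OWN_DOMAINS = ["example-corp.com", "examplecorp.net"]  # hypothetical owned domains

NEW_REGISTRATIONS = [  # constructed daily feed of newly registered domains
    "example-corp.net",        # same label, different TLD
    "examp1e-corp.com",        # l -> 1 substitution
    "example-corp-login.com",  # brand embedded in a longer label
    "unrelated-shop.org",      # benign
    "examplecorp.co",          # same label as our .net, different TLD
]

def registrable_label(domain: str) -> str:
    """Label left of the TLD; assumes a single-label TLD (no public-suffix list)."""
    return domain.lower().rsplit(".", 1)[0]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(candidate: str, own: List[str], max_distance: int = 1) -> str:
    """Why a candidate resembles one of our domains (checked in priority order), or ''."""
    cand = candidate.lower()
    if cand in (d.lower() for d in own):
        return ""  # one of ours
    c_label = registrable_label(cand)
    labels = {registrable_label(d): d for d in own}
    for m_label, mine in labels.items():          # 1. same label, other TLD
        if c_label == m_label:
            return f"same label as {mine} under a different TLD"
    for m_label, mine in labels.items():          # 2. near-identical label
        if edit_distance(c_label, m_label) <= max_distance:
            return f"within {max_distance} edit(s) of {mine}"
    for m_label, mine in labels.items():          # 3. our label inside a longer one
        if m_label in c_label:
            return f"embeds the label of {mine}"
    return ""

def screen(feed: List[str], own: List[str]) -> Dict[str, str]:
    return {d: r for d in feed if (r := classify(d, own))}  # flagged domain -> reason
```

Feeding the result into a ticketing or blocklist workflow, and tuning max_distance for your label length, is left to the deployment.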

Domain Name: Passive DNS

Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)

Domain ID Name Detects
Enterprise T1583 Acquire Infrastructure

Monitor logged domain name system (DNS) data for signs that adversaries may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor logged domain name system (DNS) data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

Enterprise T1584 Compromise Infrastructure

Monitor logged domain name system (DNS) data for signs that adversaries may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.001 Domains

Monitor logged domain name system (DNS) data for signs that adversaries may hijack domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

.002 DNS Server

Monitor logged domain name system (DNS) data for signs that adversaries may compromise third-party DNS servers that can be used during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
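The Domains row above names one concrete passive DNS indicator: a subdomain whose IP sits in a different country from the root domain. The following is an added example, not code from ATT&CK, that collapses a resolution timeline to each name's latest IP and compares countries; the records, the IP-to-country table standing in for a GeoIP database, and the single-label-TLD assumption are all constructed.

```python
# Added example (not from the ATT&CK page): walk a passive DNS timeline and flag
# subdomains whose most recent IP sits in a different country from the apex
# domain. Records and the IP-to-country table are constructed sample data standing
# in for a pDNS feed and a GeoIP database.
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (name, resolved IP, last-seen date as ISO 8601)

PASSIVE_DNS: List[Record] = [  # constructed sample resolution history
    ("example-corp.com",        "198.51.100.10", "2021-09-01"),
    ("www.example-corp.com",    "198.51.100.10", "2021-10-01"),
    ("mail.example-corp.com",   "198.51.100.25", "2021-10-05"),
    ("portal.example-corp.com", "203.0.113.7",   "2021-06-15"),
    ("portal.example-corp.com", "192.0.2.44",    "2021-10-12"),  # later move
]

IP_COUNTRY: Dict[str, str] = {  # constructed stand-in for a GeoIP lookup
    "198.51.100.10": "US", "198.51.100.25": "US",
    "203.0.113.7": "US", "192.0.2.44": "RU",
}

def apex(name: str) -> str:
    """Apex of a host name; assumes a single-label TLD (no public-suffix list)."""
    return ".".join(name.lower().split(".")[-2:])

def latest_resolution(records: List[Record]) -> Dict[str, Tuple[str, str]]:
    """Collapse the timeline to each name's most recent (ip, last_seen) pair."""
    latest: Dict[str, Tuple[str, str]] = {}
    for name, ip, seen in records:
        name = name.lower()
        if name not in latest or seen > latest[name][1]:  # ISO dates sort as text
            latest[name] = (ip, seen)
    return latest

def country_mismatches(records: List[Record], ip_country: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(subdomain, subdomain country, apex country) for every name whose countries differ."""
    latest = latest_resolution(records)
    findings = []
    for name, (ip, _) in sorted(latest.items()):
        root = apex(name)
        if name == root or root not in latest:
            continue  # the apex itself, or no apex baseline to compare against
        sub_cc = ip_country.get(ip, "??")      # "??" = IP missing from the table
        root_cc = ip_country.get(latest[root][0], "??")
        if sub_cc != root_cc:
            findings.append((name, sub_cc, root_cc))
    return findings

if __name__ == "__main__":
    for name, sub_cc, root_cc in country_mismatches(PASSIVE_DNS, IP_COUNTRY):
        print(f"{name}: resolves in {sub_cc}, apex resolves in {root_cc}")
```

Because the timeline is collapsed to the latest record per name, the same routine also surfaces a subdomain that moved countries after a hijack, as portal.example-corp.com does in the sample.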

References