Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human-readable names (ex: mitre.org)
Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | Monitor queried DNS registry data for infrastructure an adversary may have bought, leased, or rented for use during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .001 | Domains | Monitor queried DNS registry data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control. |
| Enterprise | T1584 | Compromise Infrastructure | Monitor queried DNS registry data for third-party infrastructure an adversary may have compromised for use during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .001 | Domains | Monitor queried DNS registry data for domains and/or subdomains an adversary may have hijacked for use during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .002 | DNS Server | Monitor queried DNS registry data for third-party DNS servers an adversary may have compromised for use during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
Information about domain name assignments and other domain metadata (ex: WHOIS)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .001 | Domains | Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[2] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control. |
| Enterprise | T1584 | Compromise Infrastructure | Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. |
| | .001 | Domains | Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. |
| Enterprise | T1665 | Hide Infrastructure | Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information, and in monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. |
Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)
| Domain | ID | Name | Detects |
|---|---|---|---|
| Enterprise | T1583 | Acquire Infrastructure | Monitor logged DNS data for infrastructure an adversary may have bought, leased, or rented for use during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .001 | Domains | Monitor logged DNS data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control. |
| Enterprise | T1584 | Compromise Infrastructure | Monitor logged DNS data for third-party infrastructure an adversary may have compromised for use during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .001 | Domains | Monitor logged DNS data for domains and/or subdomains an adversary may have hijacked for use during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| | .002 | DNS Server | Monitor logged DNS data for third-party DNS servers an adversary may have compromised for use during targeting. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
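As an added example (not from the ATT&CK page or any MITRE tooling), the two concrete checks the detection notes above describe, run over constructed passive DNS records: domains that reuse the organization's own label under a different TLD or sit one character away from it (the lookalike check in the Domain Registration notes for T1583.001), and subdomains whose resolved IP geolocates to a different country than the root domain (T1584.001). The GeoIP lookup table and the single-label public-suffix assumption in `split_domain` are assumptions for the example.

```python
# Constructed passive DNS records (query name, resolved IPv4, first seen); not real data.
PDNS = [
    ("mitre.org", "203.0.113.10", "2024-01-02"),
    ("www.mitre.org", "203.0.113.10", "2024-01-02"),
    ("dev.mitre.org", "198.51.100.7", "2024-05-19"),  # subdomain resolving abroad
    ("mitre.net", "192.0.2.44", "2024-05-20"),        # same label, different TLD
    ("m1tre.org", "192.0.2.45", "2024-05-21"),        # one-character lookalike
    ("unrelated.example", "192.0.2.99", "2024-05-22"),
]

# Constructed IP-to-country table standing in for a GeoIP database (assumption).
GEO = {"203.0.113.10": "US", "198.51.100.7": "DE", "192.0.2.44": "US",
       "192.0.2.45": "FR", "192.0.2.99": "US"}

def split_domain(name):
    """Return (subdomain, label, tld); assumes a single-label public suffix."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[:-2]), parts[-2], parts[-1]

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domains(records, own):
    """Registrable domains reusing our label under another TLD or one edit away from it."""
    _, own_label, own_tld = split_domain(own)
    hits = set()
    for qname, _, _ in records:
        _, label, tld = split_domain(qname)
        if (label, tld) == (own_label, own_tld):
            continue  # our own domain and its subdomains
        if label == own_label or edit_distance(label, own_label) <= 1:
            hits.add(f"{label}.{tld}")
    return sorted(hits)

def foreign_subdomains(records, own, geo):
    """Subdomains of own whose IP geolocates to a different country than the root domain."""
    root_countries = {geo.get(ip) for q, ip, _ in records if q.lower() == own.lower()}
    hits = []
    for qname, ip, seen in records:
        sub, label, tld = split_domain(qname)
        if sub and f"{label}.{tld}" == own.lower() and geo.get(ip) not in root_countries:
            hits.append((qname, ip, geo.get(ip), seen))
    return hits
```

Both checks are noisy on their own (benign CDN and multi-region hosting move subdomains across countries), so the output is a triage list to enrich with WHOIS and first-seen dates rather than an alert by itself.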