Domains
Domains [T1583.001]
Information
Introduction
The MITRE ATT&CK sub-technique "Domains [T1583.001]" falls under the broader technique "Acquire Infrastructure," categorized within the Resource Development tactic. This sub-technique specifically refers to adversaries' methods of obtaining domain names to support malicious operations. Domains are critical components in cyber-attacks, enabling attackers to host malware, establish command and control (C2) servers, facilitate phishing campaigns, and conduct other malicious activities. Understanding how adversaries acquire and leverage domain infrastructure helps organizations proactively identify and mitigate potential threats.
Deep Dive Into Technique
Adversaries leverage domain registration services to acquire domains that are subsequently used in cyber operations. Domains provide attackers with a legitimate-looking infrastructure, essential for evading detection and maintaining operational security (OPSEC). Attackers typically follow these processes:
Domain Registration:
Attackers register new domains through legitimate domain registrars, often using stolen or fraudulent payment methods.
Registrations may involve privacy protection services to mask registrant details, thus complicating attribution efforts.
Domain Hijacking:
Attackers may compromise existing legitimate domains by exploiting vulnerabilities in domain registrar accounts or DNS provider security.
Hijacked domains offer attackers a trusted reputation, making detection and blocking more difficult.
Domain Squatting and Typosquatting:
Attackers register domains closely resembling legitimate brands or organizations to deceive users into visiting malicious sites.
Typosquatting domains exploit common typographical errors users make when entering URLs.
Expired Domain Acquisition:
Attackers monitor and acquire expired domains previously associated with legitimate organizations.
These domains may still retain residual trust, reputation, or backlinks, potentially evading detection mechanisms.
Domain Generation Algorithms (DGAs):
Attackers utilize automated algorithms to generate large numbers of pseudo-random domain names, complicating detection and blocking efforts.
Once acquired, adversaries typically configure DNS records to point to malicious infrastructure (e.g., C2 servers, phishing pages, malware distribution points), leveraging DNS propagation to rapidly scale and maintain operations.
When this Technique is Usually Used
The acquisition and use of domains typically occur early in the cyber-attack lifecycle, particularly during the resource development and initial access stages. Common attack scenarios include:
Phishing Campaigns:
Attackers acquire domains resembling legitimate organizations or services to host phishing pages designed to harvest credentials or sensitive information.
Malware Distribution:
Domains are acquired to host exploit kits, malware payloads, or malicious scripts, facilitating initial compromise of victim systems.
Command and Control Infrastructure:
Domains serve as C2 endpoints for malware-infected hosts, enabling attackers to remotely control compromised systems and exfiltrate data.
Watering Hole Attacks:
Attackers compromise or register domains frequently visited by targeted user groups, increasing the likelihood of successful exploitation.
Credential Harvesting and Fraud:
Domains mimicking financial institutions, e-commerce platforms, or government services are used to deceive users into submitting sensitive personal and financial information.
How this Technique is Usually Detected
Organizations can employ various detection methods and tools to identify malicious domain acquisition and usage:
Domain Registration Monitoring:
Monitor newly registered domain feeds and WHOIS data to identify suspicious registrations, especially those employing privacy protection or anomalous registrant details.
DNS Traffic Analysis:
Monitor DNS requests and responses within network environments to detect unusual domain lookups, high-frequency domain requests, or known malicious domains.
Detect domain generation algorithms (DGAs) through statistical analysis and machine learning techniques that identify anomalous domain naming patterns.
Threat Intelligence Feeds:
Leverage external threat intelligence sources that provide regularly updated lists of malicious or suspicious domains associated with known threat actors.
SSL/TLS Certificate Monitoring:
Monitor certificate transparency logs for newly issued certificates associated with suspicious or typosquatting domains.
Email Gateway and Web Proxy Logs:
Analyze email gateway and web proxy logs for suspicious domains embedded in URLs, particularly those linked to phishing or malware distribution campaigns.
Indicators of Compromise (IoCs) related to malicious domain acquisition include:
Suspicious WHOIS registration data (e.g., recently created domains, privacy-protected registrants).
Domains closely resembling legitimate organizations or popular brands (typosquatting).
Domains exhibiting patterns typical of automated generation (DGA-generated domains).
Domains associated with known malicious IP addresses or hosting providers.
SSL certificates issued to suspicious or newly registered domains.
Why it is Important to Detect This Technique
Early detection of adversaries acquiring and leveraging malicious domains is critical due to several significant impacts:
Prevention of Initial Compromise:
Identifying and blocking malicious domains early prevents users from accessing phishing pages or malicious payloads, reducing the risk of initial compromise.
Minimizing Data Exfiltration and Damage:
Early detection and blocking of malicious C2 domains disrupt adversary communication channels, limiting data exfiltration and lateral movement.
Reducing Operational Costs:
Timely detection and response reduce the overall cost and effort associated with incident response, remediation, and damage control.
Maintaining Organizational Reputation:
Preventing domain-based attacks safeguards an organization's reputation by protecting users, customers, and partners from fraud and compromise.
Improving Threat Intelligence and Response Capabilities:
Understanding adversary domain acquisition tactics enhances organizational threat intelligence, enabling proactive defense measures and improved cybersecurity posture.
Examples
Real-world examples demonstrating adversaries leveraging domain acquisition include:
APT29 (Cozy Bear):
Utilized domains mimicking legitimate cloud services and email providers to conduct spear-phishing campaigns targeting government and private sector entities.
Domains facilitated credential harvesting, malware delivery, and C2 communications.
FIN7 (Carbanak Group):
Registered domains closely resembling legitimate financial institutions and retail companies to distribute malware and conduct phishing attacks against financial and hospitality industries.
Leveraged privacy protection services and fraudulent registrant details to evade detection.
Emotet Malware Campaigns:
Emotet operators frequently registered large numbers of domains to host malware payloads and C2 infrastructure, employing domain generation algorithms (DGAs) to evade detection and blocking efforts.
Magecart Attacks:
Attackers acquired domains resembling legitimate analytics services and third-party scripts, injecting malicious JavaScript to skim payment card data from compromised e-commerce websites.
SolarWinds Supply Chain Attack:
Attackers registered domains mimicking legitimate SolarWinds update servers and infrastructure, facilitating malware distribution and command-and-control communication during the sophisticated supply chain compromise.
In each scenario, attackers strategically acquired and leveraged domains to conduct malicious operations, highlighting the importance of proactive monitoring, detection, and response to mitigate risks and safeguard organizational security.
Last updated
Was this helpful?