Domain Properties (T1590.001)

Information

• Name: Domain Properties

• ID: T1590.001

• Tactics:

• Technique:

Introduction

Domain Properties (T1590.001) is a sub-technique within the MITRE ATT&CK framework under the broader technique "Gather Victim Network Information (T1590)." This sub-technique specifically involves adversaries gathering information related to domain properties, such as domain names, registration details, hosting configurations, DNS records, and associated metadata. Attackers typically perform these reconnaissance activities to identify vulnerabilities, map victim infrastructures, and facilitate further stages of intrusion.

Deep Dive Into Technique

Adversaries executing Domain Properties reconnaissance typically leverage open-source intelligence (OSINT) tools, DNS enumeration utilities, and publicly available databases to gather domain-related information. The gathered data often includes:

• Domain registration details (WHOIS records):

  • Registrant name, email, phone number, and address

  • Domain registrar and registration date

  • Expiration date and renewal history

• DNS records:

  • A records (IPv4 addresses)

  • AAAA records (IPv6 addresses)

  • MX records (mail exchange servers)

  • NS records (authoritative name servers)

  • TXT records (SPF, DKIM, DMARC policies)

  • CNAME records (canonical names and aliases)

• Hosting details:

  • Hosting provider information

  • IP address ranges and autonomous system numbers (ASNs)

  • Geographic hosting locations

• SSL/TLS certificate information:

  • Certificate issuer and validity

  • Subject Alternative Names (SANs) and Common Names (CNs)

  • Expiration dates and certificate transparency logs

Common tools and methods attackers use include:

• Command-line utilities:

  • dig, nslookup, host for DNS queries

  • whois for domain registration information

• OSINT frameworks and online services:

  • Shodan, Censys, SecurityTrails, VirusTotal

  • Certificate transparency databases (e.g., crt.sh)

  • Domain enumeration and subdomain discovery tools (e.g., Sublist3r, Amass, DNSRecon)

By systematically collecting this information, attackers can map organizational assets, identify vulnerable infrastructure, and plan subsequent attack phases with greater precision.

When this Technique is Usually Used

This sub-technique commonly appears during the following attack scenarios and stages:

• Initial Reconnaissance:

  • Early stages of targeting, when adversaries gather intelligence to identify potential entry points, weaknesses, and high-value targets.

• Pre-attack Planning:

  • Mapping victim infrastructure to design targeted phishing campaigns, watering hole attacks, or DNS hijacking scenarios.

• Infrastructure Discovery:

  • Enumerating domains and subdomains to identify hidden or less-secured assets, such as development or staging environments.

• Credential Harvesting Preparation:

  • Identifying email servers (MX records) and DNS security policies (SPF, DKIM, DMARC) to craft convincing phishing emails or bypass email security measures.

• Persistence and Evasion:

  • Analyzing DNS and hosting details to perform domain hijacking, DNS spoofing, or infrastructure manipulation to maintain persistence or evade detection.

How this Technique is Usually Detected

Detection of Domain Properties reconnaissance relies on monitoring, analyzing, and correlating various indicators and behaviors, including:

• Monitoring DNS query logs:

  • Unusual or high-volume DNS queries targeting multiple subdomains, particularly from external or unexpected sources.

  • Queries for non-existent or rarely queried subdomains, indicating enumeration activities.

• WHOIS monitoring:

  • Alerts triggered by automated or bulk WHOIS lookups against organizational domains.

• Analysis of web server logs:

  • Identification of scanning or crawling behaviors targeting domain-specific resources.

• Network traffic analysis:

  • Detecting reconnaissance tools signatures (e.g., DNSRecon, Amass) in traffic patterns.

  • Unusual volumes of traffic originating from known reconnaissance IP addresses or scanners.

• Threat intelligence integration:

  • Correlating collected data with known malicious IP addresses, domains, or attacker infrastructure.

• SSL/TLS certificate monitoring:

  • Detecting unauthorized or unexpected certificate issuance via certificate transparency logs.

Specific Indicators of Compromise (IoCs) may include:

• High-frequency DNS queries from specific IP addresses.

• DNS zone transfer attempts (AXFR queries).

• Repeated WHOIS lookups originating from suspicious sources.

• Unexpected or unauthorized SSL/TLS certificates issued for organizational domains.

Why it is Important to Detect This Technique

Early detection of Domain Properties reconnaissance is crucial due to the following potential impacts and risks:

• Facilitates Targeted Attacks:

  • Attackers use domain information to craft highly targeted phishing emails, spear-phishing campaigns, or watering hole attacks.

• Infrastructure Compromise:

  • Identifying domain registration or DNS vulnerabilities may lead attackers to perform domain hijacking, DNS spoofing, or infrastructure manipulation.

• Exposure of Sensitive Information:

  • Domain enumeration may expose sensitive or confidential subdomains, internal infrastructure details, or staging environments not intended for public access.

• Increased Attack Surface:

  • Adversaries discovering hidden or less-secured assets can exploit them to gain initial footholds, escalate privileges, or establish persistence.

• Operational Disruption:

  • Domain hijacking or DNS manipulation can disrupt legitimate operations, causing downtime, loss of trust, or reputational harm.

Early detection and response mitigate these risks by allowing security teams to proactively address exposed infrastructure, harden DNS and domain registration configurations, and block potential threats before attackers progress further into their campaigns.

Examples

Real-world examples of Domain Properties reconnaissance include:

• APT Groups (e.g., APT28, APT29):

  • Known to extensively use OSINT and DNS enumeration tools to identify victim infrastructure, map email servers, and gather domain registration details to facilitate targeted phishing campaigns and infrastructure compromise.

• Magecart Attacks:

  • Attackers enumerated domains and subdomains to identify vulnerable web applications and e-commerce platforms, subsequently injecting malicious scripts into compromised domains to harvest payment card data.

• DNS Hijacking Campaigns:

  • Attackers leveraged WHOIS and DNS enumeration to identify poorly secured domain registrar accounts, enabling them to redirect DNS records, intercept sensitive communications, and steal credentials.

• Operation Sea Turtle:

  • A large-scale DNS hijacking campaign where attackers targeted domain registrars and DNS providers, gathering detailed domain properties and DNS information to redirect victim domains to attacker-controlled infrastructure, intercepting credentials and sensitive data.

Tools commonly observed in real-world attacks:

• Amass:

  • Automated OSINT reconnaissance tool for domain enumeration and infrastructure mapping.

• DNSRecon:

  • Tool used for DNS enumeration, zone transfers, and subdomain discovery.

• Sublist3r:

  • Python-based tool for enumerating subdomains using search engines, certificate transparency logs, and DNS queries.

• SecurityTrails and Shodan:

  • OSINT platforms frequently leveraged by attackers to gather comprehensive domain and hosting information.

Impacts observed in real-world scenarios:

• Credential theft and unauthorized access to sensitive systems.

• Infrastructure compromise, leading to persistent footholds and lateral movement.

• Significant downtime and operational disruption due to DNS hijacking or redirection.

• Financial losses and reputational damage from successful phishing campaigns or data breaches enabled by domain reconnaissance.