WHOIS (T1596.002)

Information

• Name: WHOIS

• ID: T1596.002

• Tactics:

• Technique:

Introduction

WHOIS () is a sub-technique within MITRE ATT&CK's Reconnaissance tactic. It involves adversaries gathering publicly available information about domain registrations and IP addresses from WHOIS databases. WHOIS databases contain detailed registration information such as registrant names, addresses, phone numbers, email addresses, domain registration dates, expiration dates, and associated DNS servers. Attackers leverage this information to identify potential targets, map organizational structures, or conduct further reconnaissance and preparation for more sophisticated attacks.

Deep Dive Into Technique

WHOIS lookup queries are publicly available services provided by various registrars and registries. They allow users to query domain names or IP addresses to obtain registration details. Attackers typically perform WHOIS queries using:

• Command-line utilities:

  • whois command on Linux or Unix-based systems

  • Windows command-line utilities or PowerShell scripts

• Online WHOIS lookup services:

  • Websites such as whois.net, ICANN's WHOIS portal, DomainTools, and others

• Automated scripts and tools:

  • Custom Python scripts utilizing WHOIS libraries

  • Reconnaissance frameworks such as Recon-ng, SpiderFoot, and Maltego

Typical information gathered via WHOIS includes:

• Registrant contact details (name, address, phone, email)

• Registrar information

• Domain registration and expiration dates

• Name servers associated with the domain

• Administrative and technical contact information

Attackers utilize WHOIS information to:

• Map out organizational infrastructure and identify associated domains

• Identify potential points of contact for social engineering attacks

• Correlate domain ownership and hosting providers for further reconnaissance

• Conduct infrastructure enumeration for subsequent exploitation or phishing campaigns

When this Technique is Usually Used

WHOIS queries are primarily employed during the reconnaissance phase of an attack, often at the earliest stages of the cyber kill chain. Typical scenarios include:

• Initial information gathering and footprinting of targeted organizations

• Preparation for spear-phishing campaigns by identifying legitimate email addresses and contact details

• Mapping infrastructure relationships and identifying third-party hosting or service providers

• Identifying expired or soon-to-expire domains for potential domain hijacking scenarios

• Conducting competitive intelligence or espionage by mapping competitor domains and infrastructure

• Planning DNS hijacking or spoofing attacks by identifying authoritative name servers and registrars

How this Technique is Usually Detected

Detection of WHOIS reconnaissance can be challenging, as WHOIS queries are legitimate and publicly available. However, organizations can implement several detection strategies and tools, including:

• Monitoring and analyzing DNS logs and firewall logs for unusual or repeated WHOIS queries originating from suspicious external IP addresses

• Using Security Information and Event Management (SIEM) platforms to correlate WHOIS lookups with other suspicious reconnaissance activities

• Implementing threat intelligence platforms (TIPs) that track and alert on WHOIS queries performed on organizational domains

• Employing honeypots or deception technology to detect adversaries performing WHOIS lookups as part of broader reconnaissance campaigns

• Monitoring third-party WHOIS lookup services and databases for unusual or unauthorized queries involving organizational assets

Specific Indicators of Compromise (IoCs) related to WHOIS reconnaissance include:

• Repeated WHOIS queries originating from known malicious IP addresses or suspicious geographic locations

• Automated WHOIS lookups performed at scale against multiple organizational domains within short intervals

• WHOIS queries combined with other reconnaissance activities such as DNS enumeration, port scanning, or vulnerability scanning

Why it is Important to Detect This Technique

Early detection of WHOIS reconnaissance is critical due to the following potential impacts on organizations:

• Enables attackers to gather detailed organizational information, potentially leading to targeted phishing or spear-phishing attacks

• Facilitates mapping of organizational infrastructure, increasing the likelihood of successful exploitation or lateral movement

• Provides attackers with valuable contact details, increasing the risk of social engineering attacks against employees or partners

• Assists attackers in identifying vulnerable or expired domains, potentially leading to domain hijacking or brand impersonation

• Helps adversaries identify third-party relationships and dependencies, increasing the attack surface and potential supply-chain risks

Early detection allows organizations to:

• Proactively strengthen defenses and security posture before attackers leverage reconnaissance information

• Alert security teams to potential impending attacks, enabling quicker response and mitigation

• Reduce the risk of successful phishing, social engineering, or other targeted attacks by increasing employee awareness and vigilance

• Minimize reputational damage and financial loss associated with successful exploitation or fraud

Examples

Real-world examples of WHOIS reconnaissance include:

• APT33 (Elfin):

  • Iranian threat actor known to perform WHOIS lookups to gather intelligence on targeted organizations, especially in the aerospace and energy sectors.

  • Utilized WHOIS data to identify legitimate email addresses and contacts for spear-phishing campaigns.

• APT41:

  • Chinese cyber espionage group that leveraged WHOIS reconnaissance to map out infrastructure and identify vulnerable third-party service providers.

  • Conducted targeted attacks against gaming, technology, and telecommunications organizations after performing detailed WHOIS enumeration.

• FIN7:

  • Financially motivated threat group known to conduct extensive WHOIS reconnaissance to identify potential phishing targets within retail, hospitality, and financial sectors.

  • Used WHOIS information to craft highly targeted phishing emails and social engineering attacks.

• Domain Hijacking Attacks:

  • Attackers frequently use WHOIS reconnaissance to identify domains nearing expiration or with weak registration security practices.

  • Once identified, attackers perform domain hijacking or impersonation attacks, leading to significant brand damage and financial loss.

Tools frequently used for WHOIS reconnaissance include:

• Recon-ng (open-source reconnaissance framework)

• Maltego (commercial intelligence gathering platform)

• SpiderFoot (automated OSINT tool)

• DomainTools (commercial WHOIS lookup and monitoring service)

Impacts observed from WHOIS reconnaissance-driven attacks include:

• Successful spear-phishing campaigns leading to credential compromise or malware infections

• Domain hijacking resulting in loss of control over critical organizational assets and brand reputation

• Identification and exploitation of third-party service providers, leading to supply-chain attacks and data breaches