Domains

Domains [T1584.001]

Information

Name: Domains
ID: T1584.001
Tactics:
Technique:

Introduction

Domains () is a sub-technique of the MITRE ATT&CK framework under the technique "Compromise Infrastructure." It involves adversaries obtaining control over legitimate domain names or creating entirely new domains to facilitate malicious activities. Attackers commonly use these domains to host malware, conduct phishing campaigns, establish command-and-control (C2) servers, or otherwise support persistent and stealthy operations. Utilizing legitimate or seemingly legitimate domains allows adversaries to bypass security controls, evade detection, and enhance the perceived credibility of their malicious activities.

Deep Dive Into Technique

Adversaries executing the "Domains" sub-technique typically employ several methods and mechanisms to acquire and leverage domain infrastructure:

Domain Registration and Acquisition:
- Registering new domains through legitimate domain registrars using fake or stolen identities and payment methods.
- Purchasing expired or abandoned domains previously associated with reputable organizations or services to exploit residual trust.
- Hijacking active domains through DNS hijacking attacks, registrar account compromise, or domain transfer fraud.
Domain Configuration and Management:
- Configuring DNS records (A, AAAA, MX, TXT, CNAME, NS) to point to attacker-controlled infrastructure.
- Utilizing dynamic DNS services to quickly rotate IP addresses and evade detection.
- Employing WHOIS privacy protection services to obscure ownership and administrative details.
- Using legitimate cloud providers or Content Delivery Networks (CDNs) to host malicious content, further complicating attribution and detection.
Operational Usage:
- Hosting malicious payloads, phishing pages, exploit kits, or other attack tools.
- Establishing Command-and-Control (C2) servers to manage compromised systems and exfiltrate data.
- Creating subdomains or DNS records to facilitate lateral movement, persistence, or data exfiltration.
- Leveraging domains in spearphishing and social engineering campaigns to deliver malware or steal credentials.

When this Technique is Usually Used

Attackers typically leverage compromised or maliciously registered domains throughout various stages of their campaigns, including:

Initial Access and Delivery:
- Phishing campaigns utilizing domains closely resembling legitimate organizations (typosquatting, homoglyph attacks).
- Drive-by download attacks hosted on attacker-controlled domains.
Command-and-Control (C2) Stage:
- Establishing persistent, resilient C2 infrastructure to remotely control compromised systems.
- Utilizing domain fronting techniques to hide malicious traffic within legitimate domain traffic.
Exfiltration and Post-Exploitation:
- Domains used for data exfiltration, often disguised as legitimate cloud storage or email services.
- Domains configured for lateral movement and persistence through DNS tunneling or domain generation algorithms (DGAs).
Obfuscation and Evasion:
- Rotating domains frequently to evade blacklists, DNS-based filtering, and threat intelligence detection.
- Leveraging legitimate or compromised domains to blend malicious traffic with normal user activity.

How this Technique is Usually Detected

Detection of malicious domain usage involves multiple layers of monitoring, analysis, and security controls. Methods and tools include:

Domain Reputation and Threat Intelligence Feeds:
- Leveraging threat intelligence platforms (e.g., VirusTotal, AlienVault OTX, IBM X-Force Exchange) to identify malicious domains.
- Monitoring domain registration patterns, WHOIS data, and historical DNS records for suspicious activities.
Network Traffic Analysis:
- Detecting anomalous DNS query patterns or requests to newly registered or rarely visited domains.
- Employing DNS monitoring tools (e.g., Cisco Umbrella, OpenDNS, DNSQuerySniffer) to identify suspicious DNS requests.
- Monitoring for DNS tunneling, domain fronting, and domain generation algorithm (DGA) activities through specialized detection tools.
Endpoint Detection and Response (EDR) Tools:
- Identifying processes or applications making connections to suspicious or malicious domains.
- Analyzing endpoint DNS cache and browser history for unusual domain access.
Security Information and Event Management (SIEM) Solutions:
- Correlating network logs, DNS logs, and endpoint data to detect malicious domain usage.
- Implementing detection rules and alerting mechanisms based on known malicious domains or suspicious DNS activity.
Indicators of Compromise (IoCs):
- Suspicious domain registration details (recently registered domains, privacy-protected WHOIS records).
- DNS records frequently changing IP addresses or pointing to known malicious infrastructure.
- Domains closely resembling legitimate organizations (typosquatting, homoglyphs).
- Unusual DNS query patterns indicative of DNS tunneling or DGA activities.

Why it is Important to Detect This Technique

Detecting malicious domain usage is critical due to its significant potential impact on organizational security and operational integrity. Early detection enables organizations to:

Prevent Initial Compromise:
- Blocking malicious domains prevents phishing attacks, malware delivery, and initial infection vectors.
Minimize Damage and Data Loss:
- Early detection of malicious domains used for C2 or exfiltration can significantly reduce the risk of data breaches and loss of sensitive information.
Maintain Operational Continuity:
- Preventing attackers from leveraging compromised domains ensures uninterrupted access to legitimate services and resources.
Enhance Incident Response Capabilities:
- Identification of malicious domain activity provides valuable context and intelligence for incident responders, enabling quicker remediation and containment.
Protect Reputation and Trust:
- Early detection and mitigation of compromised domains prevent attackers from exploiting an organization’s brand or reputation through phishing or spoofing attacks.

Examples

Real-world examples highlighting the use of malicious or compromised domains include:

APT29 (Cozy Bear):
- Utilized domain fronting techniques and legitimate cloud services (e.g., Amazon AWS, Azure) to conceal malicious C2 traffic within legitimate domain traffic, significantly complicating detection.
Magecart Attacks:
- Attackers registered domains resembling legitimate analytics or CDN services to host malicious JavaScript skimmers, stealing credit card data from compromised e-commerce websites.
Emotet Malware Campaigns:
- Frequently employed domain generation algorithms (DGAs) and rapidly rotating domains to establish resilient and evasive C2 infrastructure, complicating detection and mitigation efforts.
Sea Turtle DNS Hijacking Campaign:
- Attackers compromised DNS registrars and DNS infrastructure to redirect legitimate domains to attacker-controlled servers, intercepting sensitive communications and credentials.
SolarWinds Supply Chain Attack:
- Attackers utilized domains registered with privacy protection and hosted on cloud infrastructure to establish C2 channels and exfiltrate sensitive data undetected for extended periods.

These examples illustrate the diverse and sophisticated ways adversaries leverage domains to evade detection, maintain persistence, and achieve strategic objectives.

Last updated 1 month ago

Introduction

Deep Dive Into Technique

Adversaries executing the "Domains" sub-technique typically employ several methods and mechanisms to acquire and leverage domain infrastructure:

Domain Registration and Acquisition:

Registering new domains through legitimate domain registrars using fake or stolen identities and payment methods.
Purchasing expired or abandoned domains previously associated with reputable organizations or services to exploit residual trust.
Hijacking active domains through DNS hijacking attacks, registrar account compromise, or domain transfer fraud.

Domain Configuration and Management:

Configuring DNS records (A, AAAA, MX, TXT, CNAME, NS) to point to attacker-controlled infrastructure.
Utilizing dynamic DNS services to quickly rotate IP addresses and evade detection.
Employing WHOIS privacy protection services to obscure ownership and administrative details.
Using legitimate cloud providers or Content Delivery Networks (CDNs) to host malicious content, further complicating attribution and detection.

Operational Usage:

Hosting malicious payloads, phishing pages, exploit kits, or other attack tools.
Establishing Command-and-Control (C2) servers to manage compromised systems and exfiltrate data.
Creating subdomains or DNS records to facilitate lateral movement, persistence, or data exfiltration.
Leveraging domains in spearphishing and social engineering campaigns to deliver malware or steal credentials.

When this Technique is Usually Used

Attackers typically leverage compromised or maliciously registered domains throughout various stages of their campaigns, including:

Initial Access and Delivery:

Phishing campaigns utilizing domains closely resembling legitimate organizations (typosquatting, homoglyph attacks).
Drive-by download attacks hosted on attacker-controlled domains.

Command-and-Control (C2) Stage:

Establishing persistent, resilient C2 infrastructure to remotely control compromised systems.
Utilizing domain fronting techniques to hide malicious traffic within legitimate domain traffic.

Exfiltration and Post-Exploitation:

Domains used for data exfiltration, often disguised as legitimate cloud storage or email services.
Domains configured for lateral movement and persistence through DNS tunneling or domain generation algorithms (DGAs).

Obfuscation and Evasion:

Rotating domains frequently to evade blacklists, DNS-based filtering, and threat intelligence detection.
Leveraging legitimate or compromised domains to blend malicious traffic with normal user activity.

How this Technique is Usually Detected

Detection of malicious domain usage involves multiple layers of monitoring, analysis, and security controls. Methods and tools include:

Domain Reputation and Threat Intelligence Feeds:

Leveraging threat intelligence platforms (e.g., VirusTotal, AlienVault OTX, IBM X-Force Exchange) to identify malicious domains.
Monitoring domain registration patterns, WHOIS data, and historical DNS records for suspicious activities.

Network Traffic Analysis:

Detecting anomalous DNS query patterns or requests to newly registered or rarely visited domains.
Employing DNS monitoring tools (e.g., Cisco Umbrella, OpenDNS, DNSQuerySniffer) to identify suspicious DNS requests.
Monitoring for DNS tunneling, domain fronting, and domain generation algorithm (DGA) activities through specialized detection tools.

Endpoint Detection and Response (EDR) Tools:

Identifying processes or applications making connections to suspicious or malicious domains.
Analyzing endpoint DNS cache and browser history for unusual domain access.

Security Information and Event Management (SIEM) Solutions:

Correlating network logs, DNS logs, and endpoint data to detect malicious domain usage.
Implementing detection rules and alerting mechanisms based on known malicious domains or suspicious DNS activity.

Indicators of Compromise (IoCs):

Suspicious domain registration details (recently registered domains, privacy-protected WHOIS records).
DNS records frequently changing IP addresses or pointing to known malicious infrastructure.
Domains closely resembling legitimate organizations (typosquatting, homoglyphs).
Unusual DNS query patterns indicative of DNS tunneling or DGA activities.

Why it is Important to Detect This Technique

Detecting malicious domain usage is critical due to its significant potential impact on organizational security and operational integrity. Early detection enables organizations to:

Prevent Initial Compromise:

Blocking malicious domains prevents phishing attacks, malware delivery, and initial infection vectors.

Minimize Damage and Data Loss:

Early detection of malicious domains used for C2 or exfiltration can significantly reduce the risk of data breaches and loss of sensitive information.

Maintain Operational Continuity:

Preventing attackers from leveraging compromised domains ensures uninterrupted access to legitimate services and resources.

Enhance Incident Response Capabilities:

Identification of malicious domain activity provides valuable context and intelligence for incident responders, enabling quicker remediation and containment.

Protect Reputation and Trust:

Early detection and mitigation of compromised domains prevent attackers from exploiting an organization’s brand or reputation through phishing or spoofing attacks.

Examples

Real-world examples highlighting the use of malicious or compromised domains include:

APT29 (Cozy Bear):

Utilized domain fronting techniques and legitimate cloud services (e.g., Amazon AWS, Azure) to conceal malicious C2 traffic within legitimate domain traffic, significantly complicating detection.

Magecart Attacks:

Attackers registered domains resembling legitimate analytics or CDN services to host malicious JavaScript skimmers, stealing credit card data from compromised e-commerce websites.

Emotet Malware Campaigns:

Frequently employed domain generation algorithms (DGAs) and rapidly rotating domains to establish resilient and evasive C2 infrastructure, complicating detection and mitigation efforts.

Sea Turtle DNS Hijacking Campaign:

Attackers compromised DNS registrars and DNS infrastructure to redirect legitimate domains to attacker-controlled servers, intercepting sensitive communications and credentials.

SolarWinds Supply Chain Attack:

Attackers utilized domains registered with privacy protection and hosted on cloud infrastructure to establish C2 channels and exfiltrate sensitive data undetected for extended periods.

These examples illustrate the diverse and sophisticated ways adversaries leverage domains to evade detection, maintain persistence, and achieve strategic objectives.