14,952
edits
Changes
Jump to navigation
Jump to search
Line 1:
Line 1: − + + Line 8:
Line 9: + +
no edit summary
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
==Indicators of Compromise==
Indicators of Compromise (IOC)
==Types==
==Types==
Adversaries hijack domains and/or subdomains to target victims.
Adversaries hijack domains and/or subdomains to target victims.
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
==Examples==
* Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, [[APT1]] hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.<ref>[https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units APT1:Exposing One of China's Cyberespionage Units, Mandiant]</ref>
==References==
==References==
[[Category:DNS Abuse]]
[[Category:DNS Abuse]]