Difference between revisions of "Compromised Domain"

From ICANNWiki
m (added Category:DNS Abuse using HotCat)
Line 1: Line 1:
 
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
 
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].
  
 +
==Types==
 +
Adversaries hijack domains and/or subdomains to target victims.
 +
===Registration Hijacking===
 +
Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to an email account for the person listed as the owner of the domain and then claim that they forgot their password to change to the domain registration. They could also engage in [[Social Engineering]] with the help desk to gain access to an account or take advantage of renewal process gaps.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
 +
===Subdomain Hijacking===
 +
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infracture, MITRE ATT&CK]</ref>
 +
 +
==References==
 
[[Category:DNS Abuse]]
 
[[Category:DNS Abuse]]
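Review bot: both new `<ref>` tags cite the MITRE page with the title misspelled as "Compromised Infracture"; the technique page at that URL is titled "Compromise Infrastructure: Domains", so the link text should read `Compromise Infrastructure: Domains, MITRE ATT&CK`. Since the two refs carry the identical URL, a named reference (`<ref name="mitre-t1584-001">` on the first use and `<ref name="mitre-t1584-001" />` on the second) would avoid a duplicated entry under References. In the Registration Hijacking paragraph, "claim that they forgot their password to change to the domain registration" should read "to change the domain registration".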

Revision as of 16:48, 3 March 2022

A Compromised Domain has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of DNS Abuse.

Types

Adversaries hijack domains and/or subdomains to target victims.

Registration Hijacking

Threat actors may change the registration of a domain name without the permission of the original registrant. They may gain access to the email account of the person listed as the owner of the domain and then claim that they forgot their password in order to change the domain registration. They could also engage in Social Engineering with the help desk to gain access to an account or take advantage of renewal process gaps.[1]
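The defensive counterpart to the paragraph above is to watch the registration itself: keep the registrar locks set and alert on any change to the nameserver set or registrant contact. The following is an added example (it is not ICANNWiki's code and not part of the article) that compares a current RDAP-style record against a stored known-good baseline. Both records are constructed sample data; the RDAP status vocabulary ("client transfer prohibited" and so on) is real, but the flat `registrant_email` key is a simplification of RDAP's vCard entity structure, assumed here for brevity.

```python
"""Flag registrar-side indicators of registration hijacking.

Added example, not ICANNWiki's code. Compares a current RDAP-style record
for a domain with a stored baseline and reports:
  * missing registrar locks (RDAP status values that block unauthorised
    transfer, update and deletion), and
  * changes to the nameserver set or the registrant contact email, which
    are usually the first visible sign that a registration was altered.
Both snapshots below are constructed sample data, not real RDAP output.
The "registrant_email" key is an assumed simplification of RDAP's
vCard-based entity records.
"""
from __future__ import annotations

# RDAP status values a registrant should keep set on a domain they control.
REQUIRED_LOCKS = {
    "client transfer prohibited",
    "client update prohibited",
    "client delete prohibited",
}

# Constructed baseline snapshot recorded while the domain was known-good.
BASELINE = {
    "ldhName": "example.com",
    "status": sorted(REQUIRED_LOCKS),
    "nameservers": [
        {"ldhName": "ns1.example-dns.net"},
        {"ldhName": "ns2.example-dns.net"},
    ],
    "registrant_email": "hostmaster@example.com",
}

# Constructed "current" snapshot: locks dropped, nameservers and contact changed.
CURRENT = {
    "ldhName": "example.com",
    "status": ["active"],
    "nameservers": [
        {"ldhName": "ns1.unknown-host.invalid"},
        {"ldhName": "ns2.unknown-host.invalid"},
    ],
    "registrant_email": "someone@mailbox.invalid",
}


def nameserver_set(record: dict) -> set[str]:
    """Normalise the nameserver list to a case-insensitive set of names."""
    return {ns["ldhName"].lower().rstrip(".") for ns in record.get("nameservers", [])}


def audit_registration(baseline: dict, current: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing changed."""
    findings: list[str] = []

    present = {s.lower() for s in current.get("status", [])}
    for lock in sorted(REQUIRED_LOCKS - present):
        findings.append(f"lock missing: {lock}")

    old_ns, new_ns = nameserver_set(baseline), nameserver_set(current)
    if old_ns != new_ns:
        findings.append(f"nameservers changed: {sorted(old_ns)} -> {sorted(new_ns)}")

    if baseline.get("registrant_email") != current.get("registrant_email"):
        findings.append("registrant contact email changed")

    return findings


if __name__ == "__main__":
    for finding in audit_registration(BASELINE, CURRENT):
        print(finding)
```

In practice the baseline would be captured once from the registrar's RDAP service and the comparison run on a schedule; a missing lock is worth fixing at the registrar even when nothing else has changed, because it is the control that stops a help-desk or password-reset hijack from turning into a transfer.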

Subdomain Hijacking

Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.[2]
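The condition described above, a subdomain whose DNS record still points at a host that no longer exists, is something a zone owner can audit for directly. The following is an added example (not ICANNWiki's code and not part of the article) that parses CNAME records out of a constructed BIND-style zone fragment and reports any whose target does not resolve. To keep it runnable offline, name resolution is simulated by a constructed lookup table (`RESOLVABLE`); in real use `resolves()` would perform an actual DNS query and treat NXDOMAIN as dangling.

```python
"""Find subdomains whose CNAME points at a name that no longer resolves.

Added example, not ICANNWiki's code. Audits a zone for the dangling-record
condition: a CNAME whose target has been de-provisioned. Name resolution
is simulated with the constructed RESOLVABLE table so the example runs
offline; replace resolves() with a real lookup in practice.
"""
from __future__ import annotations

import re
from typing import Iterator

# Constructed BIND-style zone fragment. The "old-app" target has been
# decommissioned, which is the dangling case this check is meant to catch.
ZONE = """\
$ORIGIN example.com.
@        IN  SOA    ns1.example-dns.net. hostmaster.example.com. (1 3600 900 604800 300)
@        IN  NS     ns1.example-dns.net.
www      IN  A      192.0.2.10
blog     IN  CNAME  blog-host.pages.invalid.   ; still provisioned
old-app  IN  CNAME  app-123.hosting.invalid.   ; host was deleted
shop     IN  CNAME  www                        ; relative name, same zone
"""

# Constructed stand-in for the resolver: the only names that still exist.
RESOLVABLE = {"blog-host.pages.invalid.", "www.example.com."}

# Matches "<owner> [ttl] [IN] CNAME <target>" for records with an explicit owner.
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)


def qualify(name: str, origin: str) -> str:
    """Turn a zone-file name into a fully qualified name using $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_cnames(zone: str) -> Iterator[tuple[str, str]]:
    """Yield (owner, target) pairs as fully qualified names."""
    origin = "."
    for raw in zone.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        m = CNAME_RE.match(line)
        if m:
            yield qualify(m.group(1), origin), qualify(m.group(2), origin)


def resolves(name: str) -> bool:
    """Simulated lookup; a real version would query DNS and treat NXDOMAIN as False."""
    return name in RESOLVABLE


def dangling_cnames(zone: str) -> list[tuple[str, str]]:
    """Return every (owner, target) whose target no longer resolves."""
    return [(owner, target) for owner, target in parse_cnames(zone) if not resolves(target)]


if __name__ == "__main__":
    for owner, target in dangling_cnames(ZONE):
        print(f"dangling: {owner} -> {target}")
```

The remediation for each finding is to delete the record or repoint it at a host the organisation still controls; running the audit whenever cloud resources are decommissioned closes the window in which the trust attached to the subdomain could be reused.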

References