Domain registration hijacking
Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. [1]
Procedure Examples
| Name | Description |
|---|---|
| APT1 | APT1 hijacked FQDNs associated with legitimate websites hosted by hop points. Mandiant considers them to be "hijacked" since they were originally registered for a legitimate reason but are used by APT1 for malicious purposes.[2] |
Detection
Detectable by Common Defenses (Yes/No/Partial): No
Explanation: Generally not easily detectable unless the domain registrar provides alerting on any updates to the registration.
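Where the registrar offers no change alerting, a defender can poll the registration record for their own domains and diff it against a stored baseline. The following Python is an added example, not part of this ATT&CK page: it reduces an RDAP domain object (RFC 9083 shape, with RFC 8056 status wording) to the fields a hijack typically changes and reports every difference, including a dropped transfer lock. The RDAP records, domain names and helper names are constructed for this example.

```python
from typing import Any, Dict, List

# RDAP status values (RFC 8056 wording) that block unauthorized transfers/updates.
LOCK_STATUSES = {"client transfer prohibited", "client update prohibited"}

def _vcard_value(entity: Dict[str, Any], prop_name: str) -> str:
    """Pull one jCard property (e.g. 'fn', 'email') out of an RDAP entity."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == prop_name:
            return str(prop[3])
    return ""

def normalize_rdap(rdap: Dict[str, Any]) -> Dict[str, Any]:
    """Reduce an RDAP domain object to the fields a hijack typically changes."""
    snap = {"registrar": "", "registrant_email": "",
            "nameservers": sorted(ns["ldhName"].lower() for ns in rdap.get("nameservers", [])),
            "status": sorted(s.lower() for s in rdap.get("status", []))}
    for ent in rdap.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles:
            snap["registrar"] = _vcard_value(ent, "fn")
        if "registrant" in roles:
            snap["registrant_email"] = _vcard_value(ent, "email").lower()
    return snap

def diff_registration(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[str]:
    """Return one alert line per watched field that changed, plus any lost lock."""
    alerts = [f"{f} changed: {baseline[f]!r} -> {current[f]!r}"
              for f in ("registrar", "registrant_email", "nameservers", "status") if baseline[f] != current[f]]
    lost_locks = LOCK_STATUSES & (set(baseline["status"]) - set(current["status"]))
    alerts += [f"registrar lock removed: {lock}" for lock in sorted(lost_locks)]
    return alerts

def _record(status, nameservers, registrar, registrant_email) -> Dict[str, Any]:
    """Build a constructed RDAP-shaped record (sample data, not a real lookup)."""
    return {"status": status,
            "nameservers": [{"ldhName": n} for n in nameservers],
            "entities": [
                {"roles": ["registrar"], "vcardArray": ["vcard", [["fn", {}, "text", registrar]]]},
                {"roles": ["registrant"], "vcardArray": ["vcard", [["email", {}, "text", registrant_email]]]}]}

# Constructed baseline and a later poll: nameservers and registrant contact changed
# and the transfer lock disappeared, while the registrar stayed the same.
BASELINE = _record(["client transfer prohibited", "client update prohibited"],
                   ["NS1.EXAMPLE-CORP.TEST", "ns2.example-corp.test"], "Example Registrar Inc.", "dns-admin@example-corp.test")
CURRENT = _record(["client update prohibited"],
                  ["ns1.unknown-host.test", "ns2.unknown-host.test"], "Example Registrar Inc.", "newowner@webmail.test")

def check_domain() -> List[str]:
    return diff_registration(normalize_rdap(BASELINE), normalize_rdap(CURRENT))
```

Running `check_domain()` on the constructed records yields four alerts; an empty list from a real poll means the watched fields are unchanged since the baseline was taken.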
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: Requires the adversary to gain access to an email account for the person listed as the domain registrar/POC. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account, or taking advantage of gaps in the renewal process.
References
- ICANN Security and Stability Advisory Committee. (2005, July 12). DOMAIN NAME HIJACKING: INCIDENTS, THREATS, RISKS, AND REMEDIAL ACTIONS. Retrieved March 6, 2017.