Shadow DNS
Also known as domain shadowing: the process of gathering domain registrant account credentials in order to silently create subdomains, pointed at malicious servers, under a legitimately registered domain without tipping off the actual owner. Because the parent domain is established and reputable, the new subdomains inherit its reputation and are unlikely to be blocked on sight. [1] [2]
Detection
Detectable by Common Defenses (Yes/No/Partial): Partial
Explanation: Detecting this technique requires domain owners to routinely review their registrar accounts and DNS zones for records they did not create. Defenders have also had success blocklisting the shadow subdomains or the IP addresses they resolve to, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign, since creating new records under the compromised account costs nothing.
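One way to do the routine review described above is to diff a zone export from the registrar against a baseline of records the owner knowingly created, then score anything new on traits the cited reports associate with shadowing: a target address outside the organization's own ranges, a random-looking label, and a short TTL that eases rotation. The following is an added example, not code from the MITRE page or from either cited report; the zone format, the baseline, the owned address range and the sample export are all constructed for illustration.

```python
"""Score new DNS records in a registrar zone export for domain shadowing.

Added example; the record format, BASELINE, OWNED_NETWORKS and SAMPLE_ZONE
are constructed, not taken from a real zone or from the cited reports.
"""
import ipaddress
import math
from collections import Counter

# Constructed baseline: (name, type, rdata) tuples the owner knowingly created.
BASELINE = {
    ("www.example.com.", "A", "203.0.113.10"),
    ("mail.example.com.", "A", "203.0.113.20"),
    ("example.com.", "MX", "mail.example.com."),
}

# Constructed: address space the organization actually controls.
OWNED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed zone export: the baseline, one legitimate new record (blog),
# and three shadow subdomains pointed at addresses the owner does not control.
SAMPLE_ZONE = """\
www.example.com.       3600 IN A  203.0.113.10
mail.example.com.      3600 IN A  203.0.113.20
example.com.           3600 IN MX mail.example.com.
blog.example.com.      3600 IN A  203.0.113.30
x8k2q1pd.example.com.  300  IN A  198.51.100.77
t9zm4lrv.example.com.  300  IN A  198.51.100.77
q7hw2nxb.example.com.  300  IN A  198.51.100.78
"""


def parse_zone(text):
    """Parse 'name ttl IN type rdata' lines into (name, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # skip blank lines, comments and anything not in the expected shape
        name, ttl, rtype, rdata = parts[0], int(parts[1]), parts[3], " ".join(parts[4:])
        records.append((name, ttl, rtype, rdata))
    return records


def label_entropy(label):
    """Shannon entropy in bits per character; machine-generated labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_shadow_records(zone_text, baseline=BASELINE, owned=OWNED_NETWORKS):
    """Return every record not in the baseline, with a score and the reasons for it.

    A new record that looks like ordinary administration (blog pointed at owned
    space, long TTL) scores 0; shadow records typically trip all three checks.
    """
    findings = []
    for name, ttl, rtype, rdata in parse_zone(zone_text):
        if (name, rtype, rdata) in baseline:
            continue
        reasons = []
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            if not any(ip in net for net in owned):
                reasons.append("target outside owned address ranges")
        first_label = name.split(".")[0]
        if len(first_label) >= 6 and label_entropy(first_label) > 2.5:
            reasons.append("high-entropy label")
        if ttl <= 300:
            reasons.append("short TTL")
        findings.append({"name": name, "rdata": rdata, "score": len(reasons), "reasons": reasons})
    return findings


def suspicious(findings, threshold=2):
    """Filter findings down to those worth an analyst's attention."""
    return [f for f in findings if f["score"] >= threshold]


if __name__ == "__main__":
    for f in suspicious(find_shadow_records(SAMPLE_ZONE)):
        print(f"{f['name']} -> {f['rdata']}: {', '.join(f['reasons'])}")
```

The baseline diff is the part that matters: shadowing only works because the owner never looks at the zone, so any record the owner cannot account for should be reviewed regardless of score. The heuristics exist to rank a large batch of new records, not to excuse ignoring low-scoring ones, and an adversary who picks dictionary-word labels and long TTLs will defeat them while still failing the baseline check.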
Difficulty for the Adversary
Easy for the Adversary (Yes/No): Yes
Explanation: To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with the stolen credentials, and creates a large number of subdomains pointed at attacker-controlled servers.
References
- Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.
- Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017.