Compromised Domain: Difference between revisions

Line 1 (both revisions):
A '''Compromised Domain''' has legitimate content elsewhere on the domain or evidence that it was once used for legitimate purposes but now shows signs of [[DNS Abuse]].

==Indicators of Compromise==
Indicators of Compromise (IOC)

==Types==
Adversaries hijack domains and/or subdomains to target victims.

Line 8 (old revision) / Line 9 (new revision):
Threat actors can also hijack sites by using DNS entries that point to non-existent or de-provisioned subdomains. They can take control of subdomains to conduct operations and take advantage of the trust associated with the site or the organization.<ref>[https://attack.mitre.org/techniques/T1584/001/ Compromised Infrastructure, MITRE ATT&CK]</ref>
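A defender-side audit for the dangling DNS entries described above, added here as an example and not part of the original wiki page: it parses a constructed BIND-style zone excerpt, looks up every CNAME target through a resolver (a stub answer table stands in for live DNS so the check runs offline; a system-resolver variant is included for real zones), and reports records whose target no longer resolves. All names used (example.test and the hosting and CDN targets) are constructed.

```python
"""Dangling-CNAME audit for a DNS zone (added example; zone data is constructed)."""
import socket

# Constructed zone excerpt in BIND syntax. The blog entry points at a
# hosting name that has been de-provisioned and no longer resolves.
SAMPLE_ZONE = """
$ORIGIN example.test.
www   IN CNAME example.test.
blog  IN CNAME old-blog.hosting.example.net.
shop  IN CNAME shop-prod.cdn.example.org.
mail  IN A     192.0.2.10
"""

# Constructed resolver answers standing in for live DNS; None models NXDOMAIN.
STUB_ANSWERS = {
    "example.test.": "192.0.2.1",
    "old-blog.hosting.example.net.": None,
    "shop-prod.cdn.example.org.": "198.51.100.7",
}

def stub_resolve(name):
    return STUB_ANSWERS.get(name)

def live_resolve(name):
    """Real lookup via the system resolver; returns None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name.rstrip("."))
    except socket.gaierror:
        return None

def parse_cnames(zone_text):
    """Yield (owner, target) pairs for CNAME records, qualifying relative names."""
    origin = "."
    for line in zone_text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if len(fields) >= 4 and fields[2] == "CNAME":
            owner = fields[0] if fields[0].endswith(".") else f"{fields[0]}.{origin}"
            target = fields[3] if fields[3].endswith(".") else f"{fields[3]}.{origin}"
            yield owner, target

def find_dangling(zone_text, resolve=stub_resolve):
    """Return [(owner, target)] for CNAMEs whose target no longer resolves."""
    return [(o, t) for o, t in parse_cnames(zone_text) if resolve(t) is None]
```

Run `find_dangling(zone_text, resolve=live_resolve)` against an exported zone to check real records; a non-empty result is a candidate for subdomain takeover and the record should be removed or re-pointed.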
==Examples==
* Connected with China's 2nd Bureau of the People's Liberation Army General Staff Department's 3rd Department, [[APT1]] hijacked 141 victim organizations across multiple industries beginning in 2006. APT1 hijacked fully qualified domain names/absolute domain names associated with legitimate websites hosted by hop points.<ref>[https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units APT1: Exposing One of China's Cyber Espionage Units, Mandiant]</ref>

==References==
[[Category:DNS Abuse]]