Defacement: Subdomain Takeover
AWS Specific Sub-Technique
Other sub-techniques of Defacement (2)
| ID | Name |
|---|---|
| T1491.A001 | Subdomain Takeover |
AWS Specific Content
A prerequisite for this technique is that an organization has a resource that has been deleted or removed, but a DNS record for the resource still exists.
If a threat actor finds this condition in an environment, they can re-provision the resource that the DNS record points to while controlling the content it serves; this is known as a Subdomain Takeover. Users who browse to the resource via its DNS name are served the content provisioned by the adversary. This tactic is also known as "Dangling DNS" abuse. Although creating the resource generates API calls, those calls are typically made in an AWS account controlled by the threat actor, so they are not visible to the victim.
Detection
AWS Specific Content
Periodically review and audit your DNS record configurations and entries to make sure that every CNAME entry is mapped to a resource that still exists.
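The audit described above, as an added example that is not part of the original page: it walks a list of Route 53 resource record sets (a constructed sample in the shape returned by ListResourceRecordSets, trimmed to the fields needed) and reports CNAMEs whose target no longer resolves. The resolver is injectable so the check can be exercised without network access.

```python
import socket

# Constructed sample in the shape of Route 53 ListResourceRecordSets output
# (only the fields the audit needs). shop.example.com points at a target that
# is assumed to have been deleted.
SAMPLE_RECORD_SETS = [
    {"Name": "www.example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "203.0.113.10"}]},
    {"Name": "shop.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-shop-bucket.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "app.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "d111111abcdef8.cloudfront.net"}]},
]


def target_resolves(hostname):
    """Return True if the CNAME target still resolves via the system resolver."""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(record_sets, resolves=target_resolves):
    """Return (record name, target) pairs for CNAME records whose target does
    not resolve. `resolves` is a callable(hostname) -> bool; the default uses
    DNS, and a stub can be passed in for offline testing."""
    dangling = []
    for rrset in record_sets:
        if rrset.get("Type") != "CNAME":
            continue  # A/AAAA/PTR records are audited separately
        for rr in rrset.get("ResourceRecords", []):
            target = rr["Value"].rstrip(".")
            if not resolves(target):
                dangling.append((rrset["Name"], target))
    return dangling


if __name__ == "__main__":
    # Live run against the constructed sample using the real resolver.
    for name, target in find_dangling_cnames(SAMPLE_RECORD_SETS):
        print(f"DANGLING: {name} -> {target} (target does not resolve)")
```

A target that resolves is not necessarily safe: some service endpoints resolve for any hostname and only fail at the HTTP layer, so pair this with a check that the referenced resource still exists in an account you control.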
Mitigation
AWS Specific Content
Remove the records that point to the unauthorized resources created by the threat actor, or configure the records to point to a different resource. In general, when working with DNS, always remove CNAME/A/PTR records before removing the underlying resource that the record points to.
To remove a record using the Route 53 console:
Sign in to the AWS Management Console and open the Route 53 console. In the navigation pane, choose Hosted zones.