{"id":6423,"date":"2024-02-24T18:45:06","date_gmt":"2024-02-24T13:15:06","guid":{"rendered":"https:\/\/shreshtait.com\/blog\/?p=6423"},"modified":"2024-03-13T21:39:50","modified_gmt":"2024-03-13T16:09:50","slug":"domain-shadowing","status":"publish","type":"post","link":"https:\/\/shreshtait.com\/blog\/2024\/02\/domain-shadowing\/","title":{"rendered":"Domain shadowing"},"content":{"rendered":"\n

Domain shadowing is a technique listed by MITRE ATT&CK as T1584.001<\/a> sub-technique of T1584<\/a> <\/p>\n\n\n\n

\"MITRE
Figure 1 – Domain shadowing as documented by MITRE ATT@CK framework<\/figcaption><\/figure>\n\n\n\n

This technique is not to be confused with subdomain hijacking<\/a><\/p>\n\n\n\n

What is a domain shadowing attack?<\/strong><\/h2>\n\n\n\n
\"Image<\/figure>\n\n\n\n

Threat actors gain control of the DNS control panel of legitimate domain names by brute force and stealthily insert subdomains pointing to the attackers’ network infrastructure.<\/p>\n\n\n\n

The DNS records of the apex domain name are untouched. <\/p>\n\n\n\n

<\/p>\n\n\n\n

Why does domain shadowing attack occur?<\/strong><\/h2>\n\n\n\n

Our hypothesis for the most likely scenario is that the attackers use brute force on the registrants’ domain name control panel. Once successful, stealthy create subdomains under legitimate domain names, which point to the attackers’ infrastructure.<\/p>\n\n\n\n

\"Representation
Figure 2 – Representation of domain shadowing attack using example.com domain name<\/figcaption><\/figure>\n\n\n\n

Here are the reasons why this attack is possible, <\/p>\n\n\n\n