cti-ATT-CK-v13.1/pre-attack/attack-pattern/attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a.json

{
    "type": "bundle",
    "id": "bundle--8b2fff14-9376-4a8e-91f2-1449e3a1ab47",
    "spec_version": "2.0",
    "objects": [
        {
            "id": "attack-pattern--3f157dee-74f0-41fc-801e-f837b8985b0a",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "Shadow DNS",
            "description": "This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1340).\n\nThe process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)",
            "external_references": [
                {
                    "source_name": "mitre-pre-attack",
                    "url": "https://attack.mitre.org/techniques/T1340",
                    "external_id": "T1340"
                },
                {
                    "source_name": "CiscoAngler",
                    "description": "Nick Biasini. (2015, March 3). Threat Spotlight: Angler Lurking in the Domain Shadows. Retrieved March 6, 2017.",
                    "url": "https://blogs.cisco.com/security/talos/angler-domain-shadowing"
                },
                {
                    "source_name": "ProofpointDomainShadowing",
                    "description": "Proofpoint Staff. (2015, December 15). The shadow knows: Malvertising campaigns use domain shadowing to pull in Angler EK. Retrieved March 6, 2017."
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "type": "attack-pattern",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-pre-attack",
                    "phase_name": "establish-&-maintain-infrastructure"
                }
            ],
            "modified": "2020-10-26T13:42:49.342Z",
            "created": "2017-12-14T16:46:06.044Z",
            "x_mitre_old_attack_id": "PRE-T1117",
            "x_mitre_version": "1.0",
            "x_mitre_difficulty_for_adversary_explanation": "To successfully conduct this attack, an adversary usually phishes the individual behind the domain registrant account, logs in with credentials, and creates a large amount of subdomains.",
            "x_mitre_difficulty_for_adversary": "Yes",
            "x_mitre_detectable_by_common_defenses_explanation": "Detection of this technique requires individuals to monitor their domain registrant accounts routinely.  In addition, defenders have had success with blacklisting sites or IP addresses, but an adversary can defeat this by rotating either the subdomains or the IP addresses associated with the campaign.",
            "x_mitre_detectable_by_common_defenses": "Partial",
            "x_mitre_deprecated": true
        }
    ]
}