Full Report
Easily detect dangling domains to reduce the risk of phishing campaigns and cookie harvesting targeting an organization's customers.
Analysis Summary
# Tool/Technique: Dangling Domain Detection (Wiz Feature)
## Overview
This summary describes the risk associated with "dangling domains" (DNS records pointing to unowned or decommissioned resources, like those in AWS S3) and introduces Wiz's "Dangling Domain Detection" feature designed to automatically identify these risks for Amazon Route 53 users. Dangling domains can be exploited for domain hijacking, leading to phishing or cookie harvesting.
## Technical Details
- Type: Tool/Feature (Security Monitoring Capability)
- Platform: Amazon Route 53 (AWS) environments; future support for other cloud providers planned.
- Capabilities: Scans Route 53 DNS records daily to identify CNAME records that are:
1. Pointing to existing AWS resources but lacking an associated S3 bucket.
2. Pointing to an S3 bucket that does not belong to the organization.
- First Seen: Not explicitly mentioned, but announced as a new feature for Wiz Advanced customers.
## MITRE ATT&CK Mapping
The core technique exploited is Subdomain Takeover, which falls under Resource Hijacking.
- **TA0001 - Initial Access** (Indirectly, as the technique enables hijacking for initial access)
- T1536 - Data from Local System (If the hijack leads to credential harvesting)
- **TA0003 - Persistence** (If the attacker maintains control via the hijacked domain)
- **TA0005 - Defense Evasion** (Using legitimate established domain infrastructure)
- **TA0007 - Discovery**
- T1596 / T1596.002 - Search Open Technical Databases
- External Remote Services (Subdomain Takeover is a form of resource hijacking via external exposure)
## Functionality
### Core Capabilities
- Automatically analyzes AWS Route 53 DNS entries for dangling conditions.
- Provides visibility into domains registered with Amazon Route 53.
- Runs checks daily to ensure continuous protection.
### Advanced Features
- Detects two specific dangling scenarios related to S3 buckets: missing S3 association for a resource-pointing CNAME, or association with an external, non-organization-owned S3 bucket.
- Integrates findings into an external exposures dashboard featuring rich visualizations for early alerting.
- Requires no manual supply of domain lists; works out of the box for AWS customers.
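The two dangling scenarios listed under Technical Details and Advanced Features (a CNAME whose S3 endpoint has no bucket behind it, and a CNAME whose bucket exists but belongs to someone else) can be expressed as a small classifier over Route 53 record sets. The following is an added example written for this page; it is not Wiz's code and does not reflect how their feature is implemented. It assumes the record dictionaries have the shape returned by Route 53's ListResourceRecordSets API, and it replaces the two live lookups (the organization's bucket inventory and the "does this bucket exist anywhere" probe) with constructed sets so that it runs offline.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Set

# Host-style S3 endpoints a CNAME can point at; the bucket name is everything before ".s3":
#   <bucket>.s3.amazonaws.com
#   <bucket>.s3.<region>.amazonaws.com
#   <bucket>.s3-website-<region>.amazonaws.com
#   <bucket>.s3-website.<region>.amazonaws.com
S3_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)


class Status(Enum):
    OWNED = "owned"                    # bucket exists and is in our inventory: healthy
    MISSING_BUCKET = "missing-bucket"  # endpoint is valid but no such bucket exists: claimable
    FOREIGN_BUCKET = "foreign-bucket"  # bucket exists but is not ours: already taken


@dataclass(frozen=True)
class Finding:
    record_name: str
    target: str
    bucket: str
    status: Status


def s3_bucket_from_target(target: str) -> Optional[str]:
    """Return the bucket name if `target` is an S3 endpoint hostname, else None."""
    m = S3_ENDPOINT.match(target.strip().lower())
    return m.group("bucket") if m else None


def classify(record: dict, owned: Set[str], existing: Set[str]) -> Optional[Finding]:
    """Classify one Route 53 record set. Non-CNAME records and non-S3 targets return None."""
    if record.get("Type") != "CNAME":
        return None
    for rr in record.get("ResourceRecords", []):
        bucket = s3_bucket_from_target(rr["Value"])
        if bucket is None:
            continue
        if bucket in owned:
            status = Status.OWNED
        elif bucket in existing:
            status = Status.FOREIGN_BUCKET
        else:
            status = Status.MISSING_BUCKET
        return Finding(record["Name"], rr["Value"], bucket, status)
    return None


def find_dangling(records: Iterable[dict], owned: Set[str], existing: Set[str]) -> List[Finding]:
    """Return only the records that need attention (bucket missing or owned by someone else)."""
    findings = (classify(r, owned, existing) for r in records)
    return [f for f in findings if f is not None and f.status is not Status.OWNED]


# --- constructed sample inventory and zone data (hypothetical, not real infrastructure) ---
# Bucket names the organization owns, e.g. collected via s3:ListAllMyBuckets in every account.
OWNED_BUCKETS = {"assets-example"}
# Buckets known to exist anywhere in S3. A live check would call HeadBucket per name:
# 404 means unclaimed (MISSING_BUCKET), 403 means it exists in another account (FOREIGN_BUCKET).
EXISTING_BUCKETS = {"assets-example", "promo-2019"}

SAMPLE_RECORDS = [
    {"Name": "assets.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "assets-example.s3.amazonaws.com"}]},
    {"Name": "old-docs.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "old-docs-example.s3-website-us-east-1.amazonaws.com"}]},
    {"Name": "promo.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "promo-2019.s3.eu-west-1.amazonaws.com"}]},
    {"Name": "mail.example.com.", "Type": "CNAME",
     "ResourceRecords": [{"Value": "mail.provider.example.net."}]},
    {"Name": "example.com.", "Type": "A",
     "ResourceRecords": [{"Value": "192.0.2.10"}]},
]

if __name__ == "__main__":
    for f in find_dangling(SAMPLE_RECORDS, OWNED_BUCKETS, EXISTING_BUCKETS):
        print(f"{f.status.value:15} {f.record_name} -> {f.target} (bucket {f.bucket})")
```

On the sample zone this reports `old-docs.example.com.` as `missing-bucket` (the endpoint is well-formed but nobody holds that bucket name, which is the record to delete first) and `promo.example.com.` as `foreign-bucket` (the name is already held outside the inventory, so whatever it serves is not under the organization's control). Records that are not CNAMEs, or that point outside S3, are ignored, matching the feature's stated S3-only scope. The split between the inventory set and the existence set matters: a bucket that is merely absent from the inventory is not automatically dangling, and treating it as such would flood the dashboard with false positives for buckets in accounts the inventory job did not cover.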
## Indicators of Compromise
*Note: This feature detects potential compromise vectors (the dangling record itself), not active malware.*
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (It reports on existing DNS infrastructure configurations that are vulnerable.)
- Behavioral Indicators: DNS records exhibiting a CNAME pointing to an inactive/unsecured AWS resource endpoint.
## Associated Threat Actors
- Bug Bounty Hunters (Known to exploit this low-hanging fruit).
- Generic Hijackers (Actors looking to execute phishing campaigns or cookie harvesting).
## Detection Methods
- Signature-based detection: N/A (This is a configuration auditing tool.)
- Behavioral detection: N/A (It focuses on static configuration auditing of DNS records.)
- YARA rules if available: N/A
## Mitigation Strategies
- **Immediate Action:** Delete unused aliases from the DNS zone when decommissioning services.
- **Proactive Mitigation:** Regularly monitor DNS zones for empty or potentially dangling aliases.
- **Tool Recommendation:** Utilize Wiz's Dangling Domain Detection feature (for AWS customers) for automated, continuous monitoring.
## Related Tools/Techniques
- DNS Hijacking
- Subdomain Takeover (The security concept being mitigated)
- DNS Zone Auditing Tools