DNS Under Siege: The Covert Campaign Hijacking Thousands of Domains


Tags: Sitting Ducks, Domain Hijacking, Phishing
The "Sitting Ducks" campaign exploits DNS weaknesses to hijack over 35,000 domains without ever accessing the owners' accounts. It targets domains whose DNS provider performs weak ownership verification and whose authoritative name servers are misconfigured or hosted at a DNS provider different from the registrar. Russian cybercriminals primarily use the hijacked domains for phishing, malware distribution, and data theft.
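The misconfiguration the summary names, delegated name servers that do not actually serve the zone (a lame delegation), is something a domain owner can check for. The following is an added example written for this page, not code from the campaign record or from any vendor: the classification logic runs offline on constructed responses, and the optional live probe assumes the dnspython package is installed. The domain and name-server names are placeholders.

```python
"""Lame-delegation check for domains you own (added example).

A delegated name server is "lame" for a zone when it does not answer
the zone's SOA query authoritatively (NOERROR with the AA flag). Lame
servers are the exposure described in the campaign summary: the zone
is delegated to a provider that is not actually configured to serve it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class NsResponse:
    """What one delegated NS returned for the zone's SOA query.

    rcode: DNS response code name (NOERROR, REFUSED, SERVFAIL, NXDOMAIN, ...).
    aa:    Authoritative Answer flag.
    answered: False when the query timed out and no response was received.
    """
    rcode: str
    aa: bool
    answered: bool = True


def classify_delegation(responses: Dict[str, NsResponse]) -> Tuple[str, List[str]]:
    """Return (status, lame_servers).

    status is one of:
      "ok"       every delegated NS answered authoritatively
      "partial"  some NS are lame; the zone still resolves via the others,
                 but the lame servers need to be fixed or removed from the
                 delegation
      "lame"     no NS answers authoritatively (the zone is unresolvable and
                 its delegation points at servers that do not host it)
    """
    lame = [ns for ns, r in responses.items()
            if not (r.answered and r.rcode == "NOERROR" and r.aa)]
    if not responses or len(lame) == len(responses):
        return "lame", lame
    if lame:
        return "partial", lame
    return "ok", []


def probe_delegation(domain: str, ns_names: Iterable[str],
                     timeout: float = 3.0) -> Dict[str, NsResponse]:
    """Live probe (assumption: dnspython is installed; not run by the tests).

    ns_names should be the NS set as published by the parent zone / registrar,
    passed in explicitly: asking a recursive resolver for the NS records fails
    exactly when the delegation is lame, which is the case we want to catch.
    """
    import dns.flags
    import dns.message
    import dns.query
    import dns.rcode
    import dns.resolver

    out: Dict[str, NsResponse] = {}
    for ns in ns_names:
        try:
            ip = dns.resolver.resolve(ns, "A")[0].address
            query = dns.message.make_query(domain, "SOA")
            resp = dns.query.udp(query, ip, timeout=timeout)
            out[ns] = NsResponse(dns.rcode.to_text(resp.rcode()),
                                 bool(resp.flags & dns.flags.AA))
        except Exception:  # timeout, unresolvable NS host, network error
            out[ns] = NsResponse("TIMEOUT", False, answered=False)
    return out


# Constructed sample for a hypothetical domain delegated to three servers.
SAMPLE_RESPONSES = {
    "ns1.example-dns.invalid": NsResponse("NOERROR", True),    # healthy
    "ns2.example-dns.invalid": NsResponse("REFUSED", False),   # zone not configured there
    "ns3.example-dns.invalid": NsResponse("NOERROR", False),   # non-authoritative answer
}

if __name__ == "__main__":
    status, lame = classify_delegation(SAMPLE_RESPONSES)
    print(f"status={status} lame={lame}")
```

Run the check periodically against every domain in your portfolio, feeding `probe_delegation` the NS hosts your registrar shows; a "partial" or "lame" result means the delegation and the DNS provider's zone configuration disagree and should be reconciled.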

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1078-Valid Accounts

ID | Data Source | Data Component | Detects
DS0028 | Logon Session | Logon Session Creation | Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).
DS0028 | Logon Session | Logon Session Metadata | Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.
DS0002 | User Account | User Account Authentication | Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
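Two of the Logon Session Metadata checks above (one account with concurrent sessions on several hosts, and logons outside business hours) can be expressed directly over session events. The following is an added example, not code from this page or from MITRE; the events are constructed, and the field layout and business-hours window are assumptions rather than any product's schema.

```python
"""Logon-session correlation checks (added example).

Each event is (account, host, logon_time, logoff_time); logoff_time is
None for a session that is still open. Timestamps are ISO 8601 strings.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str, Optional[str]]

# Constructed sample events.
EVENTS: List[Event] = [
    ("alice", "WS-01", "2024-07-30T08:55:00", "2024-07-30T17:10:00"),
    ("alice", "WS-02", "2024-07-30T09:20:00", "2024-07-30T09:25:00"),  # overlaps WS-01
    ("svc-backup", "FS-01", "2024-07-30T02:00:00", "2024-07-30T02:30:00"),  # off-hours
    ("bob", "WS-03", "2024-07-30T10:00:00", None),
    ("bob", "WS-04", "2024-07-30T12:00:00", None),  # both still open: overlap
]

# Assumed business-hours window (local time of the events).
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def _parse(ts: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(ts) if ts else None


def concurrent_sessions(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Return {account: [(host_a, host_b), ...]} for every pair of sessions
    of the same account on different hosts whose time intervals overlap.
    An open session (no logoff) is treated as still active."""
    by_account: Dict[str, List[Tuple[str, datetime, Optional[datetime]]]] = defaultdict(list)
    for account, host, logon, logoff in events:
        by_account[account].append((host, _parse(logon), _parse(logoff)))

    hits: Dict[str, List[Tuple[str, str]]] = {}
    for account, sessions in by_account.items():
        pairs = []
        for i in range(len(sessions)):
            for j in range(i + 1, len(sessions)):
                host1, start1, end1 = sessions[i]
                host2, start2, end2 = sessions[j]
                if host1 == host2:
                    continue
                # Intervals overlap when each starts before the other ends;
                # an open interval (end is None) never ends.
                if (end2 is None or start1 < end2) and (end1 is None or start2 < end1):
                    pairs.append((host1, host2))
        if pairs:
            hits[account] = pairs
    return hits


def off_hours_logons(events: List[Event], start: time = BUSINESS_START,
                     end: time = BUSINESS_END) -> List[Tuple[str, str, str]]:
    """Return (account, host, logon_time) for logons outside [start, end)."""
    return [(account, host, logon) for account, host, logon, _ in events
            if not (start <= _parse(logon).time() < end)]


if __name__ == "__main__":
    print("concurrent:", concurrent_sessions(EVENTS))
    print("off-hours:", off_hours_logons(EVENTS))
```

Both checks are cheap enough to run over a day of authentication logs; in practice, exclude known shared service accounts from the concurrency check, or raise its threshold, to keep the alert volume manageable.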


T1547-Boot or Logon Autostart Execution

ID | Data Source | Data Component | Detects
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0027 | Driver | Driver Load | Monitor for unusual kernel driver installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0022 | File | File Creation | Monitor for newly constructed files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0022 | File | File Modification | Monitor for changes made to files that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0008 | Kernel | Kernel Module Load | Monitor for unusual kernel module installation activity that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0011 | Module | Module Load | Monitor DLL loads by processes, specifically looking for DLLs that are not recognized or not normally loaded into a process. Look for abnormal process behavior that may be due to a process loading a malicious DLL.
DS0009 | Process | OS API Execution | Monitor for API calls that may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems.
DS0009 | Process | Process Creation | Suspicious program execution as autostart programs may show up as outlier processes that have not been seen before when compared against historical data, which increases confidence of malicious activity. Data and events should not be viewed in isolation but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for additions of mechanisms that could be used to trigger autostart execution, such as relevant additions to the Registry.
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for modifications of mechanisms that could be used to trigger autostart execution, such as relevant changes to existing Registry keys and values.



T1071-Application Layer Protocol

ID | Data Source | Data Component | Detects
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents associated with the protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with the traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).
DS0029 | Network Traffic | Network Traffic Flow | Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with the traffic patterns (e.g., monitor anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).

Observed Countries (250)

AD (608)
AE (20)
AF (563)
AG (343)
AI (294)
AL (81)
AM (970)
AO (406)
AQ (609)
AR (989)
AS (427)
AT (628)
AU (351)
AW (471)
AX (766)
AZ (118)
BA (226)
BB (37)
BD (431)
BE (66)
BF (456)
BG (824)
BH (231)
BI (821)
BJ (332)
BL (212)
BM (36)
BN (436)
BO (160)
BQ (451)
BR (458)
BS (755)
BT (561)
BV (539)
BW (700)
BY (916)
BZ (803)
CA (168)
CC (775)
CD (655)
CF (51)
CG (426)
CH (508)
CI (784)
CK (33)
CL (514)
CM (676)
CN (734)
CO (74)
CR (327)
CU (455)
CV (122)
CW (855)
CX (938)
CY (51)
CZ (476)
DE (726)
DJ (501)
DK (132)
DM (90)
DO (356)
DZ (941)
EC (607)
EE (290)
EG (135)
EH (690)
ER (713)
ES (456)
ET (979)
FI (839)
FJ (194)
FK (235)
FM (326)
FO (219)
FR (188)
GA (870)
GB (627)
GD (251)
GE (728)
GF (26)
GG (680)
GH (574)
GI (645)
GL (585)
GM (754)
GN (791)
GP (985)
GQ (330)
GR (746)
GS (692)
GT (133)
GU (110)
GW (952)
GY (269)
HK (227)
HM (19)
HN (6)
HR (806)
HT (526)
HU (404)
ID (42)
IE (793)
IL (309)
IM (993)
IN (946)
IO (887)
IQ (376)
IR (497)
IS (884)
IT (853)
JE (339)
JM (776)
JO (922)
JP (493)
KE (60)
KG (353)
KH (233)
KI (87)
KM (242)
KN (777)
KP (990)
KR (610)
KW (210)
KY (574)
KZ (167)
LA (685)
LB (33)
LC (591)
LI (952)
LK (179)
LR (441)
LS (875)
LT (418)
LU (251)
LV (117)
LY (745)
MA (228)
MC (772)
MD (509)
ME (356)
MF (560)
MG (950)
MH (30)
MK (327)
ML (619)
MM (920)
MN (461)
MO (846)
MP (153)
MQ (281)
MR (229)
MS (866)
MT (24)
MU (988)
MV (166)
MW (470)
MX (282)
MY (899)
MZ (129)
NA (366)
NC (368)
NE (85)
NF (536)
NG (934)
NI (275)
NL (493)
NO (297)
NP (372)
NR (136)
NU (749)
NZ (682)
OM (46)
PA (529)
PE (262)
PF (805)
PG (493)
PH (762)
PK (95)
PL (946)
PM (625)
PN (277)
PR (243)
PS (542)
PT (496)
PW (872)
PY (982)
QA (563)
RE (213)
RO (950)
RS (237)
RU (894)
RW (408)
SA (718)
SB (548)
SC (73)
SD (69)
SE (331)
SG (788)
SH (103)
SI (627)
SJ (9)
SK (341)
SL (966)
SM (364)
SN (838)
SO (991)
SR (507)
SS (814)
ST (74)
SV (879)
SX (11)
SY (421)
SZ (544)
TC (939)
TD (80)
TF (347)
TG (385)
TH (414)
TJ (968)
TK (107)
TL (418)
TM (626)
TN (398)
TO (544)
TR (408)
TT (764)
TV (285)
TW (266)
TZ (661)
UA (526)
UG (938)
UM (808)
US (691)
UY (205)
UZ (732)
VA (158)
VC (178)
VE (145)
VG (651)
VI (637)
VN (350)
VU (974)
WF (198)
WS (480)
XK (417)
YE (817)
YT (923)
ZA (283)
ZM (195)
ZW (467)