AWS Route 53 Domain Transfer Lock Disabled
The disabling of the transfer lock on an AWS Route 53 domain is detected, potentially indicating unauthorized domain transfer, takeover, or service disruption by an adversary gaining domain-management permissions.
The disabling of a domain transfer lock within AWS Route 53 is a critical event that can signal malicious activity. The transfer lock is a security feature that prevents unauthorized transfer of a domain to another registrar or AWS account. An attacker who compromises an AWS account with sufficient permissions may disable this lock as a prerequisite for hijacking the domain, potentially leading to service disruption, data exfiltration, or brand damage. This activity is particularly concerning because domains underpin many critical services, including websites, email, and authentication mechanisms. The alert specifically triggers on the DisableDomainTransferLock event within AWS CloudTrail logs, providing visibility into this specific action. The targeted scope includes any AWS Route 53 domains managed by the organization.
Attack Chain
- Initial Access: An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges (T1078, T1098).
- Privilege Escalation (if needed): The attacker escalates privileges within the AWS environment to gain the necessary permissions to manage Route 53 domains (T1068).
- Discovery: The attacker enumerates the Route 53 domains associated with the compromised AWS account (T1082).
- Disable Domain Transfer Lock: The attacker disables the domain transfer lock for a target domain by calling the
DisableDomainTransferLockAPI (T1584.001). - Modify Contact Information: The attacker changes the contact information associated with the domain to gain control over authorization emails (T1586).
- Initiate Domain Transfer: The attacker initiates a transfer of the domain to a registrar or AWS account under their control (T1584.001).
- DNS Manipulation: After the transfer, the attacker modifies DNS records to redirect traffic to malicious servers, enabling phishing attacks or data theft (T1584.001).
- Impact: The attacker disrupts services, steals sensitive information, or conducts further attacks leveraging the hijacked domain.
Impact
A successful domain hijacking can have severe consequences, including website defacement, email interception, and redirection of user traffic to malicious sites. Depending on the criticality of the domain, this could lead to significant financial losses, reputational damage, and legal liabilities. Organizations in all sectors are vulnerable, especially those heavily reliant on online services. The impact is amplified if the hijacked domain is used for authentication or other security-sensitive functions. Without proper detection and response, a domain hijacking can persist for an extended period, causing ongoing harm.
Recommendation
- Deploy the provided Sigma rule to your SIEM to detect instances of
DisableDomainTransferLockevents in AWS CloudTrail logs (logsource: aws.cloudtrail, event.action: DisableDomainTransferLock). - Immediately investigate any detected instances of disabled domain transfer locks, focusing on the user identity (
aws.cloudtrail.user_identity.arn) and request parameters (aws.cloudtrail.request_parameters). - Enforce multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage Route 53 domains.
- Implement AWS Organizations service control policies (SCPs) to restrict domain-level actions to designated accounts, as mentioned in the overview.
- Review and restrict domain-management permissions to the minimum set of authorized administrators as per the guide.
- Monitor for modifications to contact details, attempted transfers, DNS record changes, or updates to hosted zones following lock disablement.
Detection coverage 2
AWS Route 53 Domain Transfer Lock Disabled
highDetects when the transfer lock is disabled on an AWS Route 53 domain, which can be a precursor to unauthorized domain transfer.
AWS Route53 Domain Transfer Initiated After Lock Disabled
criticalDetects domain transfer initiated within a short timeframe after disabling the transfer lock.
Detection queries are available on the platform. Get full rules →