{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/route53/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["AWS Route 53 Resolver"],"_cs_severities":["medium"],"_cs_tags":["aws","cloudtrail","route53","defense_evasion"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAmazon Route 53 Resolver query logs offer crucial insights into DNS activity across VPCs, encompassing lookups from EC2 instances, containers, and Lambda functions. The deletion of a query log configuration immediately halts DNS query and response logging for the associated VPC, creating a monitoring gap. This activity is often associated with defense evasion, where attackers attempt to remove logging to obscure their actions. This detection identifies successful invocations of the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e API call within AWS CloudTrail logs. The scope of impact can range from individual VPCs to entire AWS environments, depending on the breadth of the deleted configuration. Defenders should prioritize investigation to determine whether the deletion was authorized and to identify potential malicious activity that may have been obscured.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account with sufficient privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses compromised credentials or an IAM role to interact with the AWS Management Console, CLI, or SDK.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a Route 53 Resolver Query Log Configuration that is actively logging DNS queries for one or more VPCs.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e API call, specifying the ID of the target query log configuration.\u003c/li\u003e\n\u003cli\u003eAWS CloudTrail logs the \u003ccode\u003eDeleteResolverQueryLogConfig\u003c/code\u003e event with a successful outcome.\u003c/li\u003e\n\u003cli\u003eDNS query and response logging immediately ceases for the VPCs associated with the deleted configuration.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities, such as DNS tunneling or command and control communication, without being logged.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data exfiltration or system compromise, without detection via DNS logs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to a significant reduction in DNS visibility across affected VPCs. Depending on the scope, this can impact a few resources or an entire AWS environment. The immediate consequence is the cessation of DNS query logging, which can obscure ongoing malicious activity, such as command-and-control communication, data exfiltration attempts, or reconnaissance efforts. The lack of DNS data hinders incident response and forensic investigations, making it difficult to identify the scope and impact of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Route 53 Resolver Query Log Configuration Deleted\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eReview IAM permissions and restrict the \u003ccode\u003eroute53resolver:DeleteResolverQueryLogConfig\u003c/code\u003e action to a minimal set of privileged roles.\u003c/li\u003e\n\u003cli\u003eEnable AWS Config rules to detect and alert on missing or deleted Route 53 Resolver Query Log Configurations.\u003c/li\u003e\n\u003cli\u003eInvestigate any deletion of Resolver Query Log Configurations to determine if it was authorized and corresponds to expected operational changes.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e for any unusual IAM roles or user accounts performing the deletion action as identified in the Sigma rule.\u003c/li\u003e\n\u003cli\u003eRe-create the deleted Resolver Query Log Configuration and re-associate it with the affected VPCs to restore DNS visibility immediately.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-14T12:00:00Z","date_published":"2024-05-14T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/","summary":"Detection of the deletion of an Amazon Route 53 Resolver Query Log Configuration, potentially stopping DNS query and response logging for associated VPCs, which can be used by adversaries to evade detection and suppress forensic evidence.","title":"AWS Route 53 Resolver Query Log Configuration Deleted","url":"https://feed.craftedsignal.io/briefs/2024-05-route53-resolver-deletion/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Route 53"],"_cs_severities":["high"],"_cs_tags":["aws","route53","domain-hijacking","persistence"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThe disabling of a domain transfer lock within AWS Route 53 is a critical event that can signal malicious activity. The transfer lock is a security feature that prevents unauthorized transfer of a domain to another registrar or AWS account. An attacker who compromises an AWS account with sufficient permissions may disable this lock as a prerequisite for hijacking the domain, potentially leading to service disruption, data exfiltration, or brand damage. This activity is particularly concerning because domains underpin many critical services, including websites, email, and authentication mechanisms. The alert specifically triggers on the \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e event within AWS CloudTrail logs, providing visibility into this specific action. The targeted scope includes any AWS Route 53 domains managed by the organization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an AWS account, possibly through compromised credentials or an IAM role with excessive privileges (T1078, T1098).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges within the AWS environment to gain the necessary permissions to manage Route 53 domains (T1068).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery:\u003c/strong\u003e The attacker enumerates the Route 53 domains associated with the compromised AWS account (T1082).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Domain Transfer Lock:\u003c/strong\u003e The attacker disables the domain transfer lock for a target domain by calling the \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e API (T1584.001).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eModify Contact Information:\u003c/strong\u003e The attacker changes the contact information associated with the domain to gain control over authorization emails (T1586).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInitiate Domain Transfer:\u003c/strong\u003e The attacker initiates a transfer of the domain to a registrar or AWS account under their control (T1584.001).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDNS Manipulation:\u003c/strong\u003e After the transfer, the attacker modifies DNS records to redirect traffic to malicious servers, enabling phishing attacks or data theft (T1584.001).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attacker disrupts services, steals sensitive information, or conducts further attacks leveraging the hijacked domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful domain hijacking can have severe consequences, including website defacement, email interception, and redirection of user traffic to malicious sites. Depending on the criticality of the domain, this could lead to significant financial losses, reputational damage, and legal liabilities. Organizations in all sectors are vulnerable, especially those heavily reliant on online services. The impact is amplified if the hijacked domain is used for authentication or other security-sensitive functions. Without proper detection and response, a domain hijacking can persist for an extended period, causing ongoing harm.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances of \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e events in AWS CloudTrail logs (logsource: aws.cloudtrail, event.action: DisableDomainTransferLock).\u003c/li\u003e\n\u003cli\u003eImmediately investigate any detected instances of disabled domain transfer locks, focusing on the user identity (\u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e) and request parameters (\u003ccode\u003eaws.cloudtrail.request_parameters\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eEnforce multi-factor authentication (MFA) for all AWS accounts, especially those with permissions to manage Route 53 domains.\u003c/li\u003e\n\u003cli\u003eImplement AWS Organizations service control policies (SCPs) to restrict domain-level actions to designated accounts, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eReview and restrict domain-management permissions to the minimum set of authorized administrators as per the guide.\u003c/li\u003e\n\u003cli\u003eMonitor for modifications to contact details, attempted transfers, DNS record changes, or updates to hosted zones following lock disablement.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer-lock-disabled/","summary":"The disabling of the transfer lock on an AWS Route 53 domain is detected, potentially indicating unauthorized domain transfer, takeover, or service disruption by an adversary gaining domain-management permissions.","title":"AWS Route 53 Domain Transfer Lock Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer-lock-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Route 53"],"_cs_severities":["medium"],"_cs_tags":["cloud","aws","route53","persistence"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eAttackers with sufficient AWS IAM permissions can associate a Route 53 private hosted zone with a Virtual Private Cloud (VPC) to expand the scope of internal DNS resolution, potentially intercepting, observing, or rerouting internal traffic. This activity allows adversaries to establish persistence or expand their visibility within an AWS environment. This association is achieved through the \u003ccode\u003eAssociateVPCWithHostedZone\u003c/code\u003e event. Defenders should monitor for unauthorized associations to prevent attackers from manipulating internal name resolution. The Elastic detection rule was last updated on April 10, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to an AWS account, either through compromised credentials or exploiting a misconfigured IAM role, achieving initial access (TA0001).\u003c/li\u003e\n\u003cli\u003eThe attacker enumerates existing Route 53 hosted zones and associated VPCs to identify potential targets for manipulation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a private hosted zone containing sensitive internal service records or privileged DNS information.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or compromises a VPC within the AWS environment or cross-account.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eAssociateVPCWithHostedZone\u003c/code\u003e API call to associate the attacker-controlled VPC with the targeted private hosted zone.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies DNS records within the associated hosted zone to redirect traffic to attacker-controlled resources.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts internal traffic, observes service discovery processes, or redirects traffic to malicious services (TA0009).\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access by manipulating internal name resolution (TA0003).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to intercept internal traffic, perform reconnaissance, and potentially gain access to sensitive data. The number of victims depends on the scope of the compromised hosted zone and the sensitivity of the data exposed. Targeted sectors could include any organization using AWS Route 53 for internal DNS resolution. If the attack succeeds, internal applications and services may become unavailable or compromised, leading to data breaches and service disruptions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026quot;AWS Route 53 Private Hosted Zone Associated With a VPC\u0026quot; Sigma rule to your SIEM and tune for your environment to detect unauthorized VPC associations.\u003c/li\u003e\n\u003cli\u003eReview \u003ccode\u003eaws.cloudtrail.user_identity.arn\u003c/code\u003e and \u003ccode\u003eaccess_key_id\u003c/code\u003e to identify the actor initiating the association, as mentioned in the investigation steps.\u003c/li\u003e\n\u003cli\u003eLimit \u003ccode\u003eroute53:AssociateVPCWithHostedZone\u003c/code\u003e permissions to specific administrative roles and require MFA for privileged accounts.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eAssociateVPCWithHostedZone\u003c/code\u003e events to identify suspicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-vpc-association/","summary":"An adversary with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment by associating a Route 53 private hosted zone with a new Virtual Private Cloud (VPC).","title":"AWS Route 53 Private Hosted Zone Associated With Unauthorized VPC","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-vpc-association/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Route 53"],"_cs_severities":["high"],"_cs_tags":["aws","route53","domain-transfer","persistence","resource-development"],"_cs_type":"advisory","_cs_vendors":["AWS"],"content_html":"\u003cp\u003eThis threat brief addresses the unauthorized transfer of an AWS Route 53 domain to another AWS account. Route 53 is a scalable DNS web service, and control over a domain allows an attacker to modify DNS records, reroute traffic, and request certificates. The adversary could gain control by compromising an IAM user or leveraging long-lived credentials. Such a transfer can lead to persistence, traffic redirection, phishing attacks, or the staging of infrastructure for more extensive malicious operations. This activity is detected via CloudTrail logs when the \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e event is successfully invoked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to an AWS account through compromised credentials or IAM role exploitation.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target domain within the Route 53 service.\u003c/li\u003e\n\u003cli\u003eThe attacker may disable the domain transfer lock using \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a domain transfer to an AWS account under their control using the \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e API call.\u003c/li\u003e\n\u003cli\u003eThe transfer is successful, granting the attacker administrative control over the domain's DNS records.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies DNS records to redirect traffic to malicious servers they control.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up phishing sites or redirects legitimate traffic to a command-and-control infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Route 53 domain transfer enables an attacker to fully manage the domain's DNS resources, potentially leading to traffic redirection, service outages, or domain hijacking for phishing or command-and-control. While the exact number of victims and sectors targeted is unknown, unauthorized domain transfers can severely impact any organization relying on AWS for DNS services. This could disrupt service availability, compromise sensitive data through phishing, or enable persistent access to internal networks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eAWS Route 53 Domain Transferred to Another Account\u003c/code\u003e to detect successful \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e events in AWS CloudTrail logs.\u003c/li\u003e\n\u003cli\u003eMonitor AWS CloudTrail logs for \u003ccode\u003eDisableDomainTransferLock\u003c/code\u003e events followed by \u003ccode\u003eTransferDomainToAnotherAwsAccount\u003c/code\u003e as it indicates a possible domain transfer preparation.\u003c/li\u003e\n\u003cli\u003eRestrict domain transfer permissions to a minimal set of roles using IAM Conditions such as \u003ccode\u003eaws:PrincipalArn\u003c/code\u003e and \u003ccode\u003eaws:MultiFactorAuthPresent\u003c/code\u003e as recommended in the \u003ca href=\"https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/\"\u003eAWS Knowledge Center – Security Best Practices\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eImplement change-management tracking for domain ownership modifications, correlating with approved internal requests as noted in the overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/","summary":"An AWS Route 53 domain was transferred to another AWS account, potentially leading to unauthorized control over DNS records and traffic redirection for malicious purposes, such as phishing or establishing persistence.","title":"AWS Route 53 Domain Transferred to Another Account","url":"https://feed.craftedsignal.io/briefs/2024-01-aws-route53-domain-transfer/"}],"language":"en","title":"CraftedSignal Threat Feed - Route53","version":"https://jsonfeed.org/version/1.1"}