Skip to content

DS0038 Domain Name

Information obtained (commonly through registration or activity logs) regarding one or more IP addresses registered with human readable names (ex: mitre.org)

Item Value
ID DS0038
Platforms PRE
Collection Layers OSINT
Version 1.0
Created 20 October 2021
Last Modified 20 October 2021

Data Components

Active DNS

Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)

Domain ID Name
enterprise T1583 Acquire Infrastructure
enterprise T1583.001 Domains
enterprise T1584 Compromise Infrastructure
enterprise T1584.001 Domains
enterprise T1584.002 DNS Server

Domain Registration

Information about domain name assignments and other domain metadata (ex: WHOIS)

Domain ID Name
enterprise T1583 Acquire Infrastructure
enterprise T1583.001 Domains
enterprise T1584 Compromise Infrastructure
enterprise T1584.001 Domains

Passive DNS

Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)

Domain ID Name
enterprise T1583 Acquire Infrastructure
enterprise T1583.001 Domains
enterprise T1584 Compromise Infrastructure
enterprise T1584.001 Domains
enterprise T1584.002 DNS Server

References

  1. Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023. 

  2. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.