MITRE ATT&CK® Data Component

DC0101: Domain Registration

"Domain Name: Domain Registration" data component captures information about the assignment, ownership, and metadata of domain names. This information is often sourced from registries like WHOIS and includes details such as registrant names, contact information, registration dates, expiration dates, and registrar details. This data is invaluable for tracking domain ownership, detecting malicious domain registrations, and identifying trends in adversary behavior. Examples:

- Registrant Information: WHOIS lookup of example.com.
- Registration and Expiration Dates: A domain registered a week before being used in phishing attacks.
- Domain Status: Status codes like clientTransferProhibited or serverHold indicate domain restrictions or potential hijacking activity.
- Name Server Information: Name servers point to a public DNS provider often associated with malicious campaigns.
- Privacy Protection: A domain uses WHOIS privacy protection to hide registrant details.

This data component can be collected through the following measures:

- WHOIS Services: Use tools or services to perform WHOIS lookups.
- WHOIS APIs: Automate domain registration lookups with APIs.
- Registrar Platforms: Directly query domain registrars (e.g., GoDaddy, Namecheap) for detailed registration data.
- Threat Intelligence Platforms: Integrate domain registration data from services like Recorded Future, RiskIQ, or PassiveTotal for enriched analysis.

Domain: Enterprise. ID: DC0101. Type: Data Component. Object version: 2.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Domain Registration data helps teams understand who registered a domain, when it was created or expires, which registrar and name servers are involved, and whether privacy or status controls are present. For business leaders, its value is not in the WHOIS record itself, but in making faster decisions about suspicious domains seen in phishing, brand abuse, fraud investigations, or incident response triage.

Executive priority

Treat domain registration visibility as supporting evidence for threat intelligence, SOC triage, incident response, and compliance documentation. Leaders should ask whether the organization can enrich suspicious domains with registration metadata quickly enough to support containment, takedown escalation, user warning decisions, and investigation prioritization. This is especially useful when a newly registered domain, hidden registrant details, unusual registrar patterns, or concerning domain status appears alongside other suspicious activity.

Technical view

SOC and IR teams should validate that domain indicators from alerts, email investigations, proxy/DNS review, and threat intelligence workflows can be enriched with registration data. Useful fields include registrant information where available, registration and expiration dates, registrar, domain status codes, name server information, and privacy-protection indicators. ATT&CK does not provide a detection analytic for this data component, so teams should use it as enrichment and correlation evidence rather than a standalone detection source.

Likely telemetry

  • WHOIS lookup results
  • WHOIS API enrichment records
  • Registrar query results
  • Threat intelligence platform enrichment for domains
  • Domain registration and expiration dates

Detection direction

  • Validate that domain enrichment is available in SOC and incident response workflows for domains observed in alerts or investigations.
  • Correlate recent registration dates, registrar details, name servers, status codes, and privacy-protection usage with other evidence before escalating; these attributes alone are not proof of malicious activity.
  • Tune workflows to reduce false positives from legitimate new domains, privacy-protected registrations, and common public DNS or registrar usage.
  • Check whether enrichment sources return current, historical, and normalized registration data, because WHOIS visibility and field availability can vary.
  • Document gaps where domain registration data is unavailable, delayed, rate-limited, or not integrated into alert triage.

Mitigation priorities

  • Prioritize reliable access to WHOIS, WHOIS API, registrar, or threat intelligence enrichment sources for SOC and IR use cases.
  • Integrate domain registration enrichment into phishing, DNS, proxy, email, and threat intelligence review processes.
  • Create triage guidance for when domain registration attributes should trigger deeper investigation, escalation, or business notification.
  • Maintain evidence-handling procedures so domain registration metadata can support incident timelines, takedown requests, and compliance reporting.
  • Review enrichment coverage and data quality periodically, especially for domains using privacy protection or registrars with limited public details.

Analyst notes and limits

This object is a data component, not a technique, and no ATT&CK tactics, platforms, detections, or relationships were supplied. The practical value is therefore in enrichment, correlation, and investigative context. Domain registration metadata is strongest when combined with local telemetry such as email, DNS, proxy, endpoint, or incident case data, but those relationships are not specified in the supplied object.

The supplied ATT&CK object provides a description and collection examples but no official detection text, platform scope, tactics, or relationship context. This take does not assert maliciousness, active exploitation, attribution, or guaranteed coverage from domain registration data alone.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: df8d809eec0fb44b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | df8d809eec0f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.