AN1995: Analytic 1995

Monitor for logged domain name system (DNS) registry data that may hijack domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet. Monitor for queried domain name system (DNS) registry data that may hijack domains and/or subdomains that can be used during targeting. In some cases, abnormal subdomain IP addresses (such as those originating in a different country from the root domain) may indicate a malicious subdomain.[1] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

EnterpriseAN1995AnalyticObject v1.0 Modified Oct 21, 2025, 15:10 UTC (UTC+00:00)

AN1995 matters because malicious changes in DNS registration or resolution data can make domains or subdomains look legitimate while supporting targeting or later command-and-control activity. For leaders, the key issue is visibility: ATT&CK notes that much of this activity may occur outside the target organization’s normal monitoring, so DNS registry and resolution monitoring is a preparedness and threat-intelligence problem as much as a SOC alerting problem.

Executive priority

Prioritize this analytic where the business depends on trusted domains, customer-facing web properties, partner trust, or strong pre-incident warning. Executives should ask whether security teams know which domains are important, who can change registration or DNS records, and what evidence would prove anomalous registrant or resolution changes were reviewed. This supports incident readiness, brand and trust protection, and compliance evidence for monitoring critical internet-facing assets.

Technical view

SOC and detection teams should validate whether they can monitor logged or queried DNS registry data, registrant information, and domain resolution information for domains of interest. The analytic highlights anomalous subdomain IP addresses, including IPs originating from a different country than the root domain, as a possible signal. Because benign DNS and registration changes are common and much activity may be outside direct visibility, detections should be scoped to known critical domains and enriched with passive DNS, registrar context, change history, and later-stage command-and-control observations when available.

Likely telemetry

DNS registry, WHOIS, or RDAP records for domains of interest
Domain registrant information and change history
DNS resolution data for root domains and subdomains
Passive DNS observations, where available
Authoritative DNS record changes for owned or monitored domains

Detection direction

Baseline expected registrant data, name servers, authoritative DNS records, and normal subdomain resolution patterns for critical domains.
Monitor for anomalous registrant or resolution changes, especially unexpected subdomains or IP geolocation differences from the root domain’s expected profile.
Tune detections carefully because legitimate registration, hosting, CDN, and DNS changes are common on the internet.
Account for the ATT&CK-noted blind spot that much of this behavior may occur outside the target organization’s visibility.
Correlate suspicious registry or resolution changes with related lifecycle evidence, especially command-and-control DNS activity, rather than relying on registry anomalies alone.

Mitigation priorities

Maintain an authoritative inventory of business-critical domains and subdomains to define monitoring scope.
Ensure registrar and DNS provider change logging is enabled and retained for domains the organization controls.
Use strong governance for domain administration, including controlled change processes and review of registrant and DNS modifications.
Establish threat-intelligence or external monitoring for domains of interest where internal telemetry is insufficient.
Prepare incident response procedures for validating suspicious DNS or registrant changes and escalating potential domain compromise.

Analyst notes and limits

This is a detection analytic, not a technique description. ATT&CK provides a PRE platform value but no tactic, no formal detection field, and no relationship context. The strongest use is as a validation prompt for external DNS/registry visibility and for correlation with later command-and-control activity.

The supplied fields do not identify specific adversaries, active exploitation, affected organizations, guaranteed detection logic, or concrete mitigations. Local domain inventory, registrar access, DNS provider data, and external visibility determine whether this analytic is actionable.

Official MITRE ATT&CK definition

Analytic 1995

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Raw hash: ed6669e6b0dda815...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	Oct 21, 2025, 15:10 UTC (UTC+00:00)	Current bundle	`ed6669e6b0dd…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Palo Alto Unit 42 Domain Shadowing 2022

Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.
Open source URL
[2]
Palo Alto Unit 42 Domain Shadowing 2022

Janos Szurdi, Rebekah Houser and Daiping Liu. (2022, September 21). Domain Shadowing: A Stealthy Use of DNS Compromise for Cybercrime. Retrieved March 7, 2023.
Open source URL
[3]
mitre-attack AN1995
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use