MITRE ATT&CK® Detection Strategy

DET0847: Detection of Domain Properties


Enterprise | DET0847 | Detection Strategy | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0847 is a MITRE ATT&CK detection strategy for identifying activity related to reconnaissance of an organization’s domain properties. The business significance is that domain ownership records, registrars, name servers, business contacts, and related public-facing details can help an adversary shape targeting before any intrusion occurs. Because the supplied ATT&CK object has no official detection text, platforms, or tactics of its own, its value is mainly as a prompt for leaders and defenders to validate whether they can monitor and govern externally visible domain information and recognize suspicious pre-intrusion research where feasible.

Executive priority

Treat this as an external attack-surface and readiness question rather than a guaranteed SOC alerting use case. Leaders should ask who owns domain inventory, registrar hygiene, name server governance, public contact exposure, and evidence that these assets are reviewed. This supports resilience, incident preparation, compliance evidence, and risk prioritization because weak or stale domain property management can increase targeting quality and complicate response.

Technical view

This detection strategy is related to ATT&CK technique T1590.001, Domain Properties, under reconnaissance for PRE platforms. SOC, threat intelligence, and security engineering teams should validate what evidence exists for monitoring domain-related information exposure and changes: owned domains, registrar details, administrative contacts, business addresses, and name server records. Since MITRE provides no official detection logic for this object, teams should avoid assuming coverage and instead document local data sources, enrichment methods, alert criteria, and review workflows.

Likely telemetry

  • Authoritative inventory of owned domains and subdomains where available
  • Registrar account and domain registration records
  • WHOIS/RDAP or equivalent domain ownership and administrative metadata
  • DNS and name server records for owned domains
  • Change records for domain registration, registrar, name server, and contact details

Detection direction

  • Validate whether the organization can distinguish approved domain property changes from unexpected or stale records.
  • Use the relationship to T1590.001 to focus on reconnaissance-relevant exposure: domain ownership, registrar data, administrative contacts, business addresses, and name servers.
  • Document blind spots where domain property data is managed outside security visibility, such as business-unit-owned domains or third-party-managed registrations.
  • Tune any monitoring to reduce noise from legitimate registrar renewals, DNS administration, brand management, and infrastructure migration activity.
  • Because no official ATT&CK detection text is supplied, treat DET0847 as a coverage-mapping objective rather than a ready-made analytic.
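One way to turn the first and third points above into a repeatable check, as an added example that is not part of the MITRE object or of Glexia's analysis: compare observed domain properties against an approved baseline and a list of approved changes, and report unexpected changes, stale reviews, and domains missing from the inventory. All domains, registrars, contacts, dates, field names, and the 180-day review threshold are constructed assumptions.

```python
from datetime import date

FIELDS = ("registrar", "name_servers", "admin_contact")
TODAY = date(2026, 1, 15)  # constructed review date

def rec(registrar, ns, contact, reviewed=None):
    return {"registrar": registrar, "name_servers": frozenset(ns),
            "admin_contact": contact, "last_reviewed": reviewed}

# Constructed baseline: approved properties per owned domain.
BASELINE = {
    "example.com": rec("Registrar A", ["ns1.example.com", "ns2.example.com"],
                       "hostmaster@example.com", date(2025, 11, 3)),
    "example.net": rec("Registrar A", ["ns1.example.com", "ns2.example.com"],
                       "hostmaster@example.com", date(2025, 3, 1)),
    "example.org": rec("Registrar B", ["ns1.example.org"],
                       "hostmaster@example.com", date(2025, 12, 1)),
}
# Constructed observation, e.g. the output of a scheduled WHOIS/RDAP and DNS collection job.
OBSERVED = {
    "example.com": rec("Registrar A", ["ns1.example.com", "ns2.example.com"],
                       "hostmaster@example.com"),
    "example.net": rec("Registrar A", ["ns1.example.com", "ns2.example.com"],
                       "hostmaster@example.com"),
    "example.org": rec("Registrar B", ["ns1.dns-host.example"], "j.doe@example.org"),
    "brand.example": rec("Registrar C", ["ns1.dns-host.example"], "marketing@example.org"),
}
# Constructed change records: (domain, field) pairs covered by an approved ticket.
APPROVED_CHANGES = {("example.org", "name_servers")}

def review_domain_properties(baseline, observed, approved, today, max_review_age_days=180):
    """Return (domain, finding, field) tuples, sorted by domain."""
    findings = []
    for domain in sorted(set(baseline) | set(observed)):
        if domain not in baseline:      # blind spot: seen externally, no owner on record
            findings.append((domain, "not_in_inventory", None))
            continue
        if domain not in observed:      # collection gap: baseline entry not verified
            findings.append((domain, "no_observation", None))
            continue
        for field in FIELDS:
            if baseline[domain][field] != observed[domain][field]:
                kind = "approved_change" if (domain, field) in approved else "unexpected_change"
                findings.append((domain, kind, field))
        if (today - baseline[domain]["last_reviewed"]).days > max_review_age_days:
            findings.append((domain, "stale_review", None))
    return findings

if __name__ == "__main__":
    for finding in review_domain_properties(BASELINE, OBSERVED, APPROVED_CHANGES, TODAY):
        print(finding)
```

Approved changes are still reported so the baseline can be updated after review instead of drifting silently.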

Mitigation priorities

  • Establish or validate a complete inventory of organizational domains and responsible owners.
  • Centralize governance for registrar access, domain renewals, contact details, and name server management where practical.
  • Minimize unnecessary public exposure in domain administrative records while preserving required registration accuracy.
  • Create a documented change-review process for domain property updates and retain evidence for audit and incident response.
  • Integrate domain property review into external attack-surface management, threat intelligence workflows, and incident response preparation.

Analyst notes and limits

The only supplied relationship is that this detection strategy detects T1590.001 Domain Properties. That related technique is reconnaissance-focused and concerns adversaries gathering information about victim network domains and their properties. The ATT&CK detection strategy object itself does not specify platforms, tactics, a description, or detection logic, so local implementation details must come from the organization’s asset management, DNS/registrar operations, and external monitoring capabilities.

This take is constrained by sparse official fields: no official description, no official detection guidance, no platforms, and no tactics are provided for DET0847. Recommendations are therefore framed as validation and governance directions tied to the supplied relationship with T1590.001, not as claims of active exploitation, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Detection of Domain Properties

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1590.001 | Domain Properties (Sub-technique) | This object detects Domain Properties.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e9871335c05a883e...
Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e9871335c05a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack DET0847

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.