DET0863: Detection of Domains
Analyst context for executives and security teams
This detection strategy matters because it points defenders at adversary preparation involving domains, specifically domain or subdomain hijacking under ATT&CK T1584.001. For leaders, the practical risk is that control of trusted domain assets can become part of targeting activity before an incident is obvious inside the enterprise. The value is in confirming who owns domain oversight, what evidence proves authorized changes, and whether security teams would notice suspicious registrar or ownership activity early enough to respond.
Executive priority
Prioritize this as a governance and resilience question for externally visible digital assets: which business-critical domains and subdomains exist, who can change their registration, and what audit trail would prove whether a change was legitimate. Because the ATT&CK object has no platform, tactic, description, or detection text of its own, executives should treat it as a prompt to validate domain ownership controls, change-management evidence, and incident escalation paths rather than as a complete detection specification.
Technical view
SOC, detection engineering, and IR teams should map this strategy to ATT&CK T1584.001 Domains in the resource-development context. Validate whether the organization can detect unexpected domain registration, registrant, owner contact, or account-access changes, especially where an owner email account may be used to reset access and alter registration. Detection content should distinguish approved registrar administration from suspicious or unauthorized changes using asset inventory, change tickets, and registrar/account audit evidence.
Likely telemetry
- Domain registrar audit logs and account activity where available
- Domain registration or ownership change records, such as registrant/contact updates
- Owner or administrator email account security events related to password reset or account recovery
- Change-management records for approved domain and subdomain administration
- Inventory records for known domains and subdomains
Detection direction
- Confirm that all known domains and subdomains are inventoried and mapped to accountable owners.
- Validate alerting or review processes for domain registration, registrant contact, and account ownership changes.
- Correlate registrar changes with approved change tickets to reduce false positives from legitimate administration.
- Review whether owner email account recovery or password-reset events are monitored, because the related technique description includes adversary access to the domain owner email account as one possible path.
- Document blind spots where registrar audit data, domain inventory, or owner-email telemetry is unavailable to the SOC.
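The correlation steps above (inventory check, approved-change matching, and watching for changes that follow an owner-account recovery) as an added example; this is not code from the ATT&CK object or from Glexia, and the inventory, tickets and registrar events are constructed sample data with hypothetical action names.

```python
from datetime import datetime, timedelta
# Constructed sample data (hypothetical): domain inventory with accountable
# owners, approved change tickets, and registrar audit events.
INVENTORY = {"example.com": "it-ops", "shop.example.com": "ecommerce"}
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "domain": "example.com", "action": "nameserver_update",
     "start": "2026-03-01T09:00:00", "end": "2026-03-01T12:00:00"},
]
REGISTRAR_EVENTS = [
    {"ts": "2026-03-01T10:15:00", "domain": "example.com",
     "action": "nameserver_update", "actor": "it-ops"},
    {"ts": "2026-03-02T02:35:00", "domain": "example.com",
     "action": "account_recovery", "actor": "owner-mailbox"},
    {"ts": "2026-03-02T02:40:00", "domain": "example.com",
     "action": "registrant_contact_update", "actor": "owner-mailbox"},
    {"ts": "2026-03-03T11:00:00", "domain": "legacy.example.com",
     "action": "transfer_out", "actor": "unknown"},
]
SENSITIVE = {"registrant_contact_update", "nameserver_update",
             "transfer_out", "account_recovery"}

def approved(event, changes):
    """True when a ticket covers the same domain, action and time window."""
    t = datetime.fromisoformat(event["ts"])
    return any(c["domain"] == event["domain"] and c["action"] == event["action"]
               and datetime.fromisoformat(c["start"]) <= t <= datetime.fromisoformat(c["end"])
               for c in changes)

def triage(events, inventory, changes, recovery_window=timedelta(hours=1)):
    """Return (domain, action, severity, reason) for events no ticket explains."""
    findings, recoveries = [], {}  # recoveries: domain -> last recovery time
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] not in SENSITIVE:
            continue
        t = datetime.fromisoformat(e["ts"])
        if e["domain"] not in inventory:  # inventory blind spot: escalate
            findings.append((e["domain"], e["action"], "high", "domain_not_in_inventory"))
            continue
        if approved(e, changes):  # legitimate administration, no alert
            continue
        if e["action"] == "account_recovery":
            recoveries[e["domain"]] = t
            findings.append((e["domain"], e["action"], "medium", "unapproved_account_recovery"))
            continue
        last = recoveries.get(e["domain"])
        if last is not None and t - last <= recovery_window:
            findings.append((e["domain"], e["action"], "high", "change_after_account_recovery"))
        else:
            findings.append((e["domain"], e["action"], "medium", "unapproved_change"))
    return findings
```

Running `triage(REGISTRAR_EVENTS, INVENTORY, APPROVED_CHANGES)` suppresses the ticketed nameserver change and raises three findings, the highest for a contact update minutes after an account recovery and for a transfer of a domain missing from the inventory.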
Mitigation priorities
- Establish authoritative ownership and change-control processes for business-critical domains and subdomains.
- Restrict and regularly review who can administer domain registration and related owner contact details.
- Protect email accounts associated with domain ownership and recovery workflows.
- Maintain evidence of authorized domain changes for incident response and compliance review.
- Create an escalation path for suspected unauthorized domain or subdomain registration changes.
Analyst notes and limits
The supplied ATT&CK detection-strategy object DET0863 has no official description or detection text. The only substantive context is its relationship to T1584.001 Domains, which describes adversaries hijacking domains or subdomains during targeting, including possible access to a domain owner email account to change registration.
This take does not assert active exploitation, attribution, specific platforms, or guaranteed detection coverage. Local registrar capabilities, domain inventory quality, email-account logging, and change-management maturity determine whether this strategy can be operationalized.
Detection of Domains
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 8e2f1e37fc82… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0863 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.