AWS Route 53 Domain Transfer Lock Disabled

  1[metadata]
  2creation_date = "2021/05/10"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2025/12/10"
  6
  7[rule]
  8author = ["Elastic", "Austin Songer"]
  9description = """
 10Identifies when the transfer lock on an AWS Route 53 domain is disabled. The transfer lock protects domains from being
 11moved to another registrar or AWS account without authorization. Disabling this lock removes an important safeguard
 12against domain hijacking. Adversaries who gain access to domain-management permissions may disable the lock as a
 13precursor to unauthorized domain transfer, takeover, or service disruption.
 14"""
 15false_positives = [
 16    """
 17    A domain transfer lock may be intentionally disabled by an authorized administrator to prepare for a planned domain
 18    migration or registrar change. Confirm that the action aligns with an approved change request. You may exempt known
 19    administrative accounts involved in routine domain operations to reduce noise.
 20    """,
 21]
 22from = "now-6m"
 23index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 24language = "kuery"
 25license = "Elastic License v2"
 26name = "AWS Route 53 Domain Transfer Lock Disabled"
 27note = """## Triage and analysis
 28
 29> **Disclaimer**:
 30> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 31
 32### Investigating AWS Route 53 Domain Transfer Lock Disabled
 33
 34This rule detects when the `DisableDomainTransferLock` operation succeeds for a managed Route 53 domain. The transfer lock
 35prevents unauthorized domain transfers, and disabling it is an uncommon operation outside of planned migrations. Because
 36domains often underpin production workloads (web, API, authentication, email), unauthorized transfer lock changes may
 37indicate adversary preparation for domain hijacking or service disruption.
 38
 39This event should be treated with high urgency whenever it occurs unexpectedly.
 40
 41### Possible investigation steps
 42
 43- **Review the actor**
 44  - Examine `aws.cloudtrail.user_identity.arn` and `user_identity.access_key_id` to confirm who
 45    initiated the change. Validate whether this identity normally performs domain-management tasks.
 46
 47- **Analyze the request context**
 48  - Review `aws.cloudtrail.request_parameters` to identify which domain was affected.
 49  - Confirm no corresponding `operation=TransferDomainToAnotherAwsAccount` or registrar-level modifications occurred
 50    shortly before or after the lock was disabled.
 51  - Note the timestamp and evaluate whether the change occurred during maintenance windows or outside business hours.
 52
 53- **Evaluate activity surrounding the lock disablement**
 54  - Look for subsequent events such as modifications to contact details, attempted transfers, DNS record changes, or updates to hosted zones. Correlate with unusual IAM role usage, newly issued access keys, or anomalous login behavior.
 55
 56- **Validate intent with responsible teams**
 57  - Confirm whether stakeholders (network operations, domain owners, infrastructure leads) initiated or approved the
 58    transfer lock disablement. If unmanaged or unexpected, treat this as a potentially malicious action.
 59
 60### False positive analysis
 61
 62- **Authorized transfer preparation**
 63  - The most common legitimate case is preparation for a planned transfer of ownership or registrar migration. Ensure the
 64    change aligns with a ticketed and approved operation.
 65
 66- **Internal domain restructuring**
 67  - Organizational changes (e.g., merging AWS accounts, consolidating DNS assets) may require disabling the lock. Check
 68    for documented work items or migration plans.
 69
 70- **Automated tooling**
 71  - Rare but possible: Some internal automation used for domain lifecycle management may disable the lock as part of an
 72    update. Validate that any automation using administrative API credentials is documented and approved.
 73
 74### Response and remediation
 75
 76- **Re-enable the transfer lock immediately if unauthorized**
 77  - Restore the lock from Route 53 to prevent any pending or future unauthorized transfer attempts.
 78
 79- **Contain potential credential compromise**
 80  - If the action is suspicious, rotate credentials for the user or role involved and enforce MFA.
 81
 82- **Audit for related domain-level modifications**
 83  - Review CloudTrail logs for:
 84    - attempted domain transfers,
 85    - contact profile changes,
 86    - hosted zone modifications,
 87    - DNS record updates,
 88    - IAM privilege escalations.
 89
 90- **Engage internal owners**
 91  - Notify domain owners, infosec leadership, and operations teams; determine business impact and next steps.
 92
 93- **Strengthen governance**
 94  - Limit domain-management permissions to the minimum set of authorized administrators.
 95  - Consider implementing AWS Organizations service control policies (SCPs) to prevent domain-level actions except
 96    through designated accounts.
 97
 98### Additional information
 99- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
100- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
101- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
102"""
103references = [
104    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html",
105    "https://docs.aws.amazon.com/Route53/latest/APIReference/API_domains_DisableDomainTransferLock.html",
106]
107risk_score = 73
108rule_id = "12051077-0124-4394-9522-8f4f4db1d674"
109severity = "high"
110tags = [
111    "Domain: Cloud",
112    "Data Source: AWS",
113    "Data Source: Amazon Web Services",
114    "Data Source: AWS Route 53",
115    "Use Case: Asset Visibility",
116    "Tactic: Persistence",
117    "Tactic: Resource Development",
118    "Resources: Investigation Guide",
119]
120timestamp_override = "event.ingested"
121type = "query"
122
123query = '''
124event.dataset: aws.cloudtrail 
125    and event.provider: route53domains.amazonaws.com 
126    and event.action: DisableDomainTransferLock 
127    and event.outcome: success
128'''
129
130
131[[rule.threat]]
132framework = "MITRE ATT&CK"
133[[rule.threat.technique]]
134id = "T1098"
135name = "Account Manipulation"
136reference = "https://attack.mitre.org/techniques/T1098/"
137
138
139[rule.threat.tactic]
140id = "TA0003"
141name = "Persistence"
142reference = "https://attack.mitre.org/tactics/TA0003/"
143[[rule.threat]]
144framework = "MITRE ATT&CK"
145[[rule.threat.technique]]
146id = "T1584"
147name = "Compromise Infrastructure"
148reference = "https://attack.mitre.org/techniques/T1584/"
149[[rule.threat.technique.subtechnique]]
150id = "T1584.001"
151name = "Domains"
152reference = "https://attack.mitre.org/techniques/T1584/001/"
153
154
155
156[rule.threat.tactic]
157id = "TA0042"
158name = "Resource Development"
159reference = "https://attack.mitre.org/tactics/TA0042/"
160
161[rule.investigation_fields]
162field_names = [
163    "@timestamp",
164    "user.name",
165    "user_agent.original",
166    "source.ip",
167    "aws.cloudtrail.user_identity.arn",
168    "aws.cloudtrail.user_identity.type",
169    "aws.cloudtrail.user_identity.access_key_id",
170    "event.action",
171    "event.outcome",
172    "cloud.account.id",
173    "cloud.region",
174    "aws.cloudtrail.request_parameters",
175    "aws.cloudtrail.response_elements",
176]