AWS Route 53 Domain Transferred to Another Account

  1[metadata]
  2creation_date = "2021/05/10"
  3integration = ["aws"]
  4maturity = "production"
  5updated_date = "2026/01/21"
  6
  7[rule]
  8author = ["Elastic", "Austin Songer"]
  9description = """
 10Identifies when an AWS Route 53 domain is transferred to another AWS account. Transferring a domain changes
 11administrative control of the DNS namespace, enabling the receiving account to modify DNS records, route traffic,
 12request certificates, and potentially hijack operational workloads. Adversaries who gain access to privileged IAM users
 13or long-lived credentials may leverage domain transfers to establish persistence, redirect traffic, conduct phishing, or
 14stage infrastructure for broader attacks. This rule detects successful domain transfer requests.
 15"""
 16false_positives = [
 17    """
 18    Internal account restructuring, mergers and acquisitions, or legitimate ownership transfers between business units
 19    may involve transferring DNS domains to other AWS accounts. Confirm the transfer is approved and documented in
 20    change management processes before taking action. Transfers performed by unfamiliar identities, originating from
 21    atypical locations, or outside expected maintenance windows should be investigated.
 22    """,
 23]
 24from = "now-6m"
 25index = ["filebeat-*", "logs-aws.cloudtrail-*"]
 26language = "kuery"
 27license = "Elastic License v2"
 28name = "AWS Route 53 Domain Transferred to Another Account"
 29note = """## Triage and analysis
 30
 31### Investigating AWS Route 53 Domain Transferred to Another Account
 32
 33Transferring a Route 53 domain to another AWS account is a high-impact administrative action. A successful transfer enables the
 34recipient account to fully manage the domain and all associated DNS resources. Unauthorized transfers can result in loss of
 35visibility and control, traffic redirection, service outages, or domain hijacking for phishing, credential harvesting, or command-and-control.
 36
 37This rule detects successful calls to `TransferDomainToAnotherAwsAccount`. These events are rare and should be considered
 38high-risk unless explicitly documented and approved.
 39
 40### Possible investigation steps
 41
 42- **Identify the actor and authentication context**
 43  - Review `aws.cloudtrail.user_identity.arn` and `aws.cloudtrail.user_identity.access_key_id` to determine who initiated the transfer. Determine whether the actor typically performs Route 53 administrative actions or if this represents anomalous behavior.
 44
 45- **Review request details and target account**
 46  - Inspect `aws.cloudtrail.request_parameters` for: `DomainName`, `AccountId` receiving the transfer, Request tokens or validation parameters. Validate whether the destination AWS account is recognized, trusted, or documented in ownership transfer procedures.
 47
 48- **Assess environment and timing**
 49  - Compare `@timestamp` against maintenance windows, deployment pipelines, or approved domain operations. Review the region and endpoint used; domain transfers occurring from unexpected regions may indicate unauthorized access.
 50
 51- **Analyze source and execution context**
 52  - Review `source.ip`, `source.geo.country_iso_code`, and `user_agent.original` to determine:
 53    - If the request originated from known networks, Whether it matches typical administrator access patterns or if suspicious automation tools, outdated SDK versions, or unknown agents were used.
 54
 55- **Correlate with broader activity**
 56  - Pivot on the same IAM principal or access key ID to identify:
 57    - Recent IAM policy changes or privilege escalation
 58    - `DisableDomainTransferLock`, which normally precedes domain transfers
 59    - AWS console sign-ins from new geolocations or ASNs
 60    - API calls involving certificate requests, hosted zone changes, or DNS record edits
 61  - Look for evidence of lateral movement or credential theft preceding the transfer.
 62
 63- **Validate with business owners**
 64  - Confirm with domain owners, development teams, or asset managers whether The transfer was intentional.
 65
 66### False positive analysis
 67
 68- **Expected domain migrations**
 69  - Organizations with multi-account strategies may transfer domains between operational, security, or sandbox accounts.
 70- **Business events**
 71  - Mergers, acquisitions, or contractual transitions between managed service providers often involve bulk domain transfers.
 72- **Automated administrative tooling**
 73  - Domain lifecycle automation or infrastructure-as-code pipelines may trigger transfers if misconfigured.
 74  
 75### Response and remediation
 76
 77- **Contain and revoke access**
 78  - If unauthorized, immediately invalidate the IAM session or access keys used in the transfer.
 79  - Rotate credentials for the implicated IAM user or role and require MFA for privileged operations.
 80
 81- **Reverse or halt the transfer**
 82  - Contact AWS Support as soon as possible to request assistance reversing or blocking the transfer if it was not approved.
 83  - Re-enable transfer lock (`DisableDomainTransferLock=false`) to prevent further modifications.
 84
 85- **Investigate the extent of compromise**
 86  - Review CloudTrail to identify all actions performed by the actor before and after the transfer.
 87  - Check for additional changes to hosted zones, DNS records, certificates, or registrar contact details.
 88
 89- **Restore operational integrity**
 90  - Validate DNS routing, certificate issuance, and application endpoints for signs of redirection or tampering.
 91  - Communicate with impacted teams and external stakeholders if customer-facing domains were affected.
 92
 93- **Hardening and long-term improvements**
 94  - Restrict domain transfer permissions to a minimal set of roles using IAM Conditions such as `aws:PrincipalArn` and `aws:MultiFactorAuthPresent`
 95  - Consider SCPs to block domain-transfer APIs in production accounts.
 96  - Add change-management tracking for domain ownership modifications.
 97
 98### Additional information
 99- **[AWS IR Playbooks](https://github.com/aws-samples/aws-incident-response-playbooks/blob/c151b0dc091755fffd4d662a8f29e2f6794da52c/playbooks/)** 
100- **[AWS Customer Playbook Framework](https://github.com/aws-samples/aws-customer-playbook-framework/tree/a8c7b313636b406a375952ac00b2d68e89a991f2/docs)** 
101- **[AWS Knowledge Center – Security Best Practices](https://aws.amazon.com/premiumsupport/knowledge-center/security-best-practices/)**
102"""
103references = ["https://docs.aws.amazon.com/Route53/latest/APIReference/API_Operations_Amazon_Route_53.html"]
104risk_score = 73
105rule_id = "2045567e-b0af-444a-8c0b-0b6e2dae9e13"
106severity = "high"
107tags = [
108    "Domain: Cloud",
109    "Data Source: AWS",
110    "Data Source: Amazon Web Services",
111    "Data Source: AWS Route 53",
112    "Use Case: Asset Visibility",
113    "Tactic: Persistence",
114    "Tactic: Resource Development",
115    "Resources: Investigation Guide",
116]
117timestamp_override = "event.ingested"
118type = "query"
119
120query = '''
121event.dataset: aws.cloudtrail 
122    and event.provider: route53domains.amazonaws.com 
123    and event.action: TransferDomainToAnotherAwsAccount 
124    and event.outcome: success
125'''
126
127
128[[rule.threat]]
129framework = "MITRE ATT&CK"
130[[rule.threat.technique]]
131id = "T1098"
132name = "Account Manipulation"
133reference = "https://attack.mitre.org/techniques/T1098/"
134
135
136[rule.threat.tactic]
137id = "TA0003"
138name = "Persistence"
139reference = "https://attack.mitre.org/tactics/TA0003/"
140[[rule.threat]]
141framework = "MITRE ATT&CK"
142[[rule.threat.technique]]
143id = "T1584"
144name = "Compromise Infrastructure"
145reference = "https://attack.mitre.org/techniques/T1584/"
146[[rule.threat.technique.subtechnique]]
147id = "T1584.001"
148name = "Domains"
149reference = "https://attack.mitre.org/techniques/T1584/001/"
150
151
152
153[rule.threat.tactic]
154id = "TA0042"
155name = "Resource Development"
156reference = "https://attack.mitre.org/tactics/TA0042/"
157
158[rule.investigation_fields]
159field_names = [
160    "@timestamp",
161    "user.name",
162    "user_agent.original",
163    "source.ip",
164    "aws.cloudtrail.user_identity.arn",
165    "aws.cloudtrail.user_identity.type",
166    "aws.cloudtrail.user_identity.access_key_id",
167    "event.action",
168    "event.outcome",
169    "cloud.account.id",
170    "cloud.region",
171    "aws.cloudtrail.request_parameters",
172    "aws.cloudtrail.response_elements",
173]