Tactic: Resource Development

AWS Route 53 Domain Transfer Lock Disabled

Dec 18, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Route 53 Use Case: Asset Visibility Tactic: Persistence Tactic: Resource Development Resources: Investigation Guide ·

Share on:

Identifies when the transfer lock on an AWS Route 53 domain is disabled. The transfer lock protects domains from being moved to another registrar or AWS account without authorization. Disabling this lock removes an important safeguard against domain hijacking. Adversaries who gain access to domain-management permissions may disable the lock as a precursor to unauthorized domain transfer, takeover, or service disruption.

AWS Route 53 Domain Transferred to Another Account

Dec 18, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Route 53 Use Case: Asset Visibility Tactic: Persistence Tactic: Resource Development Resources: Investigation Guide ·

Share on:

Identifies when an AWS Route 53 domain is transferred to another AWS account. Transferring a domain changes administrative control of the DNS namespace, enabling the receiving account to modify DNS records, route traffic, request certificates, and potentially hijack operational workloads. Adversaries who gain access to privileged IAM users or long-lived credentials may leverage domain transfers to establish persistence, redirect traffic, conduct phishing, or stage infrastructure for broader attacks. This rule detects successful domain transfer requests.

AWS Route 53 Private Hosted Zone Associated With a VPC

Dec 18, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS Route 53 Use Case: Asset Visibility Tactic: Persistence Tactic: Resource Development Resources: Investigation Guide ·

Share on:

Identifies when an AWS Route 53 private hosted zone is associated with a new Virtual Private Cloud (VPC). Private hosted zones restrict DNS resolution to specific VPCs, and associating additional VPCs expands the scope of what networks can resolve internal DNS records. Adversaries with sufficient permissions may associate unauthorized VPCs to intercept, observe, or reroute internal traffic, establish persistence, or expand their visibility within an AWS environment.

AWS SNS Topic Created by Rare User

Sep 11, 2025 · Domain: Cloud Data Source: AWS Data Source: Amazon Web Services Data Source: AWS SNS Resources: Investigation Guide Use Case: Threat Detection Tactic: Resource Development Tactic: Impact ·

Share on:

Identifies when an SNS topic is created by a user who does not typically perform this action. Adversaries may create SNS topics to stage capabilities for data exfiltration or other malicious activities. This is a New Terms rule that only flags when this behavior is observed for the first time by a user or role.

Anomalous Linux Compiler Activity

Jan 22, 2025 · Domain: Endpoint OS: Linux Use Case: Threat Detection Rule Type: ML Rule Type: Machine Learning Tactic: Resource Development Resources: Investigation Guide ·

Share on:

Looks for compiler activity by a user context which does not normally run compilers. This can be the result of ad-hoc software changes or unauthorized software deployment. This can also be due to local privilege elevation via locally run exploits or malware activity.