LoFP / A domain transfer lock may be intentionally disabled by an authorized administrator to prepare for a planned domain migration or registrar change. Confirm that the action aligns with an approved change request. You may exempt known administrative accounts involved in routine domain operations to reduce noise.

Techniques

Sample rules

AWS Route 53 Domain Transfer Lock Disabled

Description

Identifies when the transfer lock on an AWS Route 53 domain is disabled. The transfer lock protects domains from being moved to another registrar or AWS account without authorization. Disabling this lock removes an important safeguard against domain hijacking. Adversaries who gain access to domain-management permissions may disable the lock as a precursor to unauthorized domain transfer, takeover, or service disruption.

Detection logic

event.dataset: aws.cloudtrail 
    and event.provider: route53domains.amazonaws.com 
    and event.action: DisableDomainTransferLock 
    and event.outcome: success
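
The following is an added example, not part of the original rule or the project's own code: it applies the same four conditions to raw CloudTrail records and implements the exemption for known administrative accounts described in the false-positive note. The allowlisted role, the sample events, and the mapping of eventSource, eventName and a missing errorCode to event.provider, event.action and event.outcome are assumptions.

```python
# Added example. ALLOWLIST and SAMPLE_EVENTS are constructed for illustration.
ALLOWLIST = {"arn:aws:iam::111122223333:role/domain-ops"}  # hypothetical role

def matches_rule(rec):
    """The rule's conditions, expressed on raw CloudTrail record fields."""
    return (
        rec.get("eventSource") == "route53domains.amazonaws.com"
        and rec.get("eventName") == "DisableDomainTransferLock"
        and "errorCode" not in rec  # assumed to correspond to event.outcome: success
    )

def principal(rec):
    """Resolve the acting identity; for role sessions use the issuing role ARN."""
    ident = rec.get("userIdentity") or {}
    issuer = (ident.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or ident.get("arn", "")

def triage(records, allowlist=ALLOWLIST):
    """Split rule matches into alerts and exempted events (kept for change review)."""
    alerts, exempted = [], []
    for rec in records:
        if matches_rule(rec):
            # Exact ARN comparison: substring matching would exempt look-alike names.
            (exempted if principal(rec) in allowlist else alerts).append(
                (principal(rec), rec.get("eventTime")))
    return alerts, exempted

def _event(name, ident, time, error=None):
    rec = {"eventSource": "route53domains.amazonaws.com", "eventName": name,
           "eventTime": time, "userIdentity": ident}
    if error:
        rec["errorCode"] = error
    return rec

OPS_SESSION = {"type": "AssumedRole",
               "arn": "arn:aws:sts::111122223333:assumed-role/domain-ops/alice",
               "sessionContext": {"sessionIssuer": {
                   "arn": "arn:aws:iam::111122223333:role/domain-ops"}}}
DEV_USER = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/dev-bob"}

SAMPLE_EVENTS = [
    _event("DisableDomainTransferLock", OPS_SESSION, "2024-01-01T10:00:00Z"),
    _event("DisableDomainTransferLock", DEV_USER, "2024-01-01T11:00:00Z"),
    _event("DisableDomainTransferLock", DEV_USER, "2024-01-01T11:05:00Z", "AccessDenied"),
    _event("EnableDomainTransferLock", DEV_USER, "2024-01-01T11:10:00Z"),
]

if __name__ == "__main__":
    alerts, exempted = triage(SAMPLE_EVENTS)
    print("alerts:", alerts)
    print("exempted:", exempted)
```

Exempted events are returned rather than dropped so they can still be checked against the approved change request.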