Internal account restructuring, mergers and acquisitions, or legitimate ownership transfers between business units may involve transferring DNS domains to other AWS accounts. Confirm the transfer is approved and documented in change management processes before taking action. Transfers performed by unfamiliar identities, originating from atypical locations, or outside expected maintenance windows should be investigated.

Techniques

Sample rules

AWS Route 53 Domain Transferred to Another Account

Description

Identifies when an AWS Route 53 domain is transferred to another AWS account. Transferring a domain changes administrative control of the DNS namespace, enabling the receiving account to modify DNS records, route traffic, request certificates, and potentially hijack operational workloads. Adversaries who gain access to privileged IAM users or long-lived credentials may leverage domain transfers to establish persistence, redirect traffic, conduct phishing, or stage infrastructure for broader attacks. This rule detects successful domain transfer requests.

Detection logic

event.dataset: aws.cloudtrail
    and event.provider: route53domains.amazonaws.com
    and event.action: TransferDomainToAnotherAwsAccount
    and event.outcome: success
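The rule above applied to raw CloudTrail records, followed by the triage the false-positive note asks for (approved change record, familiar identity, expected location, maintenance window). This is an added example, not part of the LoFP page or the Elastic rule; the records, approval list and baselines are constructed, and it assumes the usual ECS mapping (eventSource to event.provider, eventName to event.action, no errorCode to event.outcome success) with every record already in the aws.cloudtrail dataset.

```python
# Constructed CloudTrail records (not real data): an approved transfer, a
# transfer by an unfamiliar identity, and a denied attempt the rule must skip.
SAMPLE_EVENTS = [
    {"eventSource": "route53domains.amazonaws.com", "eventName": "TransferDomainToAnotherAwsAccount",
     "eventTime": "2024-03-10T02:15:00Z", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "example.com", "accountId": "222222222222"}},
    {"eventSource": "route53domains.amazonaws.com", "eventName": "TransferDomainToAnotherAwsAccount",
     "eventTime": "2024-03-12T14:40:00Z", "sourceIPAddress": "203.0.113.55",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/contractor-tmp"},
     "requestParameters": {"domainName": "example.net", "accountId": "333333333333"}},
    {"eventSource": "route53domains.amazonaws.com", "eventName": "TransferDomainToAnotherAwsAccount",
     "eventTime": "2024-03-12T15:00:00Z", "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dns-admin"},
     "requestParameters": {"domainName": "example.org", "accountId": "444444444444"}},
]

# Constructed change-management record and baselines (assumed, not from the page).
APPROVED = {("example.com", "222222222222"): ("2024-03-10T02:00:00Z", "2024-03-10T04:00:00Z")}
KNOWN_DNS_ADMINS = {"arn:aws:iam::111111111111:user/dns-admin"}
KNOWN_EGRESS_IPS = {"198.51.100.7"}

def rule_matches(ev):
    """The page's detection logic on a raw CloudTrail record."""
    # event.outcome is 'success' when CloudTrail recorded no errorCode.
    return (ev.get("eventSource") == "route53domains.amazonaws.com"
            and ev.get("eventName") == "TransferDomainToAnotherAwsAccount"
            and "errorCode" not in ev)

def triage(ev):
    """Return the false-positive-note reasons that still warrant investigation."""
    p = ev["requestParameters"]
    reasons = []
    window = APPROVED.get((p["domainName"], p["accountId"]))
    if window is None:
        reasons.append("no approved change record")
    elif not (window[0] <= ev["eventTime"] <= window[1]):  # fixed-format UTC strings compare correctly
        reasons.append("outside approved window")
    if ev["userIdentity"]["arn"] not in KNOWN_DNS_ADMINS:
        reasons.append("unfamiliar identity")
    if ev["sourceIPAddress"] not in KNOWN_EGRESS_IPS:
        reasons.append("atypical source IP")
    return reasons

def investigate(events):
    """Map each matched transfer that fails triage to its reasons; approved ones drop out."""
    return {e["requestParameters"]["domainName"]: triage(e)
            for e in events if rule_matches(e) and triage(e)}
```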