The Domain Hijacking Auditor helps you prevent domain takeovers by malicious actors, possible due to misconfigurations in your environment.
If you create a DNS record and point it to a cloud resource, such as an S3 Bucket or an EC2 Instance IP, if you delete the resource you are referencing in your record, anyone else can create the resource in question and are now able to serve content to your users and customers from a legitimate domain name and trick people into providing for example login information.
The auditor uses information from all provided DNSZone and DNSRecords and checks to see if they point to a known vulnerable service, and if the do it will ensure that the resource in question is known to the Probator system. Some checks are able to go further and alert if the resource does exist but is not tracked in any of your accounts, as that may mean it has already been exploited.
Unlike other auditors, which will notify the owners of the accounts, since the DNS and resources could potentially be on seperate accounts this auditor uses a list of email addresses from a configuration setting instead, and you would include your security team / SOC email addresses in this list.
| Option name | Default Value | Type | Description |
|---|---|---|---|
enabled |
False |
bool |
Enable the DomainHijacking auditor |
interval |
60 |
int |
Run frequency in minutes |
email_recipients |
None | array |
List of email addresses to receive alerts |
hijack_subject |
Potential hijack detected |
string |
Subject of the email alert |