Cyber Pulse Academy

T1590.001, Reconnaissance

Domain Properties

Adversaries enumerate a victim's domain registrations (WHOIS records, registrar details, name servers, creation and expiry dates) to map its infrastructure and organizational structure...
[Illustration: a simulated WHOIS lookup for the fictional quantumresearchlabs.com (registrar GoDaddy, DNS on Cloudflare, Let's Encrypt TLS, expiry in 14 days, no WHOIS privacy, no domain lock), a domain lifecycle timeline, a bulk-query panel and an animated query counter captioned "Automated WHOIS reconnaissance at scale".]

Why Domain Properties Matter

Domain properties are among the most publicly accessible yet dangerously informative pieces of reconnaissance data. Every registered domain publishes metadata that adversaries exploit to map your entire digital infrastructure, identify key personnel, and discover exploitable weaknesses in your domain management practices.

  • 87% of org domains expose WHOIS data publicly
  • 350M+ registered domains as WHOIS intel sources
  • 73% of domain hijacks start with WHOIS enumeration
  • $4.9M average cost of a successful domain hijack

Domain properties reveal the registrar, hosting provider, name servers, creation dates, and organizational contacts associated with a target's online presence. This information identifies the technology stack, hosting infrastructure, and administrative contacts that adversaries use to plan further attacks. When WHOIS records are publicly accessible, an attacker can determine which registrar manages the domain, which DNS provider handles resolution, when the domain registration expires, and who the administrative and technical contacts are. This creates a comprehensive map of the target's external digital footprint without requiring any privileged access whatsoever.


The cybersecurity implications are severe and well-documented. CISA has warned about DNS infrastructure hijacking campaigns targeting domain registrations (Advisory AA19-024A), where state-sponsored actors systematically exploited weak domain management controls to redirect traffic, intercept communications, and impersonate legitimate services. These campaigns demonstrated that a single compromised domain registration can cascade into complete infrastructure takeover, affecting email, web applications, VPN endpoints, and internal service communications simultaneously across an organization's entire digital presence.


Domain hijacking and lookalike domain registration are rapidly growing threats that directly leverage WHOIS intelligence. According to Fortinet's 2025 Threat Landscape Report, adversaries register thousands of lookalike domains targeting Fortune 500 companies every quarter, using automated WHOIS harvesting to identify the exact domain portfolios, subdomain conventions, and naming patterns that make their phishing campaigns indistinguishable from legitimate communications. Domain WHOIS data also reveals organizational hierarchy, IT team contacts, and security posture indicators that enable highly targeted social engineering operations against specific individuals within the organization.

Key Terms & Concepts

Simple Definition

Domain Properties (T1590.001) is a sub-technique under MITRE ATT&CK's Reconnaissance tactic where adversaries gather information about a victim's registered domain names, including registrar details, DNS hosting provider, creation and expiration dates, name servers, administrative contacts, and domain ownership history. This information reveals the target's hosting infrastructure, technology providers, and organizational structure. Attackers use publicly available WHOIS databases, DNS enumeration tools, certificate transparency logs, and passive DNS repositories to build comprehensive profiles of victim domains. The collected intelligence supports subsequent attack phases including domain hijacking, lookalike domain registration, DNS spoofing, and targeted social engineering campaigns against identified personnel. This technique requires no special permissions or credentials, as domain registration data is inherently public by design.

Everyday Analogy

Think of a domain name like a property deed. It tells you who owns the land (registrant), who manages it (registrar), when it was purchased (creation date), when the lease runs out (expiry date), and who provides the utilities (name servers and hosting provider). A burglar who accesses property records can learn exactly when your alarm system was installed, which security company you use, when your contract expires, and who has the spare keys, all without ever visiting your house. Similarly, WHOIS data exposes when a company registered their domain, which provider they trust with their DNS, who handles their IT administration, and when their domain might lapse. Armed with this information, an attacker can time a domain hijacking attempt for the moment a registration expires, impersonate the IT admin to social-engineer the registrar, or register lookalike domains that mimic the target's naming conventions to deceive employees and customers alike. The property records are public, and so are domain registration records.

🔗 How WHOIS Data Chains Into Broader Attacks

Domain properties rarely serve as an endpoint in adversary operations. Instead, they function as a critical enabler that feeds intelligence into multiple downstream attack paths. A registrar identifier reveals which support channels an attacker can target with social engineering. Name server records expose the DNS infrastructure provider and its known vulnerabilities. Creation dates help estimate the organization's maturity and likely security investments. Expiry dates identify timing windows for domain takeover attempts. Administrative contact emails, when exposed, become direct targets for spear-phishing campaigns. Even the choice of privacy protection services, or lack thereof, signals the organization's security awareness level and helps adversaries calibrate the sophistication of their approach. Each data point compounds with others to form an increasingly detailed operational picture that guides every subsequent phase of the attack lifecycle.

Related Concepts & Terminology

  • WHOIS Protocol: TCP-based query/response protocol (port 43) for querying domain registration databases
  • RDAP: Registration Data Access Protocol, the modern WHOIS replacement with structured JSON output
  • Domain Lock: Registrar feature preventing unauthorized domain transfers (clientTransferProhibited status)
  • WHOIS Privacy: Service that replaces registrant PII with proxy contact information in public records
  • Passive DNS: Historical DNS record repositories that track resolution changes over time
  • CT Logs: Certificate Transparency logs that reveal all TLS certificates issued for a domain

Real-World Scenario

👤 Character: Lisa Chang, Domain Manager at Quantum Research Labs

Lisa Chang manages the domain portfolio for Quantum Research Labs, a mid-size biotech company with 2,400 employees and a growing international research presence. When she assumed the role, the company's domain management was fragmented across multiple registrars with inconsistent security controls, and she inherited a digital footprint that had grown organically without centralized oversight for over six years. Her journey from vulnerable to hardened domain operations illustrates the real-world impact of T1590.001 reconnaissance and the defensive measures that can neutralize this attack vector entirely.

🔴 Before: WHOIS Records Fully Exposed

Quantum Research Labs had domain WHOIS records publicly accessible across all 23 registered domains, revealing administrative contacts, the hosting provider (a mid-tier shared hosting service), exact domain expiry dates, and the registrar's identity (GoDaddy). An adversary discovered through passive WHOIS enumeration that the company's primary domain was set to expire in just 14 days, the registrar offered minimal security controls without mandatory two-factor authentication, and the administrative email followed a predictable first-initial-last-name format ([email protected]). The attacker attempted domain hijacking by contacting GoDaddy support with spoofed administrative credentials, claiming an urgent ownership transfer request. Simultaneously, they registered 15 lookalike domains including quantumresearch-labs.com, quantumresearchlabs-security.com, and qr-labs-portal.net to launch sophisticated phishing campaigns targeting employees across all departments with convincing emails that appeared to originate from legitimate internal services.

🔴 Attack Escalation: Infrastructure Mapping

Using the WHOIS intelligence gathered from the primary domain, the attacker systematically queried all discovered subdomains and related domains through automated bulk WHOIS lookups. They identified that Quantum Research Labs used Cloudflare for DNS resolution on their main site but had four subdomains still resolving through a legacy DNS provider with known authentication bypass vulnerabilities. The creation dates of various domains revealed that the company had undergone a merger two years prior, resulting in two separate domain portfolios with different registrars and security configurations. The attacker mapped the complete organizational hierarchy from WHOIS contact records, identifying the IT director, network administrator, CTO, and even the legal department contact who managed trademark-related domain registrations. This intelligence enabled precision-targeted spear-phishing emails that impersonated the CTO requesting urgent DNS changes, nearly succeeding before a vigilant system administrator noticed discrepancies in the email headers.

🟢 After: Comprehensive Domain Hardening

Lisa Chang overhauled Quantum Research Labs' entire domain management program. She enabled WHOIS privacy protection on all 23 domains immediately, masking registrant contact information behind privacy proxy services. She implemented registrar-level domain locks with clientTransferProhibited and clientDeleteProhibited statuses on every domain, requiring authenticated support calls with predetermined security questions for any modification requests. She consolidated the domain portfolio to a single enterprise-grade registrar offering multi-factor authentication and account-level security controls. Automated domain renewal was configured with 90-day advance notifications and auto-renewal enabled, eliminating the expiry window vulnerability entirely. Lisa registered 38 defensive lookalike domains covering common typosquatting variations and deployed DMARC with reporting (p=quarantine, rua aggregated reports) to monitor for unauthorized email usage of their domains. She subscribed to commercial domain monitoring services that provide real-time alerts whenever new domains are registered containing the company name or trademark terms, and she established quarterly domain portfolio audits to identify and remediate any configuration drift or newly exposed WHOIS data across the organization's expanding digital footprint.

7-Step Domain Property Protection Guide

01. Enable WHOIS Privacy Protection

Activate WHOIS privacy or domain proxy services on every registered domain to mask registrant contact details from public query results and automated harvesting tools.

  • Enable through your registrar's privacy add-on (often free with enterprise plans)
  • Verify privacy is active using third-party WHOIS lookup tools from outside your network
  • Ensure privacy covers administrative, technical, and billing contacts

02. Implement Registrar-Level Domain Locks

Enable clientTransferProhibited and clientDeleteProhibited statuses to prevent unauthorized domain transfers, deletions, or modifications without explicit authentication.

  • Activate registry lock for mission-critical domains (requires phone verification for changes)
  • Document lock procedures and ensure multiple authorized contacts are registered
  • Audit lock status monthly and verify no unauthorized status changes have occurred

03. Automate Domain Renewal with Extended Alerts

Configure auto-renewal on all domains and establish notification chains that alert multiple stakeholders well before any domain approaches its expiration date.

  • Enable auto-renewal with a payment method that won't expire before the domain does
  • Set calendar alerts at 90, 60, and 30 days before expiry for critical domains
  • Register domains for maximum allowable terms (typically 10 years) to reduce exposure

04. Register Defensive Lookalike Domains

Proactively register common typosquatting variations, homograph variants, and keyword-associated domains to prevent adversaries from establishing convincing phishing infrastructure.

  • Cover common typos (transpositions, omissions, doubled letters) for your primary domain
  • Register domains with security-related keywords (e.g., -security, -login, -portal)
  • Monitor new gTLD launches for additional extensions that match your brand name

05. Deploy DMARC with Reporting

Implement DMARC (Domain-based Message Authentication, Reporting and Conformance) with aggregate and forensic reporting to detect and prevent unauthorized use of your domains in email.

  • Start with p=none for monitoring, then progress to p=quarantine and eventually p=reject
  • Configure rua (aggregate) and ruf (forensic) report destinations
  • Analyze DMARC reports weekly for unauthorized senders attempting to use your domains

06. Subscribe to Domain Monitoring Services

Deploy commercial or open-source domain monitoring that provides real-time alerts when new domains are registered containing your organization's name, trademarks, or key personnel identifiers.

  • Configure alerts for exact match, fuzzy match, and keyword proximity variations
  • Monitor WHOIS changes on your own domains (registrar, nameserver, contact modifications)
  • Integrate alerts into your SOC workflow for rapid investigation and response

07. Conduct Quarterly Domain Portfolio Audits

Establish a regular audit cadence to inventory all registered domains, verify security controls, review WHOIS exposure, and identify orphaned or forgotten domain assets that may have drifted into vulnerable configurations.

  • Maintain a centralized inventory of all domains with responsible owners and renewal dates
  • Test WHOIS privacy effectiveness from external networks at each audit cycle
  • Review and revoke any unnecessary registrar account access or outdated credentials
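The checks from steps 01, 02, 03 and 05 as one portfolio audit, added here as an example and not code from the original page: it evaluates a constructed RDAP JSON response (the RFC 9083 shape a registrar's RDAP service returns) and a constructed _dmarc TXT record per domain. The domain names, registrant values and the fixed reference date are assumptions made for the sample data.

```python
"""Portfolio audit for steps 01, 02, 03 and 05 above (WHOIS privacy, lock statuses,
expiry window, DMARC policy) over RDAP JSON and each domain's _dmarc TXT record."""
from datetime import datetime, timezone

# Constructed RDAP-style responses and _dmarc TXT records for two hypothetical domains.
SAMPLE_RDAP = {
    "quantumresearchlabs.com": {
        "status": ["client transfer prohibited", "client delete prohibited"],
        "events": [{"eventAction": "expiration", "eventDate": "2026-03-15T08:22:14Z"}],
        "entities": [{"roles": ["registrant"],
                      "vcardArray": ["vcard", [["fn", {}, "text", "REDACTED FOR PRIVACY"]]]}],
    },
    "qr-labs.net": {
        "status": ["active"],
        "events": [{"eventAction": "expiration", "eventDate": "2025-03-29T00:00:00Z"}],
        "entities": [{"roles": ["registrant"],
                      "vcardArray": ["vcard", [["fn", {}, "text", "Lisa Chang"]]]}],
    },
}
SAMPLE_DMARC = {
    "quantumresearchlabs.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quantumresearchlabs.com",
    "qr-labs.net": "v=DMARC1; p=none",
}
AUDIT_REFERENCE_TIME = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed "now" for the sample
REQUIRED_LOCKS = {"clienttransferprohibited", "clientdeleteprohibited"}

def norm_status(values):
    # EPP 'clientTransferProhibited' and RDAP 'client transfer prohibited' are one status.
    return {v.replace(" ", "").lower() for v in values}

def registrant_is_private(rdap):
    """True unless a registrant 'fn' (formatted name) field carries a real name."""
    for ent in rdap.get("entities", []):
        if "registrant" in ent.get("roles", []):
            for field in ent.get("vcardArray", ["vcard", []])[1]:
                if field[0] == "fn" and not any(m in field[3].lower() for m in ("redacted", "privacy")):
                    return False
    return True

def days_to_expiry(rdap, now):
    # Days until the RDAP 'expiration' event; None when the response has no such event.
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return (datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00")) - now).days
    return None

def parse_dmarc(txt):
    # 'v=DMARC1; p=quarantine; rua=...' -> {'v': 'DMARC1', 'p': 'quarantine', 'rua': ...}
    return {k.strip().lower(): v.strip() for k, v in
            (part.split("=", 1) for part in txt.split(";") if "=" in part)}

def audit_domain(rdap, dmarc_txt, now, warn_days=90):
    """Findings for one domain; an empty list means every check passed."""
    findings = []
    missing = REQUIRED_LOCKS - norm_status(rdap.get("status", []))
    if missing:
        findings.append("missing lock status: " + ", ".join(sorted(missing)))
    if not registrant_is_private(rdap):
        findings.append("registrant contact exposed in WHOIS/RDAP")
    days = days_to_expiry(rdap, now)
    if days is not None and days <= warn_days:
        findings.append(f"expires in {days} days (inside {warn_days}-day alert window)")
    tags = parse_dmarc(dmarc_txt or "")
    if tags.get("v") != "DMARC1":
        findings.append("no DMARC record")
    elif tags.get("p", "none") == "none":
        findings.append("DMARC policy is p=none (monitor only)")
    elif "rua" not in tags:
        findings.append("DMARC record has no rua reporting address")
    return findings

def audit_portfolio(rdap_by_domain, dmarc_by_domain, now=AUDIT_REFERENCE_TIME):
    return {d: audit_domain(r, dmarc_by_domain.get(d), now) for d, r in rdap_by_domain.items()}
```

Running audit_portfolio(SAMPLE_RDAP, SAMPLE_DMARC) reports the first domain clean and the second with missing locks, an exposed registrant, a 28-day expiry window and a monitor-only DMARC policy.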

Mistakes & Best Practices

❌ Common Mistakes

  • Leaving WHOIS records publicly accessible, exposing admin contacts, email addresses, and organizational structure to anyone who queries the registration database
  • Using free or low-tier registrars without domain lock features, two-factor authentication, or transfer protection, making hijacking trivially simple
  • Forgetting to renew domain registrations or relying on a single person to manage renewals, creating catastrophic single points of failure for the entire web presence
  • Ignoring lookalike domain registrations until phishing campaigns are already actively targeting employees, customers, or partners using convincing spoofed domains
  • Scattering domains across multiple registrars without centralized management, creating blind spots where individual domains silently lose security controls
  • Using predictable email patterns in WHOIS records ([email protected]) that enable automated harvesting and highly targeted spear-phishing attacks
  • Failing to audit DNSSEC configuration, leaving domains vulnerable to cache poisoning attacks that redirect legitimate traffic to attacker-controlled infrastructure

✓ Best Practices

  • Enable WHOIS privacy protection on every registered domain without exception, and verify its effectiveness quarterly using independent WHOIS lookup services
  • Consolidate domains to an enterprise registrar with registry lock, MFA, and dedicated account management, treating domain credentials as crown jewels
  • Implement auto-renewal on all domains with backup payment methods and establish multi-channel alerting at 90, 60, and 30 days before expiry
  • Deploy automated brand monitoring that detects new domain registrations containing company names, trademarks, or executive names within hours of creation
  • Maintain a comprehensive domain inventory spreadsheet or CMDB entry with owners, renewal dates, registrar accounts, and security control status for each domain
  • Use dedicated role-based email addresses for WHOIS contacts ([email protected]) rather than personal addresses, monitored by a distribution list rather than individuals
  • Implement DNSSEC with signed zones on all authoritative DNS servers, and validate DNSSEC chains from recursive resolvers used by employees and customers

Red Team & Blue Team Perspectives

RED TEAM

🔴 Offensive: Domain Intelligence Harvesting

Red team operators begin domain property enumeration by querying WHOIS databases through bulk lookup tools and APIs to extract maximum intelligence from target domain registrations. They use automated tools like Amass, Sublist3r, and custom WHOIS scraping scripts to enumerate the complete domain portfolio, including subdomains, related domains from certificate transparency logs, and historical WHOIS records from passive DNS repositories. The goal is to build a comprehensive infrastructure map that reveals hosting providers, DNS configurations, technology stacks, organizational contacts, and potential vulnerabilities in the target's domain management practices.


Key offensive techniques include identifying domains approaching expiry for timing hijacking attempts, locating registrars with weak authentication controls for social engineering, mapping name server infrastructure to identify shared hosting environments that could provide lateral movement opportunities, and harvesting administrative contact information for crafting convincing spear-phishing campaigns. Red teams also analyze WHOIS history to identify recent domain transfers, ownership changes, or DNS provider migrations that might indicate periods of transition where security controls are temporarily weakened. They catalog the complete timeline of domain lifecycle events to identify patterns and predict future behavior, ultimately selecting the highest-probability attack paths based on the gathered intelligence.

BLUE TEAM

🔵 Defensive: Domain Footprint Reduction

Blue team defenders focus on minimizing the attack surface exposed through domain properties while maintaining operational functionality. The defensive strategy centers on reducing public information exposure, hardening registrar configurations, implementing monitoring for unauthorized domain activity, and establishing rapid response procedures for domain-related incidents. Defenders regularly audit their organization's WHOIS exposure from external perspectives, verify that privacy protections are functioning correctly, and ensure that domain lock mechanisms are properly configured on every registered domain in the portfolio.


Key defensive measures include deploying DMARC to prevent unauthorized domain use in email, subscribing to domain monitoring services that alert on new lookalike registrations, implementing DNSSEC to prevent DNS spoofing and cache poisoning attacks, and maintaining comprehensive documentation of the domain portfolio with designated owners and escalation procedures. Blue teams also establish relationships with registrars for rapid incident response, configure SIEM rules to detect WHOIS enumeration patterns from threat intelligence feeds, and conduct regular purple team exercises that simulate domain-based attack scenarios to validate defensive controls. Continuous monitoring of certificate transparency logs, passive DNS repositories, and new domain registration feeds provides early warning of adversary reconnaissance activities targeting the organization.

Threat Hunter's Playbook

🔍 Hunting Domain Property Reconnaissance Activity

Threat hunters can detect domain property enumeration by monitoring for patterns consistent with automated WHOIS queries, bulk DNS lookups, and certificate transparency log harvesting that target their organization's domain portfolio. Unlike network intrusions, WHOIS reconnaissance primarily occurs against external databases, making detection reliant on third-party intelligence, log analysis from authoritative DNS servers, and behavioral indicators rather than traditional endpoint or network telemetry. Hunters should establish baselines for normal WHOIS query volumes and alert on significant deviations that may indicate adversary reconnaissance campaigns actively targeting the organization.

Detection Queries & Hunt Hypotheses

Hunt hypothesis: Adversary bulk-querying our domain WHOIS data
  Data source: Registrar query logs / RDAP logs
  Indicator pattern: >5 WHOIS queries from a single IP within 1 hour for our domains

Hunt hypothesis: Lookalike domains registered targeting our brand
  Data source: Brand monitoring service / WHOIS alerts
  Indicator pattern: New domains containing the company name plus security/login/portal keywords

Hunt hypothesis: Passive DNS harvesting of our subdomain infrastructure
  Data source: Passive DNS aggregation services
  Indicator pattern: Unusual query volume from research/VPN IP ranges for our DNS zones

Hunt hypothesis: Certificate Transparency log scraping for our domains
  Data source: crt.sh / CT log monitors
  Indicator pattern: Automated polling patterns for certificates issued to our domain names

Hunt hypothesis: Domain expiry window surveillance
  Data source: Internal domain management system
  Indicator pattern: WHOIS queries spiking 30-60 days before domain expiry dates

Hunt hypothesis: DNS provider reconnaissance via nameserver queries
  Data source: Authoritative DNS server logs
  Indicator pattern: NS record queries from unexpected ASNs followed by SOA queries
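Two of the hunt hypotheses above (bulk WHOIS/RDAP querying and NS-then-SOA nameserver reconnaissance) as detection logic run over sample logs, added here as an example and not code from the original page. The log line formats, the source addresses (documentation ranges) and the domain list are constructed for the sample; a real deployment would feed registrar RDAP access logs and authoritative DNS query logs in whatever format they arrive.

```python
"""Two hunt hypotheses from the table above over constructed sample logs:
(1) more than N RDAP/WHOIS queries for our domains from one source inside a
sliding 1-hour window, and (2) an NS query followed within minutes by an SOA
query for the same zone from the same source on the authoritative server."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

OUR_DOMAINS = {"quantumresearchlabs.com", "qr-labs.net", "qrcloud.io"}

# Constructed registrar/RDAP access log: '<iso-ts> <src-ip> <queried-domain>'.
SAMPLE_RDAP_LOG = [
    "2025-03-01T10:00:05Z 203.0.113.7 quantumresearchlabs.com",
    "2025-03-01T10:03:11Z 203.0.113.7 qr-labs.net",
    "2025-03-01T10:07:42Z 198.51.100.20 quantumresearchlabs.com",
    "2025-03-01T10:09:30Z 203.0.113.7 qrcloud.io",
    "2025-03-01T10:15:02Z 203.0.113.7 quantumresearchlabs.com",
    "2025-03-01T10:21:19Z 203.0.113.7 example.org",
    "2025-03-01T10:28:44Z 203.0.113.7 qr-labs.net",
    "2025-03-01T10:35:58Z 203.0.113.7 quantumresearchlabs.com",
    "2025-03-01T10:49:13Z 203.0.113.7 qrcloud.io",
    "2025-03-01T14:10:00Z 198.51.100.20 qr-labs.net",
]
# Constructed authoritative DNS query log: '<iso-ts> <src-ip> <qtype> <qname>'.
SAMPLE_DNS_LOG = [
    "2025-03-01T11:02:10Z 198.51.100.9 NS quantumresearchlabs.com.",
    "2025-03-01T11:02:14Z 198.51.100.9 SOA quantumresearchlabs.com.",
    "2025-03-01T11:03:00Z 192.0.2.44 A www.quantumresearchlabs.com.",
    "2025-03-01T11:10:00Z 192.0.2.44 SOA qr-labs.net.",
    "2025-03-01T12:30:00Z 198.51.100.9 NS qr-labs.net.",
    "2025-03-01T13:00:00Z 198.51.100.9 SOA qr-labs.net.",
]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def bulk_query_alerts(lines, threshold=5, window=timedelta(hours=1)):
    """Sources that issued more than `threshold` queries for our domains within
    any `window`; value is (count, window start, time the threshold was crossed)."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        ts_s, ip, domain = line.split()
        if domain.lower() not in OUR_DOMAINS:
            continue  # queries for other domains are not our signal
        ts = parse_ts(ts_s)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = (len(q), q[0], ts)
    return alerts

def ns_then_soa_alerts(lines, max_gap=timedelta(minutes=10)):
    """(src-ip, zone, ns-time, soa-time) for each NS query on one of our zones
    followed within `max_gap` by an SOA query for the same zone from the same source."""
    last_ns = {}
    alerts = []
    for line in lines:
        ts_s, ip, qtype, qname = line.split()
        zone = qname.rstrip(".").lower()
        if zone not in OUR_DOMAINS:
            continue
        ts = parse_ts(ts_s)
        if qtype == "NS":
            last_ns[(ip, zone)] = ts
        elif qtype == "SOA" and (ip, zone) in last_ns and ts - last_ns[(ip, zone)] <= max_gap:
            alerts.append((ip, zone, last_ns[(ip, zone)], ts))
    return alerts

if __name__ == "__main__":
    for ip, (n, start, end) in bulk_query_alerts(SAMPLE_RDAP_LOG).items():
        print(f"bulk WHOIS/RDAP: {ip} made {n} queries between {start} and {end}")
    for ip, zone, t_ns, t_soa in ns_then_soa_alerts(SAMPLE_DNS_LOG):
        print(f"NS then SOA: {ip} on {zone} at {t_ns} / {t_soa}")
```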

📈 Hunting Workflow

Begin by establishing a complete inventory of all domains, subdomains, and related digital assets belonging to your organization. Query this inventory against passive DNS databases, certificate transparency logs, and threat intelligence platforms to identify any unauthorized or unexpected entries. Monitor registrar account logs for authentication attempts, configuration changes, or support ticket activity that could indicate adversary interest in your domain portfolio. Cross-reference WHOIS query patterns from your registrar's analytics with known threat actor IP ranges and research VPN exit nodes from threat intelligence feeds. Track new domain registrations containing your company name, executive names, or product names through automated monitoring services and manual periodic searches. When anomalies are detected, enrich the intelligence with additional context from DNS history, web archive snapshots, and SSL certificate analysis to determine whether the activity represents benign research, competitive intelligence gathering, or active adversarial reconnaissance warranting defensive response.

Start Protecting Your Domain Properties Today

Domain property reconnaissance is one of the first steps adversaries take when targeting your organization. The data is public, the tools are free, and the impact of a successful domain hijack can be catastrophic. Audit your WHOIS exposure now, enable privacy protections, lock your domains, and monitor for lookalike registrations before attackers exploit the gaps in your domain management.

Discuss this technique with your team. Review your domain portfolio. Reduce your attack surface.
