
AWS Route 53 public hosted zone created unexpectedly

ID: aws_route53_public_zone_created_anomaly
Data type: AWS CloudTrail
Severity: Informational - Low
MITRE ATT&CK: TA0042:T1584.001

Description

AlphaSOC detected the creation of a public hosted zone in AWS Route 53. A public hosted zone allows the registration and management of public DNS records for a domain. While this is usually legitimate, threat actors can abuse it to stage infrastructure for malicious activity such as phishing or data exfiltration. Route 53 public hosted zones created by AWS services are exempt from the detection to avoid false positives.

Impact

An unauthorized public hosted zone lets an adversary create seemingly legitimate subdomains, which can lead to data breaches or serve as a launching pad for further attacks against the organization's infrastructure.

Severity

Severity      | Condition
Informational | Route 53 public hosted zone created
Low           | Unexpected ASN, user agent or region

Investigation and Remediation

Investigate the creation of the public hosted zone by reviewing AWS CloudTrail logs to identify the user or role responsible, and verify whether the action was legitimate. If it was unauthorized, immediately remove the hosted zone and its associated DNS records. Review Identity and Access Management (IAM) permissions to ensure only authorized personnel can create public hosted zones. Investigate any suspicious DNS records or subdomains created within the zone.
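To illustrate the CloudTrail review described above, the following is an added Python example (not AlphaSOC's detection code) that applies this rule's scope and severity conditions to constructed CreateHostedZone records. It assumes the CloudTrail field names shown, treats a userIdentity.invokedBy value as the marker for a zone created on behalf of an AWS service, and substitutes a source-network allowlist for the ASN check, since no ASN data is available offline.

```python
import ipaddress

# Constructed sample CloudTrail records (values made up; layout follows CloudTrail's conventions).
SAMPLE_EVENTS = [
    {"eventSource": "route53.amazonaws.com", "eventName": "CreateHostedZone", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dnsadmin"},
     "requestParameters": {"name": "example.com.", "hostedZoneConfig": {"privateZone": False}}},
    {"eventSource": "route53.amazonaws.com", "eventName": "CreateHostedZone", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.7", "userAgent": "Boto3/1.34.0",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/dev/ci"},
     "requestParameters": {"name": "login-example.com.", "hostedZoneConfig": {"privateZone": False}}},
    {"eventSource": "route53.amazonaws.com", "eventName": "CreateHostedZone", "awsRegion": "us-east-1",
     "sourceIPAddress": "203.0.113.10", "userAgent": "aws-cli/2.15.0",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dnsadmin"},
     "requestParameters": {"name": "corp.internal.", "hostedZoneConfig": {"privateZone": True}}},
    {"eventSource": "route53.amazonaws.com", "eventName": "CreateHostedZone", "awsRegion": "us-east-1",
     "sourceIPAddress": "servicediscovery.amazonaws.com", "userAgent": "servicediscovery.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/svc/x", "invokedBy": "servicediscovery.amazonaws.com"},
     "requestParameters": {"name": "svc.example.", "hostedZoneConfig": {"privateZone": False}}},
]

def classify_hosted_zone_event(event, expected_ua_prefixes=("aws-cli/", "console.amazonaws.com"),
                               expected_networks=("203.0.113.0/24",), expected_regions=("us-east-1",)):
    """None for out-of-scope records (other calls, private zones, AWS-service callers); else a finding."""
    if event.get("eventSource") != "route53.amazonaws.com" or event.get("eventName") != "CreateHostedZone":
        return None
    params = event.get("requestParameters") or {}
    if (params.get("hostedZoneConfig") or {}).get("privateZone"):
        return None  # private zones are out of scope for this detection
    identity = event.get("userIdentity") or {}
    if identity.get("invokedBy"):
        return None  # exemption: zone created on behalf of an AWS service (assumed marker)
    reasons = []
    ua = event.get("userAgent", "")
    if not any(ua.startswith(p) for p in expected_ua_prefixes):
        reasons.append(f"unexpected user agent: {ua}")
    if event.get("awsRegion") not in expected_regions:
        reasons.append(f"unexpected region: {event.get('awsRegion')}")
    ip = event.get("sourceIPAddress", "")
    try:  # allowlisted source networks stand in for the ASN condition
        if not any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in expected_networks):
            reasons.append(f"unexpected source network: {ip}")
    except ValueError:
        reasons.append(f"non-IP source: {ip}")
    return {"zone": params.get("name"), "principal": identity.get("arn"),
            "severity": "low" if reasons else "informational", "reasons": reasons}

def triage(events, **policy):
    return [f for f in (classify_hosted_zone_event(e, **policy) for e in events) if f]
```

Running triage(SAMPLE_EVENTS) yields one Informational finding for the expected dnsadmin creation and one Low finding for the zone created from an unknown SDK and network; the private zone and the service-invoked zone produce no finding.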