Subdomain Fuzzing

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

20 Minutes

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Palo Alto Networks Platform Logs
      OR
    • XDR Agent

Detection Modules

Detector Tags

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Active Scanning: Wordlist Scanning (T1595.003)

Severity

Low

Description

A root domain belonging to the organization is receiving requests for an unusually high number of distinct subdomains, far above the baseline learned for that domain during the training period.
This pattern is consistent with subdomain enumeration (for example, wordlist-driven DNS or virtual-host brute forcing) carried out as reconnaissance to discover forgotten, unmonitored, or less-secured entry points into the network.

Attacker's Goals

Scan a known external-facing asset to gain knowledge about the organization's attack surface.

Investigative actions

  • Check whether the domain legitimately hosts a large number of subdomains; if it does, a high count of distinct subdomains may be expected activity rather than enumeration.
  • Check whether the source of the scan is a known and authorized external scanner (for example, a scheduled attack-surface or vulnerability scan); if it is not, treat the source as hostile and review what other activity it generated against the organization's assets.

Variations

Subdomain Fuzzing To a Rare Destination

Synopsis

ATT&CK Tactic

Reconnaissance (TA0043)

ATT&CK Technique

Active Scanning: Wordlist Scanning (T1595.003)

Severity

Medium

Description

As in the base alert, a root domain belonging to the organization is receiving requests for an unusually high number of distinct subdomains, far above the baseline learned for that domain during the training period.
In this variation the targeted root domain is a rare destination, as the variation name indicates, and the alert is raised at Medium severity.
This pattern is consistent with subdomain enumeration carried out as reconnaissance to discover forgotten, unmonitored, or less-secured entry points into the network.

Attacker's Goals

Scan a known external-facing asset to gain knowledge about the organization's attack surface.

Investigative actions

  • Check whether the domain legitimately hosts a large number of subdomains; if it does, a high count of distinct subdomains may be expected activity rather than enumeration.
  • Check whether the source of the scan is a known and authorized external scanner; if it is not, treat the source as hostile and review what other activity it generated against the organization's assets.
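The following is an added example that models the detection logic described for both the base "Subdomain Fuzzing" alert and the "To a Rare Destination" variation over constructed log records. It is not Cortex XSIAM code: the record format, the one-hour window, the thresholds, the treatment of a root domain never seen during training as a "rare destination", and the suppression of known scanners are all assumptions made for illustration.

```python
"""Offline model of the Subdomain Fuzzing alert (added example, not XSIAM code)."""
from collections import defaultdict

# Constructed records: (timestamp, source_ip, requested_fqdn). In production the
# equivalent fields would come from Palo Alto Networks platform logs or the XDR agent.
def _rec(hour, src, *fqdns):
    return [(f"2025-01-01T{hour:02d}:00", src, f) for f in fqdns]

# Training period: normal traffic to a handful of real subdomains (constructed).
TRAINING_LOGS = (
    _rec(10, "10.0.0.5", "www.example.com", "mail.example.com", "vpn.example.com")
    + _rec(10, "10.0.0.7", "www.example.com", "api.example.com")
    + _rec(11, "10.0.0.5", "www.example.com", "mail.example.com")
    + _rec(11, "10.0.0.7", "api.example.com")
)

# A small wordlist of the kind used by subdomain brute-forcing tools (constructed).
WORDLIST = ["admin", "dev", "staging", "test", "beta", "portal", "git",
            "jenkins", "vpn2", "intranet", "backup", "old"]

# Test period: one normal host, one fuzzer against a known domain, one fuzzer
# against a domain never seen in training, and one authorized scanner.
TEST_LOGS = (
    _rec(12, "10.0.0.5", "www.example.com", "mail.example.com")
    + _rec(12, "203.0.113.9", *[f"{w}.example.com" for w in WORDLIST])
    + _rec(12, "198.51.100.4", *[f"{w}.example.org" for w in WORDLIST])
    + _rec(12, "192.0.2.50", *[f"{w}.example.com" for w in WORDLIST])
)

KNOWN_SCANNERS = {"192.0.2.50"}  # assumption: an allowlisted attack-surface scanner


def root_domain(fqdn):
    """Naive registrable domain = last two labels.
    Assumption: real code would consult the public suffix list (e.g. co.uk)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def subdomain_sets(records):
    """Map (window, source, root_domain) -> set of distinct FQDNs requested under that root."""
    sets = defaultdict(set)
    for ts, src, fqdn in records:
        sets[(ts[:13], src, root_domain(fqdn))].add(fqdn.lower())  # ts[:13] = hour window
    return sets


def build_baseline(training):
    """Per root domain: the most distinct subdomains any single source requested in one window."""
    baseline = defaultdict(int)
    for (_, _, root), fqdns in subdomain_sets(training).items():
        baseline[root] = max(baseline[root], len(fqdns))
    return dict(baseline)


def detect(test, baseline, known_scanners, factor=3, min_distinct=10):
    """Raise an alert when a source requests far more distinct subdomains of a root
    than the baseline allows. Roots absent from the baseline are treated as rare
    destinations and raised at Medium severity (assumption)."""
    alerts = []
    for (window, src, root), fqdns in subdomain_sets(test).items():
        threshold = max(min_distinct, factor * baseline.get(root, 0))
        if len(fqdns) <= threshold or src in known_scanners:
            continue  # within baseline, or an authorized scanner (investigative action)
        rare = root not in baseline
        alerts.append({
            "alert": "Subdomain Fuzzing To a Rare Destination" if rare else "Subdomain Fuzzing",
            "severity": "Medium" if rare else "Low",
            "window": window, "source": src, "root_domain": root,
            "distinct_subdomains": len(fqdns), "threshold": threshold,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(TEST_LOGS, build_baseline(TRAINING_LOGS), KNOWN_SCANNERS):
        print(alert)
```

With the constructed data the baseline for example.com is 3 distinct subdomains per source per window, so the threshold becomes 10; the fuzzer hitting example.com produces a Low alert, the fuzzer hitting the never-seen example.org produces the Medium rare-destination variation, and the allowlisted scanner is suppressed. The floor of ten distinct names keeps a single request to an unseen domain from triggering on its own.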