T1583.001 Domains Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1583.001 - Domain Acquisition Detection
// Pillar 1: DNS queries to suspicious lookalike or homoglyph domains (requires DNS Analytics connector)
let SuspiciousKeywords = dynamic([
  "-login-", "-signin-", "-secure-", "-verify-", "-account-", "-update-", "-portal-",
  "paypa1", "paypai", "micros0ft", "rnicros0ft", "g00gle", "g0ogle", "arnazon",
  "faceb00k", "linkedln", "0utlook", "suppport", "accoount", "verifyy"
]);
let SuspiciousTLDs = dynamic(["xyz", "top", "club", "online", "site", "tech", "live", "ws", "cc", "pw"]);
DnsEvents
| where TimeGenerated > ago(24h)
| where ResultCode == 0
| where Name has_any (SuspiciousKeywords)
    or Name matches regex @"[\u0400-\u04FF]"  // Cyrillic homoglyphs
    or Name matches regex @"[\u0370-\u03FF]"  // Greek homoglyphs
    or Name matches regex @"[\u4E00-\u9FFF]"  // CJK characters in domain
    or extract(@"\.([a-z]{2,8})$", 1, Name) in (SuspiciousTLDs)
| extend DomainAge = "unknown"  // enrich via TI feed if available
| extend MatchedKeyword = tostring(set_intersect(dynamic([]), SuspiciousKeywords))
| project TimeGenerated, Computer, ClientIP, QueryName=Name, ResolvedIPs=IPAddresses, QueryType
| sort by TimeGenerated desc
| union (
    // Pillar 2: Cloud domain registration - detect Route53 / Azure DNS zone creation (potential compromised cloud account)
    AzureActivity
    | where TimeGenerated > ago(24h)
    | where OperationNameValue in~ (
        "MICROSOFT.NETWORK/DNSZONES/WRITE",
        "MICROSOFT.NETWORK/DNSZONES/A/WRITE",
        "MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE"
      )
      or (OperationNameValue contains "DNS" and ActivityStatusValue =~ "Succeeded")
    | extend CallerIdentity = Caller
    | extend ResourceName = tostring(split(ResourceId, "/")[-1])
    | project TimeGenerated, CallerIdentity, OperationNameValue, ResourceName, ActivityStatusValue, ResourceGroup, SubscriptionId
    | extend Computer="AzureActivity", ClientIP=CallerIdentity, QueryName=ResourceName, ResolvedIPs="", QueryType=OperationNameValue
)
| sort by TimeGenerated desc

medium severity medium confidence

Data Sources

Network Traffic: DNS Resolution Cloud Service: Cloud Service Modification Azure Activity Logs DNS Analytics connector

Required Tables

DnsEvents AzureActivity

False Positives

Legitimate third-party SaaS products that use hyphenated domain naming conventions (e.g., acme-login.vendor.com patterns)
Security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness) that register lookalike domains for training campaigns
Development and QA environments that create DNS zones in Azure for staging domains that mirror production naming
CDN and cloud provider subdomains that contain keywords like 'secure' or 'login' as part of legitimate infrastructure (e.g., secure.cdn-provider.com)
VPN and zero-trust vendors (Zscaler, Netskope, Cloudflare) whose traffic may resolve through domains containing security-related keywords

Splunk

spl

| union
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval QueryName=lower(QueryName)
  | eval IsSuspiciousKeyword=if(
      match(QueryName, "(-login-|-signin-|-secure-|-verify-|-account-|-update-|-portal-|paypa[1i]|micros[o0]ft|g[o0]{2}gle|arnazon|faceb[o0]{2}k|linkedln|[o0]utlook|suppport|accoount)"),
      1, 0)
  | eval IsHomoglyph=if(match(QueryName, "[\\x{0400}-\\x{04FF}\\x{0370}-\\x{03FF}]"), 1, 0)
  | eval IsSuspiciousTLD=if(match(QueryName, "\\.(xyz|top|club|online|site|tech|live|ws|cc|pw|tk|ml|ga|cf)$"), 1, 0)
  | eval SuspicionScore=IsSuspiciousKeyword + IsHomoglyph + IsSuspiciousTLD
  | where SuspicionScore > 0
  | eval EventSource="DNS_Query"
  | table _time, host, User, QueryName, QueryResults, IsSuspiciousKeyword, IsHomoglyph, IsSuspiciousTLD, SuspicionScore, EventSource
]
[
  search index=aws sourcetype="aws:cloudtrail"
    (eventName="CreateHostedZone" OR eventName="RegisterDomain" OR eventName="CreateDomain"
     OR eventName="ChangeResourceRecordSets" OR eventName="AssociateVPCWithHostedZone")
  | eval QueryName=coalesce(json_extract(requestParameters, "$.name"), json_extract(requestParameters, "$.domainName"), "unknown")
  | eval CallerIdentity=coalesce(userIdentity.arn, userIdentity.userName, "unknown")
  | eval IsSuspiciousKeyword=if(match(lower(QueryName), "(-login-|-signin-|-secure-|-verify-)"), 1, 0)
  | eval SuspicionScore=IsSuspiciousKeyword
  | eval EventSource="AWS_Route53"
  | table _time, src_ip, CallerIdentity, eventName, QueryName, awsRegion, IsSuspiciousKeyword, SuspicionScore, EventSource
]
| sort - _time
| rename _time as EventTime

medium severity medium confidence

Data Sources

Network Traffic: DNS Resolution Cloud Service: Cloud Service Modification Sysmon Event ID 22 AWS CloudTrail

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational aws:cloudtrail

False Positives

Legitimate SaaS vendor domains using hyphenated patterns that match keyword filters (e.g., vendor-login.service.com, secure-payments.partner.com)
Security phishing simulation platforms registering test lookalike domains for awareness training exercises
Cloud infrastructure teams creating legitimately named DNS zones in AWS Route53 for staging/DR environments
Internationalized domain names used by employees visiting legitimate non-English websites with Cyrillic or Greek characters
DevOps automation using CloudFormation or Terraform to provision Route53 zones that triggers the API call pattern

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (80, 443, 8080, 8443)
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")
  and process.name : ("nslookup.exe", "powershell.exe", "cmd.exe", "python.exe", "python3")

medium severity medium confidence

Data Sources

Elastic Endpoint Security Network events DNS events

Required Tables

logs-endpoint.events.network.* logs-dns.*

False Positives

Legitimate domain registrations for new company products or marketing campaigns
Security researchers registering typosquat domains defensively
IT teams setting up test or staging environments with new domains
Automated certificate renewal processes triggering DNS changes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "CommandLine", "Image" AS Process,
  "DestinationHostname" AS RemoteHost,
  CASE
    WHEN COUNT(*) OVER (PARTITION BY sourceip, destinationip) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Sysmon Event ID 3 DNS logs

Required Tables

events

False Positives

Legitimate registrar activity for new company domains
Defensive domain registration programs by security teams
Automated certificate provisioning triggering DNS changes
IT teams setting up staging environments with new subdomains

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*dns*
| json auto
| where EventCode = 3 or _sourceCategory matches "*dns*"
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|outlook|teams")
| eval IsDNSRecon = if(matches(ProcessName, "nslookup|dig|host|dnsrecon"), "true", "false")
| eval RiskScore = if(IsDNSRecon = "true", 70,
    if(DestinationPort in ("443","8443","4443"), 60, 40))
| where RiskScore >= 60
| stats count AS ConnCount, values(DestinationIp) AS DestIPs, values(ProcessName) AS Processes by _sourceHost, User, DestinationPort
| sort by ConnCount desc

medium severity medium confidence

Data Sources

Sysmon DNS logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

New domain registrations for legitimate marketing or product campaigns
Defensive domain registration by security teams to prevent squatting
IT teams registering subdomains for staging or development environments
Certificate automation causing DNS record changes

Google Chronicle / SecOps

yaral

rule T1583_001_c2_infrastructure {
  meta:
    author = "Detection Engineering"
    description = "Detects potential C2 infrastructure activity and reconnaissance"
    severity = "medium"
    confidence = "medium"
    mitre_attack = "T1583.001"
    reference = "https://attack.mitre.org/techniques/T1583/001/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 53)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    re.regex($e.principal.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|nslookup|dig)`)

  condition:
    $e
}

medium severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

NETWORK_CONNECTION DNS

False Positives

Security teams registering typosquat domains defensively to protect brand
Marketing teams registering new domains for campaigns or product launches
IT teams creating subdomains for new projects or staging environments
Certificate lifecycle automation triggering DNS record modifications

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
    ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
    ConnCount >= 5 => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)

medium severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events DNS events

Required Tables

NetworkConnectIP4

False Positives

Security teams registering defensive domains to protect brand from typosquatting
Marketing and product teams registering new campaign or product domains
IT operations creating subdomains for new environments or applications
Certificate management automation making DNS changes for domain validation

Domains

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections