Detect Domains in CrowdStrike LogScale
Adversaries may acquire domains to use during targeting. Domain names are acquired to support phishing campaigns, drive-by compromise delivery, and command and control infrastructure. Adversaries frequently register domains that visually resemble legitimate organizations using typosquatting, homoglyphs, internationalized domain names (IDNs), or different top-level domains. They may also acquire expired domains with pre-existing trust reputation. In cloud environments, adversaries with compromised credentials may use services like AWS Route53 to register domains and create hosted zones pointing to attacker-controlled infrastructure. Detection focuses on three pillars: (1) identifying queries to lookalike domains in DNS telemetry, (2) detecting cloud API calls that register or modify domain infrastructure in compromised environments, and (3) hunting for newly registered domains with structural similarity to organizational assets in network traffic.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1583 Acquire Infrastructure
- Sub-technique
- T1583.001 Domains
- Canonical reference
- https://attack.mitre.org/techniques/T1583/001/
LogScale Detection Query
#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
ConnCount >= 5 => RiskScore := "Medium";
* => RiskScore := "Low";
}
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)CrowdStrike LogScale (Falcon) CQL detection for Domains. Two-pillar detection for domain acquisition activity. Pillar 1 uses the Azure Sentinel DNS Analytics connector (DnsEvents table) to detect endpoint DNS queries to lookalike, typosquatted, or homoglyph
Data Sources
Required Tables
False Positives & Tuning
- Security teams registering defensive domains to protect brand from typosquatting
- Marketing and product teams registering new campaign or product domains
- IT operations creating subdomains for new environments or applications
- Certificate management automation making DNS changes for domain validation
Other platforms for T1583.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS Query to Typosquatted Domain (Sysmon Event ID 22 Validation)
Expected signal: Sysmon Event ID 22: DNS Query event with QueryName='paypa1-secure-login.com', Image='C:\Windows\System32\nslookup.exe'. DNS client log Event ID 3008 (Microsoft-Windows-DNS-Client/Operational) may also fire. The query will likely NXDOMAIN but the DNS attempt is logged regardless.
- Test 2AWS Route53 Hosted Zone Creation (Simulated Adversary Infrastructure Setup)
Expected signal: AWS CloudTrail event: eventName=CreateHostedZone, eventSource=route53.amazonaws.com, requestParameters.name=<zone-name>, userIdentity containing the IAM ARN of the caller, sourceIPAddress of the machine running the AWS CLI command. CloudTrail ingestion to Splunk (aws:cloudtrail) or Sentinel will surface within 5-15 minutes.
- Test 3PowerShell DNS Resolution of Homoglyph-Pattern Domain (Sysmon Validation)
Expected signal: Sysmon Event ID 22: QueryName='secure-login-verify.xyz', Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId and User populated. Sysmon Event ID 1 for the PowerShell process launch. DNS Client Event Log may also record the failed resolution.
- Test 4Azure DNS Zone Creation (Simulated Infrastructure Setup in Compromised Azure Account)
Expected signal: Azure Activity Log: OperationName=Microsoft.Network/dnsZones/write, Status=Succeeded, Caller=<UPN or service principal>, ResourceId containing the zone name, with clientIpAddress populated. Appears in Azure Monitor Activity Log within 2-5 minutes and propagates to Log Analytics (AzureActivity table) within 5-10 minutes.
References (15)
- https://attack.mitre.org/techniques/T1583/001/
- https://attack.mitre.org/tactics/TA0042/
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://us-cert.cisa.gov/ncas/tips/ST05-016
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/
- https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/
- https://us-cert.cisa.gov/ncas/alerts/aa20-258a
- https://docs.microsoft.com/en-us/azure/sentinel/connect-dns
- https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://github.com/elceef/dnstwist
- https://www.apwg.org/resources/apwg-reports/
- https://www.mandiant.com/resources/blog/highly-evasive-attacker-leverages-solarwinds-supply-chain
Unlock Pro Content
Get the full detection package for T1583.001 including response playbook, investigation guide, and atomic red team tests.