Detect Domains in Microsoft Sentinel
Adversaries may acquire domains to use during targeting. Domain names are acquired to support phishing campaigns, drive-by compromise delivery, and command and control infrastructure. Adversaries frequently register domains that visually resemble legitimate organizations using typosquatting, homoglyphs, internationalized domain names (IDNs), or different top-level domains. They may also acquire expired domains with pre-existing trust reputation. In cloud environments, adversaries with compromised credentials may use services like AWS Route53 to register domains and create hosted zones pointing to attacker-controlled infrastructure. Detection focuses on three pillars: (1) identifying queries to lookalike domains in DNS telemetry, (2) detecting cloud API calls that register or modify domain infrastructure in compromised environments, and (3) hunting for newly registered domains with structural similarity to organizational assets in network traffic.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1583 Acquire Infrastructure
- Sub-technique
- T1583.001 Domains
- Canonical reference
- https://attack.mitre.org/techniques/T1583/001/
KQL Detection Query
// T1583.001 - Domain Acquisition Detection
// Pillar 1: DNS queries to suspicious lookalike or homoglyph domains (requires DNS Analytics connector)
let SuspiciousKeywords = dynamic([
"-login-", "-signin-", "-secure-", "-verify-", "-account-", "-update-", "-portal-",
"paypa1", "paypai", "micros0ft", "rnicros0ft", "g00gle", "g0ogle", "arnazon",
"faceb00k", "linkedln", "0utlook", "suppport", "accoount", "verifyy"
]);
let SuspiciousTLDs = dynamic(["xyz", "top", "club", "online", "site", "tech", "live", "ws", "cc", "pw"]);
DnsEvents
| where TimeGenerated > ago(24h)
| where ResultCode == 0
| where Name has_any (SuspiciousKeywords)
or Name matches regex @"[\u0400-\u04FF]" // Cyrillic homoglyphs
or Name matches regex @"[\u0370-\u03FF]" // Greek homoglyphs
or Name matches regex @"[\u4E00-\u9FFF]" // CJK characters in domain
or extract(@"\.([a-z]{2,8})$", 1, Name) in (SuspiciousTLDs)
| extend DomainAge = "unknown" // enrich via TI feed if available
| extend MatchedKeyword = tostring(set_intersect(dynamic([]), SuspiciousKeywords))
| project TimeGenerated, Computer, ClientIP, QueryName=Name, ResolvedIPs=IPAddresses, QueryType
| sort by TimeGenerated desc
| union (
// Pillar 2: Cloud domain registration - detect Route53 / Azure DNS zone creation (potential compromised cloud account)
AzureActivity
| where TimeGenerated > ago(24h)
| where OperationNameValue in~ (
"MICROSOFT.NETWORK/DNSZONES/WRITE",
"MICROSOFT.NETWORK/DNSZONES/A/WRITE",
"MICROSOFT.NETWORK/DNSZONES/CNAME/WRITE"
)
or (OperationNameValue contains "DNS" and ActivityStatusValue =~ "Succeeded")
| extend CallerIdentity = Caller
| extend ResourceName = tostring(split(ResourceId, "/")[-1])
| project TimeGenerated, CallerIdentity, OperationNameValue, ResourceName, ActivityStatusValue, ResourceGroup, SubscriptionId
| extend Computer="AzureActivity", ClientIP=CallerIdentity, QueryName=ResourceName, ResolvedIPs="", QueryType=OperationNameValue
)
| sort by TimeGenerated descTwo-pillar detection for domain acquisition activity. Pillar 1 uses the Azure Sentinel DNS Analytics connector (DnsEvents table) to detect endpoint DNS queries to lookalike, typosquatted, or homoglyph domains using pattern matching and Unicode character class detection for Cyrillic/Greek/CJK homoglyphs. Pillar 2 uses AzureActivity to detect DNS zone creation or modification in Azure — a key indicator of adversary infrastructure setup in a compromised cloud environment. Requires DNS Analytics connector for full Pillar 1 coverage; Pillar 2 operates on Azure platform logs without additional connectors.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate third-party SaaS products that use hyphenated domain naming conventions (e.g., acme-login.vendor.com patterns)
- Security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness) that register lookalike domains for training campaigns
- Development and QA environments that create DNS zones in Azure for staging domains that mirror production naming
- CDN and cloud provider subdomains that contain keywords like 'secure' or 'login' as part of legitimate infrastructure (e.g., secure.cdn-provider.com)
- VPN and zero-trust vendors (Zscaler, Netskope, Cloudflare) whose traffic may resolve through domains containing security-related keywords
Other platforms for T1583.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1DNS Query to Typosquatted Domain (Sysmon Event ID 22 Validation)
Expected signal: Sysmon Event ID 22: DNS Query event with QueryName='paypa1-secure-login.com', Image='C:\Windows\System32\nslookup.exe'. DNS client log Event ID 3008 (Microsoft-Windows-DNS-Client/Operational) may also fire. The query will likely NXDOMAIN but the DNS attempt is logged regardless.
- Test 2AWS Route53 Hosted Zone Creation (Simulated Adversary Infrastructure Setup)
Expected signal: AWS CloudTrail event: eventName=CreateHostedZone, eventSource=route53.amazonaws.com, requestParameters.name=<zone-name>, userIdentity containing the IAM ARN of the caller, sourceIPAddress of the machine running the AWS CLI command. CloudTrail ingestion to Splunk (aws:cloudtrail) or Sentinel will surface within 5-15 minutes.
- Test 3PowerShell DNS Resolution of Homoglyph-Pattern Domain (Sysmon Validation)
Expected signal: Sysmon Event ID 22: QueryName='secure-login-verify.xyz', Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId and User populated. Sysmon Event ID 1 for the PowerShell process launch. DNS Client Event Log may also record the failed resolution.
- Test 4Azure DNS Zone Creation (Simulated Infrastructure Setup in Compromised Azure Account)
Expected signal: Azure Activity Log: OperationName=Microsoft.Network/dnsZones/write, Status=Succeeded, Caller=<UPN or service principal>, ResourceId containing the zone name, with clientIpAddress populated. Appears in Azure Monitor Activity Log within 2-5 minutes and propagates to Log Analytics (AzureActivity table) within 5-10 minutes.
References (15)
- https://attack.mitre.org/techniques/T1583/001/
- https://attack.mitre.org/tactics/TA0042/
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
- https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
- https://us-cert.cisa.gov/ncas/tips/ST05-016
- https://www.invictus-ir.com/news/the-curious-case-of-dangerdev-protonmail-me
- https://krebsonsecurity.com/2018/11/that-domain-you-forgot-to-renew-yeah-its-now-stealing-credit-cards/
- https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/
- https://us-cert.cisa.gov/ncas/alerts/aa20-258a
- https://docs.microsoft.com/en-us/azure/sentinel/connect-dns
- https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://github.com/elceef/dnstwist
- https://www.apwg.org/resources/apwg-reports/
- https://www.mandiant.com/resources/blog/highly-evasive-attacker-leverages-solarwinds-supply-chain
Unlock Pro Content
Get the full detection package for T1583.001 including response playbook, investigation guide, and atomic red team tests.