Detect Domains in Splunk
Adversaries may acquire domains to use during targeting. Domain names are acquired to support phishing campaigns, drive-by compromise delivery, and command and control infrastructure. Adversaries frequently register domains that visually resemble legitimate organizations using typosquatting, homoglyphs, internationalized domain names (IDNs), or different top-level domains. They may also acquire expired domains with pre-existing trust reputation. In cloud environments, adversaries with compromised credentials may use services like AWS Route53 to register domains and create hosted zones pointing to attacker-controlled infrastructure. Detection focuses on three pillars: (1) identifying queries to lookalike domains in DNS telemetry, (2) detecting cloud API calls that register or modify domain infrastructure in compromised environments, and (3) hunting for newly registered domains with structural similarity to organizational assets in network traffic.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.001 Domains
- Canonical reference: https://attack.mitre.org/techniques/T1583/001/
SPL Detection Query
| union
  [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
    | eval QueryName=lower(QueryName)
    | eval IsSuspiciousKeyword=if(match(QueryName, "(-login-|-signin-|-secure-|-verify-|-account-|-update-|-portal-|paypa[1i]|micros[o0]ft|g[o0]{2}gle|arnazon|faceb[o0]{2}k|linkedln|[o0]utlook|suppport|accoount)"), 1, 0)
    | eval IsHomoglyph=if(match(QueryName, "[\\x{0400}-\\x{04FF}\\x{0370}-\\x{03FF}]") OR match(QueryName, "(^|\\.)xn--"), 1, 0)
    | eval IsSuspiciousTLD=if(match(QueryName, "\\.(xyz|top|club|online|site|tech|live|ws|cc|pw|tk|ml|ga|cf)$"), 1, 0)
    | eval SuspicionScore=IsSuspiciousKeyword + IsHomoglyph + IsSuspiciousTLD
    | where SuspicionScore > 0
    | eval EventSource="DNS_Query"
    | table _time, host, User, QueryName, QueryResults, IsSuspiciousKeyword, IsHomoglyph, IsSuspiciousTLD, SuspicionScore, EventSource ]
  [ search index=aws sourcetype="aws:cloudtrail"
      (eventName="CreateHostedZone" OR eventName="RegisterDomain" OR eventName="CreateDomain" OR eventName="ChangeResourceRecordSets" OR eventName="AssociateVPCWithHostedZone")
    | eval QueryName=lower(coalesce('requestParameters.name', 'requestParameters.domainName', "unknown"))
    | eval CallerIdentity=coalesce('userIdentity.arn', 'userIdentity.userName', "unknown")
    | eval src_ip=coalesce(src_ip, sourceIPAddress)
    | eval IsSuspiciousKeyword=if(match(QueryName, "(-login-|-signin-|-secure-|-verify-)"), 1, 0)
    | eval SuspicionScore=IsSuspiciousKeyword
    | eval EventSource="AWS_Route53"
    | table _time, src_ip, CallerIdentity, eventName, QueryName, awsRegion, IsSuspiciousKeyword, SuspicionScore, EventSource ]
| sort - _time
| rename _time as EventTime

This is a two-source detection for domain acquisition activity. It searches Sysmon Event ID 22 (DNS query) events for endpoint resolution requests that match typosquatting keyword patterns, homoglyph characters (Cyrillic or Greek code points, or punycode xn-- labels, which is how an internationalized name is carried in a DNS query), or suspicious TLDs, and assigns a cumulative suspicion score. It also searches AWS CloudTrail for Route53 domain registration and hosted zone API calls (RegisterDomain, CreateHostedZone, ChangeResourceRecordSets) that may indicate adversary infrastructure setup in a compromised AWS account. CloudTrail fields with dots in their names (userIdentity.arn, requestParameters.name) are referenced in single quotes, as Splunk eval requires. Requires Sysmon deployed with DNS query logging (Event ID 22) enabled and AWS CloudTrail ingested into Splunk.
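To exercise the scoring logic offline before tuning the SPL, the following is an added Python reimplementation of the three indicators and the union; it is not part of the original detection package. It goes slightly beyond the SPL in two ways: it decodes punycode (xn--) labels before the homoglyph test, and it applies all three flags to the Route53 branch as well. The sample records are constructed, not real telemetry.

```python
import re

# Patterns mirror the SPL eval statements above (added example, constructed here).
KEYWORD_RE = re.compile(
    r"(-login-|-signin-|-secure-|-verify-|-account-|-update-|-portal-|paypa[1i]|"
    r"micros[o0]ft|g[o0]{2}gle|arnazon|faceb[o0]{2}k|linkedln|[o0]utlook|suppport|accoount)")
HOMOGLYPH_RE = re.compile(r"[\u0400-\u04FF\u0370-\u03FF]")  # Cyrillic and Greek blocks
TLD_RE = re.compile(r"\.(xyz|top|club|online|site|tech|live|ws|cc|pw|tk|ml|ga|cf)$")

def to_unicode(name):
    """Decode punycode (xn--) labels so the homoglyph test sees the real characters."""
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name  # already Unicode, or not valid punycode: test it as-is

def score_domain(query_name):
    """Return the three indicator flags and their cumulative SuspicionScore."""
    name = query_name.lower()
    flags = {
        "IsSuspiciousKeyword": int(bool(KEYWORD_RE.search(name))),
        "IsHomoglyph": int(bool(HOMOGLYPH_RE.search(to_unicode(name)))),
        "IsSuspiciousTLD": int(bool(TLD_RE.search(name))),
    }
    flags["SuspicionScore"] = sum(flags.values())
    return flags

def domain_from_event(event):
    """Pull the domain out of a Sysmon EID 22 record or a CloudTrail Route53 record."""
    if "QueryName" in event:                     # Sysmon DNS query event
        return event["QueryName"], "DNS_Query"
    params = event.get("requestParameters", {})  # CloudTrail Route53 API call
    return params.get("name") or params.get("domainName") or "unknown", "AWS_Route53"

def suspicious_events(events):
    """Equivalent of the union plus 'where SuspicionScore > 0', highest score first."""
    rows = []
    for event in events:
        name, source = domain_from_event(event)
        row = {"QueryName": name.lower(), "EventSource": source, **score_domain(name)}
        if row["SuspicionScore"] > 0:
            rows.append(row)
    return sorted(rows, key=lambda r: r["SuspicionScore"], reverse=True)

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"QueryName": "paypa1-secure-login.com"},
    {"QueryName": "p\u0430ypal.com".encode("idna").decode("ascii")},  # punycode of p<Cyrillic a>ypal.com
    {"QueryName": "www.example.com"},
    {"eventName": "CreateHostedZone", "requestParameters": {"name": "secure-login-verify.xyz"}},
]
```

Running `suspicious_events(SAMPLE_EVENTS)` returns three rows with the hosted-zone name scoring 2 and the benign query dropped, which is the same shape of result the SPL produces.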
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 22, DNS query logging enabled)
- aws:cloudtrail (Route53 API activity; CloudTrail ingested into Splunk)
False Positives & Tuning
- Legitimate SaaS vendor domains using hyphenated patterns that match keyword filters (e.g., vendor-login.service.com, secure-payments.partner.com)
- Security phishing simulation platforms registering test lookalike domains for awareness training exercises
- Cloud infrastructure teams creating legitimately named DNS zones in AWS Route53 for staging/DR environments
- Internationalized domain names used by employees visiting legitimate non-English websites with Cyrillic or Greek characters
- DevOps automation (CloudFormation or Terraform) that provisions Route53 zones and so triggers the same API call pattern
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: DNS Query to Typosquatted Domain (Sysmon Event ID 22 Validation)
Expected signal: Sysmon Event ID 22: DNS Query event with QueryName='paypa1-secure-login.com', Image='C:\Windows\System32\nslookup.exe'. DNS client log Event ID 3008 (Microsoft-Windows-DNS-Client/Operational) may also fire. The query will likely NXDOMAIN but the DNS attempt is logged regardless.
- Test 2: AWS Route53 Hosted Zone Creation (Simulated Adversary Infrastructure Setup)
Expected signal: AWS CloudTrail event: eventName=CreateHostedZone, eventSource=route53.amazonaws.com, requestParameters.name=<zone-name>, userIdentity containing the IAM ARN of the caller, sourceIPAddress of the machine running the AWS CLI command. CloudTrail ingestion to Splunk (aws:cloudtrail) or Sentinel will surface within 5-15 minutes.
- Test 3: PowerShell DNS Resolution of Homoglyph-Pattern Domain (Sysmon Validation)
Expected signal: Sysmon Event ID 22: QueryName='secure-login-verify.xyz', Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe', ProcessId and User populated. Sysmon Event ID 1 for the PowerShell process launch. DNS Client Event Log may also record the failed resolution.
- Test 4: Azure DNS Zone Creation (Simulated Infrastructure Setup in Compromised Azure Account)
Expected signal: Azure Activity Log: OperationName=Microsoft.Network/dnsZones/write, Status=Succeeded, Caller=<UPN or service principal>, ResourceId containing the zone name, with clientIpAddress populated. Appears in Azure Monitor Activity Log within 2-5 minutes and propagates to Log Analytics (AzureActivity table) within 5-10 minutes.