T1583.002 DNS Server Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Multi-signal detection for adversary-controlled DNS server usage
// CUSTOMIZE: Replace with your organization's authoritative internal DNS server IPs
let AuthorizedDNSServers = dynamic(["10.0.0.1", "10.0.0.2"]);
// Known legitimate public DNS resolvers — extend as needed for your environment
let KnownPublicDNS = dynamic(["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9", "149.112.112.112", "208.67.222.222", "208.67.220.220", "64.6.64.6", "64.6.65.6", "185.228.168.9", "185.228.169.9"]);
// Signal 1: Endpoints making DNS queries to non-authorized external resolvers
// This indicates malware hardcoded to use adversary-controlled DNS infrastructure
let UnauthorizedResolvers =
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 53
| where not(RemoteIP has_any (AuthorizedDNSServers))
| where not(RemoteIP has_any (KnownPublicDNS))
| where not(
    RemoteIP startswith "10."
    or RemoteIP startswith "192.168."
    or RemoteIP startswith "127."
    or (RemoteIP startswith "172." and toint(split(RemoteIP, ".")[1]) between (16..31))
)
| extend DetectionType = "Unauthorized_External_DNS_Resolver"
| project Timestamp, DeviceName, AccountName, LocalIP, RemoteIP, RemotePort,
         InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Signal 2: High-volume DNS query rate from a single process — DNS tunneling indicator
let HighVolumeDNS =
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 53
| summarize QueryCount = count(), UniqueServers = dcount(RemoteIP)
    by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m)
| where QueryCount > 200
| extend DetectionType = "High_Volume_DNS_Tunneling_Indicator"
| project Timestamp, DeviceName, InitiatingProcessFileName, QueryCount, UniqueServers, DetectionType;
// Signal 3: Registry changes pointing DNS resolver at unauthorized external server
let DNSConfigChange =
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has "Tcpip\\Parameters"
| where RegistryValueName in ("NameServer", "DhcpNameServer", "StaticDnsAddress")
| where not(RegistryValueData has_any (AuthorizedDNSServers))
| where not(
    RegistryValueData startswith "10."
    or RegistryValueData startswith "192.168."
    or RegistryValueData == ""
    or RegistryValueData has_any (KnownPublicDNS)
)
| extend DetectionType = "DNS_Server_Configuration_Modified"
| project Timestamp, DeviceName, AccountName, RegistryKey, RegistryValueName,
         RegistryValueData, InitiatingProcessFileName, DetectionType;
union UnauthorizedResolvers, HighVolumeDNS, DNSConfigChange
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceRegistryEvents

False Positives

VPN split-tunneling configurations where DNS queries are sent to remote-office DNS servers not yet in the authorized list — validate by correlating with VPN connection events
Developer workstations running local DNS resolvers (dnsmasq, CoreDNS) for container or Kubernetes development — exclude by adding 127.0.0.53 and common container bridge IPs
Endpoints connecting to guest Wi-Fi or non-corporate hotspots where DHCP assigns a third-party DNS server — correlate with network adapter SSID or location data
Security tools and vulnerability scanners performing DNS resolution against external resolvers for testing or enumeration purposes — allowlist by initiating process name and account
Cloud-managed endpoints (MDM, Intune) that may temporarily receive DNS from cloud provider DHCP — add cloud provider DNS IPs (168.63.129.16 for Azure) to the authorized list

Splunk

spl

// Detect DNS tunneling and adversary-controlled DNS server usage via Sysmon DNS query logs
// Requires Sysmon with DNS query logging enabled (Event ID 22)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval QueryName=lower(QueryName)
| eval QueryLen=len(QueryName)
| eval DotCount=len(QueryName) - len(replace(QueryName, "\.", ""))
| eval SegmentCount=DotCount + 1
// Extract the leftmost subdomain label — longest labels indicate encoded data
| rex field=QueryName "^(?P<FirstLabel>[^\.]+)"
| eval FirstLabelLen=len(FirstLabel)
// Scoring: multiple indicators improve signal quality
| eval LongTotalQuery=if(QueryLen > 60, 1, 0)
| eval LongSubdomainLabel=if(FirstLabelLen > 30, 1, 0)
| eval DeepSubdomain=if(SegmentCount > 7, 1, 0)
// Flag queries from processes that should not be making direct DNS calls
| eval SuspiciousProcess=if(
    match(Image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe)"),
    1, 0)
| eval SuspicionScore=LongTotalQuery + LongSubdomainLabel + DeepSubdomain + SuspiciousProcess
| where SuspicionScore >= 2
| table _time, host, User, Image, QueryName, QueryLen, FirstLabel, FirstLabelLen, SegmentCount, LongTotalQuery, LongSubdomainLabel, DeepSubdomain, SuspiciousProcess, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: OS API Execution Sysmon Event ID 22 (DNS Query)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

CDN providers and cloud services with long auto-generated subdomain names (AWS S3 bucket endpoint URLs, Azure blob storage hostnames, Akamai edge node identifiers) — add domain suffixes to an exclusion list
Internal PKI and certificate revocation Distribution Points (CDP) that contain long encoded SHA-1 hashes in OCSP responder subdomains
Legitimate SaaS platforms with deep multi-tenant subdomain hierarchies (e.g., tenant.region.service.provider.com) — baseline expected depth for your SaaS stack
Certificate transparency log scraping and DKIM/DMARC verification tools that generate TXT queries with long lookup subdomains

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (80, 443, 8080, 8443)
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")
  and process.name : ("nslookup.exe", "powershell.exe", "cmd.exe", "python.exe", "python3")

high severity medium confidence

Data Sources

Elastic Endpoint Security Network events DNS events

Required Tables

logs-endpoint.events.network.* logs-dns.*

False Positives

Legitimate domain registrations for new company products or marketing campaigns
Security researchers registering typosquat domains defensively
IT teams setting up test or staging environments with new domains
Automated certificate renewal processes triggering DNS changes

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "CommandLine", "Image" AS Process,
  "DestinationHostname" AS RemoteHost,
  CASE
    WHEN COUNT(*) OVER (PARTITION BY sourceip, destinationip) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 3 DNS logs

Required Tables

events

False Positives

Legitimate registrar activity for new company domains
Defensive domain registration programs by security teams
Automated certificate provisioning triggering DNS changes
IT teams setting up staging environments with new subdomains

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*dns*
| json auto
| where EventCode = 3 or _sourceCategory matches "*dns*"
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|outlook|teams")
| eval IsDNSRecon = if(matches(ProcessName, "nslookup|dig|host|dnsrecon"), "true", "false")
| eval RiskScore = if(IsDNSRecon = "true", 70,
    if(DestinationPort in ("443","8443","4443"), 60, 40))
| where RiskScore >= 60
| stats count AS ConnCount, values(DestinationIp) AS DestIPs, values(ProcessName) AS Processes by _sourceHost, User, DestinationPort
| sort by ConnCount desc

high severity medium confidence

Data Sources

Sysmon DNS logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

New domain registrations for legitimate marketing or product campaigns
Defensive domain registration by security teams to prevent squatting
IT teams registering subdomains for staging or development environments
Certificate automation causing DNS record changes

Google Chronicle / SecOps

yaral

rule T1583_002_c2_infrastructure {
  meta:
    author = "Detection Engineering"
    description = "Detects potential C2 infrastructure activity and reconnaissance"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1583.002"
    reference = "https://attack.mitre.org/techniques/T1583/002/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 53)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    re.regex($e.principal.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|nslookup|dig)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

NETWORK_CONNECTION DNS

False Positives

Security teams registering typosquat domains defensively to protect brand
Marketing teams registering new domains for campaigns or product launches
IT teams creating subdomains for new projects or staging environments
Certificate lifecycle automation triggering DNS record modifications

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
    ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
    ConnCount >= 5 => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events DNS events

Required Tables

NetworkConnectIP4

False Positives

Security teams registering defensive domains to protect brand from typosquatting
Marketing and product teams registering new campaign or product domains
IT operations creating subdomains for new environments or applications
Certificate management automation making DNS changes for domain validation

DNS Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections