T1584.001 Compromise Infrastructure: Domains Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection 1: Azure DNS Zone Record Modifications (potential domain shadowing or hijack setup)
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("MICROSOFT.NETWORK/DNSZONES/", "Write DNS", "Delete DNS")
| where Result == "success"
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend ClientIP = tostring(InitiatedBy.user.ipAddress)
| extend RecordType = tostring(TargetResources[0].type)
| project TimeGenerated, OperationName, TargetResource, ModifiedBy, ClientIP, RecordType, Result, CorrelationId
| sort by TimeGenerated desc

// Detection 2: Suspicious DNS resolution patterns suggesting domain shadowing (new subdomains resolving)
// Run separately against DNS event tables
union isfuzzy=true DnsEvents, ASimDnsActivityLogs
| where TimeGenerated > ago(24h)
| where SubType =~ "LookupQuery" or EventType =~ "Query"
| where Name has_any (".") and strlen(Name) > 20
// Flag queries to subdomains not seen in the prior 30 days
| join kind=leftanti (
    union isfuzzy=true DnsEvents, ASimDnsActivityLogs
    | where TimeGenerated between (ago(31d) .. ago(24h))
    | summarize by Name
) on Name
| summarize QueryCount=count(), Clients=make_set(ClientIP, 20), FirstSeen=min(TimeGenerated) by Name, IPAddresses
| where QueryCount >= 3
| extend SubdomainDepth = array_length(split(Name, "."))
| where SubdomainDepth >= 4
| sort by QueryCount desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Modification Domain Name: Active DNS Domain Name: Domain Registration Azure Audit Logs DNS Events

Required Tables

AuditLogs DnsEvents

False Positives

Legitimate infrastructure changes by DNS administrators adding new subdomains for new services or deployments
CDN or cloud service onboarding that creates new CNAME records pointing to provider infrastructure
Automated certificate validation records (ACME _acme-challenge TXT records) created by Let's Encrypt or similar CAs
Marketing or business development activities registering new subdomains for campaigns, microsites, or partner portals
Cloud migration projects that temporarily create new DNS records pointing to new infrastructure while decommissioning old ones

Splunk

spl

| tstats count as dns_count, values(DNS.dest) as resolved_ips, dc(DNS.src) as unique_clients
    FROM datamodel=Network_Resolution WHERE DNS.message_type=RESPONSE
    BY DNS.query, DNS.record_type, _time span=1h
| rename DNS.query as fqdn, DNS.record_type as record_type
| eval subdomain_depth=mvcount(split(fqdn, "."))
| where subdomain_depth >= 4
| eval hour=strftime(_time, "%Y-%m-%d %H")
| join type=left fqdn [
    | tstats count FROM datamodel=Network_Resolution
        WHERE earliest=-31d latest=-24h DNS.message_type=RESPONSE
        BY DNS.query
    | rename DNS.query as fqdn
    | eval historical=1
]
| where isnull(historical)
| eval domain_parts=split(fqdn, ".")
| eval apex_domain=mvindex(domain_parts, -2)+"."+mvindex(domain_parts, -1)
| eval subdomain_prefix=replace(fqdn, "."+apex_domain, "")
| where dns_count >= 3
| table _time, fqdn, apex_domain, subdomain_prefix, subdomain_depth, record_type, resolved_ips, dns_count, unique_clients
| sort - dns_count

```
Alternate query for Sysmon DNS events (Event ID 22) - run if Network_Resolution datamodel unavailable:
```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval fqdn=lower(QueryName)
| eval subdomain_depth=mvcount(split(fqdn, "."))
| where subdomain_depth >= 4
| eval domain_parts=split(fqdn, ".")
| eval apex_domain=mvindex(domain_parts, -2)+"."+mvindex(domain_parts, -1)
| eval subdomain_prefix=replace(fqdn, "."+apex_domain, "")
| stats count as query_count, dc(host) as unique_hosts, values(QueryResults) as resolved_ips, earliest(_time) as first_seen
    BY fqdn, apex_domain, subdomain_prefix
| join type=left fqdn [
    index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
        earliest=-31d latest=-24h
    | eval fqdn=lower(QueryName)
    | stats count BY fqdn
    | eval historical=1
]
| where isnull(historical)
| where query_count >= 3
| sort - query_count

high severity medium confidence

Data Sources

Network: Network Traffic DNS: DNS Query Sysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

New legitimate subdomains deployed for business purposes (new product launches, regional expansions)
Cloud provider dynamic subdomains for auto-scaled services (AWS ELB, Azure App Services) generating unique hostnames
Third-party SaaS onboarding creating CNAME-validated subdomains on corporate domains
Certificate transparency monitoring queries from internal scanning tools checking for new subdomains
Ad tech and marketing platforms creating unique subdomain tracking pixels or landing pages

Elastic Security (EQL)

eql

// Detection 1: DNS zone/record modification events via cloud audit logs
sequence by host.name with maxspan=1h
  [any where event.dataset == "azure.auditlogs" and
   event.action : ("MICROSOFT.NETWORK/DNSZONES/*", "Write DNS*", "Delete DNS*") and
   event.outcome == "success"]

// Detection 2: New subdomains not seen in prior 30 days (DNS query baseline)
from logs-network.dns-*
| where @timestamp > now() - 24h
| where dns.question.name is not null
| eval subdomain_depth = length(replace(dns.question.name, replace(dns.question.name, ".", ""), ""))
| where subdomain_depth >= 3

// EQL sequence for new subdomain spike from single host
sequence by source.ip with maxspan=10m
  [dns where dns.question.name : "*.*.*.*" and
   not dns.question.name : ("*.microsoft.com", "*.windows.com", "*.azure.com",
     "*.googleapis.com", "*.amazon.com", "*.cloudfront.net")
  ] with runs=3

high severity medium confidence

Data Sources

Elastic Agent with network integration Packetbeat Azure audit logs via Elastic integration DNS gateway logs

Required Tables

logs-network.dns-* logs-azure.auditlogs-* logs-system.security-*

False Positives

CDN providers and SaaS platforms frequently use deeply nested subdomains for edge routing (e.g., customer-tenant.region.cdn.example.com)
Internal DNS infrastructure may generate new deeply-nested subdomains during service deployments or auto-scaling events
Cloud-native applications using service mesh (Istio, Linkerd) generate dynamic subdomains for service discovery

IBM QRadar (AQL)

sql

// Detection 1: DNS zone record changes in cloud audit events
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
  LOGSOURCENAME(logsourceid) as log_source,
  username,
  sourceip,
  QIDNAME(qid) as event_name,
  "EventAction" as action,
  "TargetResource" as dns_resource,
  "ResultType" as result
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (413, 454)
  AND LOWER(QIDNAME(qid)) LIKE '%dns%'
  AND (LOWER("EventAction") LIKE '%write%dns%'
    OR LOWER("EventAction") LIKE '%delete%dns%'
    OR LOWER("EventAction") LIKE '%microsoft.network/dnszones%')
  AND LAST 24 HOURS
ORDER BY starttime DESC

-- Detection 2: New subdomains with high subdomain depth
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
  "Request URL" as fqdn,
  sourceip as client_ip,
  COUNT(*) as query_count,
  LONG(CHARCOUNT("Request URL", '.')) as dot_count
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (15, 352, 101)
  AND CATEGORYNAME(category) LIKE '%DNS%'
  AND LONG(CHARCOUNT("Request URL", '.')) >= 3
  AND "Request URL" NOT IN
    (SELECT DISTINCT "Request URL" FROM events
     WHERE LOGSOURCETYPEID(logsourceid) IN (15, 352, 101)
       AND CATEGORYNAME(category) LIKE '%DNS%'
       AND starttime BETWEEN (NOW() - 2678400000) AND (NOW() - 86400000))
  AND LAST 24 HOURS
GROUP BY "Request URL", sourceip
HAVING COUNT(*) >= 3
ORDER BY query_count DESC

high severity medium confidence

Data Sources

QRadar DNS protocol DSM Microsoft Azure DSM AWS CloudTrail DSM Infoblox DSM BlueCat DNS DSM

Required Tables

events

False Positives

Automated certificate issuance (ACME/Let's Encrypt) creates new DNS TXT/CNAME records that may appear as DNS zone modifications
Multi-tenant SaaS platforms provision new customer subdomains programmatically triggering DNS zone writes
Terraform/Pulumi infrastructure-as-code pipelines make bulk DNS record changes during deployments

Sumo Logic CSE

sql

// Detection 1: Azure DNS zone modifications
_sourceCategory=azure/audit OR _sourceCategory=Azure/AuditLogs
| json field=_raw "operationName" as operation_name nodrop
| json field=_raw "resultType" as result nodrop
| json field=_raw "identity.claims.upn" as modified_by nodrop
| json field=_raw "callerIpAddress" as caller_ip nodrop
| json field=_raw "resourceId" as resource_id nodrop
| where (operation_name matches /(?i)MICROSOFT\.NETWORK\/DNSZONES/ 
   OR operation_name matches /(?i)Write DNS/
   OR operation_name matches /(?i)Delete DNS/)
| where result = "Success"
| count by operation_name, modified_by, caller_ip, resource_id
| sort by _count desc

// Detection 2: New deeply-nested subdomains in DNS logs
(_sourceCategory=dns* OR _sourceCategory=network/dns OR _sourceCategory=infoblox*)
| parse "query: *" as fqdn nodrop
| parse field=_raw "\"qname\":\"*\"" as fqdn nodrop
| where !isNull(fqdn) and fqdn != ""
| eval fqdn = toLowerCase(fqdn)
| eval dot_count = length(fqdn) - length(replaceAll(fqdn, ".", ""))
| where dot_count >= 3
| withtime
// Exclude known-good apex domains
| where !(fqdn matches /.*\.microsoft\.com$/ 
   OR fqdn matches /.*\.windows\.com$/ 
   OR fqdn matches /.*\.googleapis\.com$/
   OR fqdn matches /.*\.amazonaws\.com$/)
| timeslice 1h
| count as query_count, values(src_ip) as clients by fqdn, dot_count, _timeslice
| where query_count >= 3
// Compare to 30-day baseline — use lookup or separate saved search
| sort by query_count desc

high severity medium confidence

Data Sources

Azure Audit Logs via Sumo Logic Azure integration Infoblox DNS logs Sysmon DNS Event ID 22 via Sumo Logic Windows collector Palo Alto DNS Security logs

Required Tables

_sourceCategory=azure/audit _sourceCategory=dns* _sourceCategory=network/dns

False Positives

DevOps teams using Terraform to manage DNS zones will generate frequent zone write events that match the modification pattern
Content delivery networks dynamically create and destroy subdomains for edge caching, generating new FQDN observations continuously
Internal PKI systems may create new DNS entries during certificate lifecycle management

Google Chronicle / SecOps

yaral

rule t1584_001_domain_compromise_dns_shadowing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential domain shadowing and subdomain hijacking via new deeply-nested subdomains and DNS zone record modifications"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    // Event 1: Cloud DNS zone modification
    $cloud_dns.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $cloud_dns.target.resource.type = "DNS_ZONE"
    $cloud_dns.metadata.vendor_name = "Microsoft"
    $cloud_dns.principal.user.email_addresses != ""
    $cloud_dns.principal.ip != ""
    $user_ip = $cloud_dns.principal.ip

    // Event 2: DNS query to deeply nested subdomain correlated with zone change
    $dns_query.metadata.event_type = "NETWORK_DNS"
    $dns_query.network.dns.questions.name != ""
    $dns_query.principal.ip = $user_ip

    // Filter: 4+ label depth (3+ dots) in queried name
    re.capture($dns_query.network.dns.questions.name, "^([^.]+\.){3,}[^.]+\.[^.]+$") != ""

    // Exclude common CDN/cloud apex domains
    not re.match($dns_query.network.dns.questions.name,
      `.*\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net|akamaiedge\.net)$`)

  match:
    $user_ip over 1h

  condition:
    $cloud_dns and $dns_query
}

rule t1584_001_new_subdomain_no_history {
  meta:
    author = "Argus Detection Engineering"
    description = "Identifies DNS queries to subdomains with no prior resolution history — key indicator of domain shadowing infrastructure setup"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.001"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.name != ""
    $e.network.dns.response_code = "NOERROR"
    $fqdn = $e.network.dns.questions.name

    // 4+ label depth
    re.capture($fqdn, "^([^.]+\.){3,}[^.]+\.[^.]+$") != ""

    not re.match($fqdn,
      `.*\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net)$`)

  match:
    $fqdn over 24h

  outcome:
    $query_count = count_distinct($e.principal.ip)

  condition:
    #e >= 3 and $query_count >= 2
}

high severity medium confidence

Data Sources

Google Chronicle UDM ingestion Azure Audit Logs via Chronicle ingestion DNS resolver logs via Chronicle forwarder Cloud DNS audit logs (AWS Route53, Azure DNS, GCP Cloud DNS)

Required Tables

UDM events with metadata.event_type=USER_RESOURCE_UPDATE_CONTENT UDM events with metadata.event_type=NETWORK_DNS

False Positives

Legitimate cloud infrastructure provisioning pipelines that create DNS zones and immediately query them for validation will trigger both rules
Third-party threat intelligence enrichment services that perform DNS lookups on behalf of analysts appear as new subdomain queries
Global CDN health monitoring generates high-frequency DNS queries to newly provisioned edge subdomains

CrowdStrike LogScale (CQL)

cql

// Detection 1: New subdomains with no 30-day history via Falcon DNS telemetry
// Query 1a: Collect recent DNS requests to deeply-nested domains
#event_simpleName=DnsRequest
| DomainName = /^([^.]+\.){3,}[^.]+\.[^.]+$/  // 4+ labels
| DomainName != /\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net|akamaitechnologies\.com)$/
| groupBy([DomainName, ComputerName], function=[
    count(aid, as=query_count),
    min(timestamp, as=first_seen),
    max(timestamp, as=last_seen),
    collectDistinct(RemoteAddressIP4, maxcount=10, as=resolved_ips)
  ])
| where query_count >= 3
// Approximate baseline exclusion: domains first seen within lookback
| first_seen_epoch = formatTime("%s", first_seen)
| lookback_epoch = subtractDuration(now(), "720h")  // 30 days
| where first_seen >= lookback_epoch
// Extract apex domain and subdomain prefix
| parts = splitString(DomainName, ".")
| apex_domain = format("%s.%s", [parts[-2], parts[-1]])
| subdomain_depth = length(parts)
| sort(query_count, order=desc)
| select([DomainName, apex_domain, subdomain_depth, ComputerName, query_count, first_seen, last_seen, resolved_ips])

// Detection 2: Cloud activity correlation — DNS zone modifications via CrowdStrike Horizon
// (Requires Falcon Horizon / CSPM cloud audit event ingestion)
#event_simpleName=CloudAuditEvent
| CloudService = "Azure"
| OperationName = /(?i)(MICROSOFT\.NETWORK\/DNSZONES|Write DNS|Delete DNS)/
| groupBy([OperationName, UserPrincipalName, SourceIPAddress, ResourceId], function=[
    count(as=op_count),
    min(timestamp, as=first_event),
    max(timestamp, as=last_event)
  ])
| sort(op_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor DnsRequest events CrowdStrike Falcon Horizon cloud audit events (Azure/AWS/GCP) Falcon Identity Protection DNS telemetry

Required Tables

#event_simpleName=DnsRequest #event_simpleName=CloudAuditEvent #event_simpleName=NetworkConnectIP4

False Positives

Endpoint software update mechanisms (WSUS, SCCM, Intune) resolve new distribution point subdomains that may appear as first-time deep subdomain queries
Security tools performing passive DNS collection or threat intelligence lookups generate DnsRequest events for known-malicious deeply-nested domains as a side effect of detection
Developer workstations running local Kubernetes clusters (minikube, kind) generate DNS queries to synthetic deeply-nested service mesh FQDNs

Compromise Infrastructure: Domains

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections