T1584.001 Google Chronicle · YARA-L

Detect Compromise Infrastructure: Domains in Google Chronicle

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.001 Domains
Canonical reference
https://attack.mitre.org/techniques/T1584/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1584_001_domain_compromise_dns_shadowing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential domain shadowing and subdomain hijacking via new deeply-nested subdomains and DNS zone record modifications"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.001"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"
    created = "2026-04-13"

  events:
    // Event 1: cloud DNS zone modification by an authenticated principal
    $cloud_dns.metadata.event_type = "USER_RESOURCE_UPDATE_CONTENT"
    $cloud_dns.target.resource.type = "DNS_ZONE"
    $cloud_dns.metadata.vendor_name = "Microsoft"
    $cloud_dns.principal.user.email_addresses != ""
    $cloud_dns.principal.ip != ""
    $user_ip = $cloud_dns.principal.ip

    // Event 2: DNS query to a deeply nested subdomain from the same principal IP,
    // issued after the zone change (the 1h match window bounds the gap)
    $dns_query.metadata.event_type = "NETWORK_DNS"
    $dns_query.network.dns.questions.name != ""
    $dns_query.principal.ip = $user_ip
    $cloud_dns.metadata.event_timestamp.seconds < $dns_query.metadata.event_timestamp.seconds

    // Filter: 4+ labels (3+ dots) in the queried name. {2,} repetitions plus the
    // trailing two labels gives a minimum of four labels. Raw (backtick) strings
    // keep the regex backslashes from being read as string escapes.
    re.regex($dns_query.network.dns.questions.name, `^([^.]+\.){2,}[^.]+\.[^.]+$`)

    // Exclude common CDN/cloud apex domains
    not re.regex($dns_query.network.dns.questions.name,
      `.*\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net|akamaiedge\.net)$`)

  match:
    $user_ip over 1h

  condition:
    $cloud_dns and $dns_query
}

rule t1584_001_new_subdomain_no_history {
  meta:
    author = "Argus Detection Engineering"
    description = "Identifies DNS queries to subdomains with no prior resolution history — key indicator of domain shadowing infrastructure setup"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.001"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    $e.network.dns.questions.name != ""
    // response_code is the numeric DNS RCODE in UDM; 0 = NOERROR
    $e.network.dns.response_code = 0
    $fqdn = $e.network.dns.questions.name

    // 4+ labels (3+ dots)
    re.regex($e.network.dns.questions.name, `^([^.]+\.){2,}[^.]+\.[^.]+$`)

    // Exclude common CDN/cloud apex domains
    not re.regex($e.network.dns.questions.name,
      `.*\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net)$`)

  match:
    $fqdn over 24h

  outcome:
    $query_count = count_distinct($e.principal.ip)

  condition:
    #e >= 3 and $query_count >= 2
}

Two Chronicle YARA-L 2.0 rules detect T1584.001 activity. The first correlates a cloud DNS zone modification with a subsequent DNS query, from the same principal IP within one hour, to a deeply-nested subdomain (the domain shadowing setup workflow). The second flags any deeply-nested subdomain that successfully resolves for at least three queries from two or more distinct clients within 24 hours; it keeps no historical baseline, so a newly stood-up shadow subdomain is flagged the first time it reaches that fan-out.
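To check the filtering and correlation logic of both rules offline before deploying them, the following Python script re-implements them over a handful of constructed UDM-style events. It is an added example, not code from the page or from Argus Detection Engineering; the event dictionaries, IP addresses, hostnames and timestamps are all made up, and the field names (`event_type`, `principal_ip`, `qname`, `rcode`) are a flattened stand-in for the UDM fields the rules read. The label-depth regex and the CDN apex exclusion are the same expressions the rules use, so the script doubles as a regression test for them: it shows that a four-label name passes, a three-label name does not, and names under the allow-listed apexes are dropped before any counting happens.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Label-depth test used by both rules: 4 or more labels, i.e. 3 or more dots.
DEEP_SUBDOMAIN = re.compile(r"^([^.]+\.){2,}[^.]+\.[^.]+$")
# Apex allow-list mirrored from the rules' exclusion regex.
CDN_APEX = re.compile(
    r".*\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|"
    r"amazonaws\.com|cloudfront\.net|akamaiedge\.net)$"
)


def normalize(name: str) -> str:
    """Lower-case and drop a trailing dot so 'A.B.example.com.' and 'a.b.example.com' agree."""
    return name.rstrip(".").lower()


def is_candidate_fqdn(name: str) -> bool:
    """True when the queried name is deep enough and not under a known CDN/cloud apex."""
    n = normalize(name)
    return bool(DEEP_SUBDOMAIN.match(n)) and not CDN_APEX.match(n)


def rule_zone_change_then_deep_query(events, window=timedelta(hours=1)):
    """Mirror of rule 1: a DNS_ZONE update followed, within `window`, by a deep
    subdomain query from the same principal IP. Returns the set of matching IPs."""
    zone_changes = defaultdict(list)
    for ev in events:
        if ev["event_type"] == "USER_RESOURCE_UPDATE_CONTENT" and ev.get("resource_type") == "DNS_ZONE":
            zone_changes[ev["principal_ip"]].append(ev["ts"])
    hits = set()
    for ev in events:
        if ev["event_type"] != "NETWORK_DNS" or not is_candidate_fqdn(ev["qname"]):
            continue
        if any(t0 <= ev["ts"] <= t0 + window for t0 in zone_changes.get(ev["principal_ip"], [])):
            hits.add(ev["principal_ip"])
    return hits


def rule_new_subdomain_fanout(events, window=timedelta(hours=24), min_events=3, min_clients=2):
    """Mirror of rule 2: per FQDN, at least `min_events` NOERROR (rcode 0) queries from
    at least `min_clients` distinct client IPs inside one window.
    Returns {fqdn: distinct_client_count} for the names that trip the threshold."""
    per_fqdn = defaultdict(list)
    for ev in events:
        if ev["event_type"] == "NETWORK_DNS" and ev.get("rcode") == 0 and is_candidate_fqdn(ev["qname"]):
            per_fqdn[normalize(ev["qname"])].append(ev)
    results = {}
    for fqdn, evs in per_fqdn.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):  # sliding window anchored at each event
            bucket = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            clients = {e["principal_ip"] for e in bucket}
            if len(bucket) >= min_events and len(clients) >= min_clients:
                results[fqdn] = len(clients)
                break
    return results


# Constructed sample telemetry (not real data), flattened from the UDM fields the rules use.
T0 = datetime(2026, 4, 13, 9, 0, 0)
SAMPLE_EVENTS = [
    # operator updates a DNS zone, then resolves a new deep subdomain 20 minutes later
    {"ts": T0, "event_type": "USER_RESOURCE_UPDATE_CONTENT", "resource_type": "DNS_ZONE", "principal_ip": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=20), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.5",
     "qname": "login.cdn.assets.example.com", "rcode": 0},
    # too shallow, and a deep name under an allow-listed apex: neither should count
    {"ts": T0 + timedelta(minutes=25), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.5",
     "qname": "www.example.com", "rcode": 0},
    {"ts": T0 + timedelta(minutes=30), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.5",
     "qname": "graph.api.prod.microsoft.com", "rcode": 0},
    # two more clients resolve the same deep name within 24h: rule 2 fan-out threshold met
    {"ts": T0 + timedelta(minutes=40), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.7",
     "qname": "LOGIN.cdn.assets.example.com.", "rcode": 0},
    {"ts": T0 + timedelta(hours=1), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.9",
     "qname": "login.cdn.assets.example.com", "rcode": 0},
    # one client querying a deep name three times: event count met, client count not
    *[{"ts": T0 + timedelta(hours=2, minutes=m), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.11",
       "qname": "portal.x.y.example.net", "rcode": 0} for m in (0, 1, 2)],
    # NXDOMAIN (rcode 3) answers are excluded by rule 2
    {"ts": T0 + timedelta(hours=2), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.12",
     "qname": "cdn2.stage.dev.example.org", "rcode": 3},
    # zone change followed by a deep query 2.5h later: outside rule 1's 1h window
    {"ts": T0 + timedelta(hours=3), "event_type": "USER_RESOURCE_UPDATE_CONTENT", "resource_type": "DNS_ZONE", "principal_ip": "10.0.0.8"},
    {"ts": T0 + timedelta(hours=5, minutes=30), "event_type": "NETWORK_DNS", "principal_ip": "10.0.0.8",
     "qname": "ops.alpha.beta.example.com", "rcode": 0},
]

if __name__ == "__main__":
    print("rule 1 hits:", rule_zone_change_then_deep_query(SAMPLE_EVENTS))
    print("rule 2 hits:", rule_new_subdomain_fanout(SAMPLE_EVENTS))
```

Running the script reports the single operator IP that changed a zone and then queried a deep subdomain within the hour, and the single FQDN that three distinct clients resolved within a day. The case-and-trailing-dot normalisation matters in practice: Chronicle's `match: $fqdn over 24h` groups on the raw question name, so the same subdomain logged as `LOGIN.cdn.assets.example.com.` by one resolver and `login.cdn.assets.example.com` by another would otherwise be split across two buckets and could fall under the `#e >= 3` threshold.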

Data Sources

  • Google Chronicle UDM ingestion
  • Azure Audit Logs via Chronicle ingestion
  • DNS resolver logs via Chronicle forwarder
  • Cloud DNS audit logs (AWS Route53, Azure DNS, GCP Cloud DNS)

Required Tables

  • UDM events with metadata.event_type=USER_RESOURCE_UPDATE_CONTENT
  • UDM events with metadata.event_type=NETWORK_DNS

False Positives & Tuning

  • Legitimate cloud infrastructure provisioning pipelines that create DNS zones and immediately query them for validation will trigger both rules
  • Third-party threat intelligence enrichment services that perform DNS lookups on behalf of analysts appear as new subdomain queries
  • Global CDN health monitoring generates high-frequency DNS queries to newly provisioned edge subdomains
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Subdomains for Dangling CNAME Discovery

    Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.

  2. Test 2: Simulate Domain Shadowing DNS Pattern

    Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.

  3. Test 3: Unauthorized AWS Route53 DNS Record Modification

    Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.

  4. Test 4: Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates

    Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
