T1584.001 Elastic Security · Elastic

Detect Compromise Infrastructure: Domains in Elastic Security

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.001 Domains
Canonical reference
https://attack.mitre.org/techniques/T1584/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
// Detection 1: DNS zone/record modification events via cloud audit logs
sequence by host.name with maxspan=1h
  [any where event.dataset == "azure.auditlogs" and
   event.action : ("MICROSOFT.NETWORK/DNSZONES/*", "Write DNS*", "Delete DNS*") and
   event.outcome == "success"]

// Detection 2: New subdomains not seen in prior 30 days (DNS query baseline)
from logs-network.dns-*
| where @timestamp > now() - 24h
| where dns.question.name is not null
| eval subdomain_depth = length(replace(dns.question.name, replace(dns.question.name, ".", ""), ""))
| where subdomain_depth >= 3

// EQL sequence for new subdomain spike from single host
sequence by source.ip with maxspan=10m
  [dns where dns.question.name : "*.*.*.*" and
   not dns.question.name : ("*.microsoft.com", "*.windows.com", "*.azure.com",
     "*.googleapis.com", "*.amazon.com", "*.cloudfront.net")
  ] with runs=3
high severity medium confidence

Detects potential domain shadowing and subdomain hijacking by identifying DNS queries to deeply nested subdomains (4+ levels) not previously observed in the environment, and cloud DNS zone record modifications. Uses ECS-normalized DNS fields from Elastic Agent network data or Packetbeat.

Data Sources

Elastic Agent with network integrationPacketbeatAzure audit logs via Elastic integrationDNS gateway logs

Required Tables

logs-network.dns-*logs-azure.auditlogs-*logs-system.security-*

False Positives & Tuning

  • CDN providers and SaaS platforms frequently use deeply nested subdomains for edge routing (e.g., customer-tenant.region.cdn.example.com)
  • Internal DNS infrastructure may generate new deeply-nested subdomains during service deployments or auto-scaling events
  • Cloud-native applications using service mesh (Istio, Linkerd) generate dynamic subdomains for service discovery
Download portable Sigma rule (.yml)

Other platforms for T1584.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate Subdomains for Dangling CNAME Discovery

    Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.

  2. Test 2Simulate Domain Shadowing DNS Pattern

    Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.

  3. Test 3Unauthorized AWS Route53 DNS Record Modification

    Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.

  4. Test 4Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates

    Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1584.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.002DNS ServerT1584.003Virtual Private ServerT1584.004Compromise Infrastructure: ServerT1584.005BotnetT1584.006Web ServicesT1584.007ServerlessT1584.008Network Devices

Related Techniques

T1584Compromise InfrastructureT1583.001DomainsT1566.002Spearphishing LinkT1071.001Web ProtocolsT1189Drive-by CompromiseT1598.003Spearphishing LinkT1584.002DNS ServerT1586.002Email AccountsT1557.002ARP Cache PoisoningT1556.006Multi-Factor Authentication

Same Tactic: Resource Development

Popular Detections