T1584.001 CrowdStrike LogScale · LogScale

Detect Compromise Infrastructure: Domains in CrowdStrike LogScale

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Sub-technique
T1584.001 Domains
Canonical reference
https://attack.mitre.org/techniques/T1584/001/

LogScale Detection Query

// Detection 1: New subdomains with no 30-day history via Falcon DNS telemetry
// Run this over a search window longer than the 30-day lookback (e.g. 60d); if the
// window equals the lookback, every first_seen falls inside it and nothing is excluded.
// Query 1a: Collect recent DNS requests to deeply-nested domains
#event_simpleName=DnsRequest
| DomainName=/^([^.]+\.){2,}[^.]+\.[^.]+$/  // 4+ labels
| NOT DomainName=/\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net|akamaitechnologies\.com)$/
| groupBy([DomainName, ComputerName], function=[
    count(aid, as=query_count),
    min(timestamp, as=first_seen),
    max(timestamp, as=last_seen),
    collect([RemoteAddressIP4], limit=10)  // distinct resolved IPs, kept under the RemoteAddressIP4 name
  ])
| query_count >= 3
// Approximate baseline exclusion: keep only domains first seen within the lookback
// (timestamp is epoch milliseconds, as is now() - duration())
| lookback_epoch := now() - duration("30d")
| test(first_seen >= lookback_epoch)
// Extract apex domain and subdomain depth
| DomainName=/(?<apex_domain>[^.]+\.[^.]+)$/
| splitString(DomainName, by="[.]", as=parts)
| array:length(array="parts[]", as=subdomain_depth)
| rename(RemoteAddressIP4, as=resolved_ips)
| sort(query_count, order=desc)
| select([DomainName, apex_domain, subdomain_depth, ComputerName, query_count, first_seen, last_seen, resolved_ips])

// Detection 2: Cloud activity correlation: DNS zone modifications via CrowdStrike Horizon
// (Requires Falcon Horizon / CSPM cloud audit event ingestion)
#event_simpleName=CloudAuditEvent
| CloudService="Azure"
| OperationName=/(MICROSOFT\.NETWORK\/DNSZONES|Write DNS|Delete DNS)/i
| groupBy([OperationName, UserPrincipalName, SourceIPAddress, ResourceId], function=[
    count(as=op_count),
    min(timestamp, as=first_event),
    max(timestamp, as=last_event)
  ])
| sort(op_count, order=desc)

Severity: high. Confidence: medium.

Detects domain shadowing and subdomain hijacking using CrowdStrike Falcon telemetry. Query 1 uses Falcon's DnsRequest events to identify endpoints querying deeply-nested subdomains with no long-term history, a key indicator of shadow domains becoming active. Query 2 leverages Falcon Horizon cloud audit events to detect DNS zone record modifications in Azure that may represent domain registration hijacking setup.
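The Query 1a logic as an added Python example (not code from this page or from CrowdStrike), run over constructed DnsRequest-like events. It exercises the two exclusions the query depends on (the vendor-zone allowlist and a first_seen older than the lookback) and shows why the search window has to be wider than the lookback; the event shape, field names and the IP4 field are assumptions for the sample, not the Falcon schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same filters as the LogScale query: 4+ labels, minus well-known vendor zones.
DEEP = re.compile(r"^([^.]+\.){2,}[^.]+\.[^.]+$")
ALLOW = re.compile(r"\.(microsoft\.com|windows\.com|azure\.com|googleapis\.com|amazonaws\.com|cloudfront\.net|akamaitechnologies\.com)$")
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # fixed "now" so the run is repeatable

def ev(domain, host, days_ago, ip):
    """One constructed DnsRequest-like event with an epoch-second timestamp."""
    return {"DomainName": domain, "ComputerName": host, "IP4": ip,
            "timestamp": int((NOW - timedelta(days=days_ago)).timestamp())}

# Constructed 45-day sample (not real Falcon telemetry); the window must exceed the lookback.
EVENTS = [
    ev("cdn.static.upd.example.com", "WS01", 5, "203.0.113.10"),  # new and repeated: alert
    ev("cdn.static.upd.example.com", "WS01", 4, "203.0.113.10"),
    ev("cdn.static.upd.example.com", "WS01", 1, "203.0.113.11"),
    ev("a.b.c.corp.example.net", "WS02", 45, "10.0.0.5"),         # seen 45 days ago: has history
    ev("a.b.c.corp.example.net", "WS02", 3, "10.0.0.5"),
    ev("a.b.c.corp.example.net", "WS02", 2, "10.0.0.5"),
    ev("x.y.z.cloudfront.net", "WS03", 2, "198.51.100.7"),        # allowlisted vendor zone: skip
    ev("x.y.z.cloudfront.net", "WS03", 1, "198.51.100.7"),
    ev("x.y.z.cloudfront.net", "WS03", 1, "198.51.100.7"),
]

def detect_new_deep_subdomains(events, now=NOW, lookback_days=30, min_queries=3):
    """Mirror of Query 1a: deep subdomains queried >= min_queries times, first seen inside the lookback."""
    lookback_epoch = int((now - timedelta(days=lookback_days)).timestamp())
    groups = defaultdict(lambda: {"n": 0, "first": float("inf"), "last": 0, "ips": set()})
    for e in events:
        name = e["DomainName"]
        if not DEEP.match(name) or ALLOW.search(name):
            continue  # not a deep subdomain, or a vendor zone expected to churn
        g = groups[(name, e["ComputerName"])]
        g["n"] += 1
        g["first"] = min(g["first"], e["timestamp"])
        g["last"] = max(g["last"], e["timestamp"])
        g["ips"].add(e["IP4"])
    hits = []
    for (name, host), g in groups.items():
        if g["n"] < min_queries or g["first"] < lookback_epoch:
            continue  # too few queries, or already seen before the lookback window
        parts = name.split(".")
        hits.append({"DomainName": name, "apex_domain": ".".join(parts[-2:]), "subdomain_depth": len(parts),
                     "ComputerName": host, "query_count": g["n"], "first_seen": g["first"],
                     "last_seen": g["last"], "resolved_ips": sorted(g["ips"])})
    return sorted(hits, key=lambda h: h["query_count"], reverse=True)
```

Widening lookback_days to the full 45-day sample makes the corp.example.net host resurface, which is exactly what happens in LogScale when the search window is no wider than the lookback.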

Data Sources

  • CrowdStrike Falcon sensor DnsRequest events
  • CrowdStrike Falcon Horizon cloud audit events (Azure/AWS/GCP)
  • Falcon Identity Protection DNS telemetry

Required Tables

  • #event_simpleName=DnsRequest
  • #event_simpleName=CloudAuditEvent
  • #event_simpleName=NetworkConnectIP4

False Positives & Tuning

  • Endpoint software update mechanisms (WSUS, SCCM, Intune) resolve new distribution point subdomains that may appear as first-time deep subdomain queries
  • Security tools performing passive DNS collection or threat intelligence lookups generate DnsRequest events for known-malicious deeply-nested domains as a side effect of detection
  • Developer workstations running local Kubernetes clusters (minikube, kind) generate DNS queries to synthetic deeply-nested service mesh FQDNs
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enumerate Subdomains for Dangling CNAME Discovery

    Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.

  2. Test 2: Simulate Domain Shadowing DNS Pattern

    Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.

  3. Test 3: Unauthorized AWS Route53 DNS Record Modification

    Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.

  4. Test 4: Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates

    Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
