Detect Compromise Infrastructure: Domains in IBM QRadar
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.001 Domains
- Canonical reference
- https://attack.mitre.org/techniques/T1584/001/
QRadar Detection Query
// Detection 1: DNS zone record changes in cloud audit events
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
LOGSOURCENAME(logsourceid) as log_source,
username,
sourceip,
QIDNAME(qid) as event_name,
"EventAction" as action,
"TargetResource" as dns_resource,
"ResultType" as result
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (413, 454)
AND LOWER(QIDNAME(qid)) LIKE '%dns%'
AND (LOWER("EventAction") LIKE '%write%dns%'
OR LOWER("EventAction") LIKE '%delete%dns%'
OR LOWER("EventAction") LIKE '%microsoft.network/dnszones%')
AND LAST 24 HOURS
ORDER BY starttime DESC
-- Detection 2: New subdomains with high subdomain depth
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
"Request URL" as fqdn,
sourceip as client_ip,
COUNT(*) as query_count,
LONG(CHARCOUNT("Request URL", '.')) as dot_count
FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (15, 352, 101)
AND CATEGORYNAME(category) LIKE '%DNS%'
AND LONG(CHARCOUNT("Request URL", '.')) >= 3
AND "Request URL" NOT IN
(SELECT DISTINCT "Request URL" FROM events
WHERE LOGSOURCETYPEID(logsourceid) IN (15, 352, 101)
AND CATEGORYNAME(category) LIKE '%DNS%'
AND starttime BETWEEN (NOW() - 2678400000) AND (NOW() - 86400000))
AND LAST 24 HOURS
GROUP BY "Request URL", sourceip
HAVING COUNT(*) >= 3
ORDER BY query_count DESCDetects domain shadowing and subdomain hijacking activity in QRadar by identifying cloud provider DNS zone record modifications and DNS queries to deeply nested subdomains with no historical baseline. Uses QRadar's built-in DNS event categories and cloud audit log source types.
Data Sources
Required Tables
False Positives & Tuning
- Automated certificate issuance (ACME/Let's Encrypt) creates new DNS TXT/CNAME records that may appear as DNS zone modifications
- Multi-tenant SaaS platforms provision new customer subdomains programmatically triggering DNS zone writes
- Terraform/Pulumi infrastructure-as-code pipelines make bulk DNS record changes during deployments
Other platforms for T1584.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Subdomains for Dangling CNAME Discovery
Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.
- Test 2Simulate Domain Shadowing DNS Pattern
Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.
- Test 3Unauthorized AWS Route53 DNS Record Modification
Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.
- Test 4Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates
Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
References (11)
- https://attack.mitre.org/techniques/T1584/001/
- https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en
- https://unit42.paloaltonetworks.com/domain-shadowing/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://www.cisa.gov/news-events/alerts/2019/01/10/dns-infrastructure-tampering
- https://attack.mitre.org/tactics/TA0042/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal
Unlock Pro Content
Get the full detection package for T1584.001 including response playbook, investigation guide, and atomic red team tests.