Detect Compromise Infrastructure: Domains in Microsoft Sentinel
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.001 Domains
- Canonical reference
- https://attack.mitre.org/techniques/T1584/001/
KQL Detection Query
// Detection 1: Azure DNS Zone Record Modifications (potential domain shadowing or hijack setup)
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any ("MICROSOFT.NETWORK/DNSZONES/", "Write DNS", "Delete DNS")
| where Result == "success"
| extend TargetResource = tostring(TargetResources[0].displayName)
| extend ModifiedBy = tostring(InitiatedBy.user.userPrincipalName)
| extend ClientIP = tostring(InitiatedBy.user.ipAddress)
| extend RecordType = tostring(TargetResources[0].type)
| project TimeGenerated, OperationName, TargetResource, ModifiedBy, ClientIP, RecordType, Result, CorrelationId
| sort by TimeGenerated desc
// Detection 2: Suspicious DNS resolution patterns suggesting domain shadowing (new subdomains resolving)
// Run separately against DNS event tables
union isfuzzy=true DnsEvents, ASimDnsActivityLogs
| where TimeGenerated > ago(24h)
| where SubType =~ "LookupQuery" or EventType =~ "Query"
| where Name has_any (".") and strlen(Name) > 20
// Flag queries to subdomains not seen in the prior 30 days
| join kind=leftanti (
union isfuzzy=true DnsEvents, ASimDnsActivityLogs
| where TimeGenerated between (ago(31d) .. ago(24h))
| summarize by Name
) on Name
| summarize QueryCount=count(), Clients=make_set(ClientIP, 20), FirstSeen=min(TimeGenerated) by Name, IPAddresses
| where QueryCount >= 3
| extend SubdomainDepth = array_length(split(Name, "."))
| where SubdomainDepth >= 4
| sort by QueryCount descTwo-part detection for domain compromise indicators. Part 1 monitors Azure DNS zone modifications via AuditLogs, flagging record creates, updates, and deletes that could indicate domain shadowing (adding malicious subdomains) or DNS hijacking setup. Part 2 identifies newly appearing subdomains (not seen in prior 30 days) being queried internally, which may indicate domain shadowing infrastructure being activated. High subdomain depth (4+ labels) is a specific indicator of domain shadowing patterns documented by Palo Alto Unit 42.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate infrastructure changes by DNS administrators adding new subdomains for new services or deployments
- CDN or cloud service onboarding that creates new CNAME records pointing to provider infrastructure
- Automated certificate validation records (ACME _acme-challenge TXT records) created by Let's Encrypt or similar CAs
- Marketing or business development activities registering new subdomains for campaigns, microsites, or partner portals
- Cloud migration projects that temporarily create new DNS records pointing to new infrastructure while decommissioning old ones
Other platforms for T1584.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Subdomains for Dangling CNAME Discovery
Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.
- Test 2Simulate Domain Shadowing DNS Pattern
Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.
- Test 3Unauthorized AWS Route53 DNS Record Modification
Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.
- Test 4Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates
Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
References (11)
- https://attack.mitre.org/techniques/T1584/001/
- https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en
- https://unit42.paloaltonetworks.com/domain-shadowing/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://www.cisa.gov/news-events/alerts/2019/01/10/dns-infrastructure-tampering
- https://attack.mitre.org/tactics/TA0042/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal
Unlock Pro Content
Get the full detection package for T1584.001 including response playbook, investigation guide, and atomic red team tests.