Detect Compromise Infrastructure: Domains in Splunk
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1584 Compromise Infrastructure
- Sub-technique: T1584.001 Domains
- Canonical reference: https://attack.mitre.org/techniques/T1584/001/
SPL Detection Query
```
| tstats count as dns_count, values(DNS.answer) as resolved_ips, dc(DNS.src) as unique_clients
FROM datamodel=Network_Resolution
WHERE earliest=-24h DNS.message_type=RESPONSE
BY DNS.query, DNS.record_type, _time span=1h
| rename DNS.query as fqdn, DNS.record_type as record_type
| eval fqdn=lower(fqdn)
| eval subdomain_depth=mvcount(split(fqdn, "."))
| where subdomain_depth >= 4
| join type=left fqdn [
| tstats count FROM datamodel=Network_Resolution
WHERE earliest=-31d latest=-24h DNS.message_type=RESPONSE
BY DNS.query
| rename DNS.query as fqdn
| eval fqdn=lower(fqdn), historical=1
| fields fqdn historical
]
| where isnull(historical)
| eval domain_parts=split(fqdn, ".")
| eval apex_domain=mvindex(domain_parts, -2)+"."+mvindex(domain_parts, -1)
| eval subdomain_prefix=substr(fqdn, 1, len(fqdn)-len(apex_domain)-1)
| where dns_count >= 3
| table _time, fqdn, apex_domain, subdomain_prefix, subdomain_depth, record_type, resolved_ips, dns_count, unique_clients
| sort - dns_count
```
Alternate query for Sysmon DNS events (Event ID 22), to be used when the Network_Resolution datamodel is unavailable:
```
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22 earliest=-24h
| eval fqdn=lower(QueryName)
| eval subdomain_depth=mvcount(split(fqdn, "."))
| where subdomain_depth >= 4
| eval domain_parts=split(fqdn, ".")
| eval apex_domain=mvindex(domain_parts, -2)+"."+mvindex(domain_parts, -1)
| eval subdomain_prefix=substr(fqdn, 1, len(fqdn)-len(apex_domain)-1)
| stats count as query_count, dc(host) as unique_hosts, values(QueryResults) as resolved_ips, earliest(_time) as first_seen
BY fqdn, apex_domain, subdomain_prefix
| join type=left fqdn [
search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22 earliest=-31d latest=-24h
| eval fqdn=lower(QueryName)
| stats count BY fqdn
| eval historical=1
| fields fqdn historical
]
| where isnull(historical)
| where query_count >= 3
| sort - query_count
```
Detects domain-shadowing indicators by identifying newly appearing subdomains (absent from DNS traffic in the prior 30 days) that show up in the last 24 hours of DNS query logs with deep subdomain depth (4 or more labels). Uses the Network_Resolution datamodel for normalized DNS data, with a fallback to Sysmon Event ID 22 (DNS Query). Deep subdomains not seen historically are a strong indicator of domain-shadowing infrastructure being activated, as documented in Palo Alto Unit 42 research on this technique. Two caveats when deploying: the 30-day baseline is built in a join subsearch, which is capped at 50,000 results by default, so on a busy network it can silently truncate and make long-known subdomains look new; and the apex domain is taken from the last two labels, so hosts under multi-label public suffixes (for example example.co.uk) are split incorrectly unless a public-suffix lookup is added.
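The same "new deep subdomain" logic, re-implemented here as an added example in Python (not code from the original page or from Splunk) so it can be run offline against constructed Sysmon Event ID 22 records. It goes slightly beyond the SPL in two places the description flags: a small constructed public-suffix table so that example.co.uk is treated as the apex, and a constructed allowlist for the cloud auto-scaled hostnames listed under false positives. The record shape (`_time`, `Computer`, `QueryName`, `QueryResults`), the suffix table and the allowlist are assumptions for this example.

```python
"""
Added example (not from the original page or from Splunk): the page's SPL
logic for new deep subdomains, run over constructed Sysmon Event ID 22 records.
Assumed record shape: dict with epoch `_time`, `Computer`, `QueryName` and
`QueryResults` (Sysmon's semicolon-separated answer list, "-" on NXDOMAIN).
"""

HOUR = 3600
DAY = 86400

# Constructed stand-in for a public-suffix list: the page's "last two labels"
# apex rule misreads example.co.uk as co.uk, so these suffixes take three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed allowlist for the page's false-positive class of cloud
# auto-scaled hostnames (tune to your own environment).
ALLOWLIST_SUFFIXES = (".elb.amazonaws.com", ".azurewebsites.net")


def split_fqdn(fqdn):
    """Return (apex_domain, subdomain_prefix, subdomain_depth) for an FQDN."""
    labels = fqdn.lower().rstrip(".").split(".")
    n_apex = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n_apex:]), ".".join(labels[:-n_apex]), len(labels)


def parse_query_results(raw):
    """Turn Sysmon's QueryResults string into a set of answer IPs."""
    ips = set()
    for part in raw.split(";"):
        part = part.strip()
        if part.startswith("::ffff:"):   # Sysmon writes IPv4 answers as IPv4-mapped IPv6
            part = part[len("::ffff:"):]
        if part and part != "-":         # "-" means no answer (NXDOMAIN)
            ips.add(part)
    return ips


def detect_new_deep_subdomains(records, now, min_depth=4, min_count=3,
                               baseline_days=30, window_hours=24):
    """Mirror the SPL: deep FQDNs queried >= min_count times in the current
    window that never appeared in the preceding baseline period."""
    window_start = now - window_hours * HOUR
    baseline_start = window_start - baseline_days * DAY
    baseline = set()
    current = {}
    for rec in records:
        ts = rec["_time"]
        fqdn = rec["QueryName"].lower().rstrip(".")
        if fqdn.endswith(ALLOWLIST_SUFFIXES):
            continue
        if baseline_start <= ts < window_start:
            baseline.add(fqdn)
        elif window_start <= ts <= now:
            entry = current.setdefault(fqdn, {"query_count": 0, "hosts": set(),
                                              "resolved_ips": set(), "first_seen": ts})
            entry["query_count"] += 1
            entry["hosts"].add(rec["Computer"])
            entry["resolved_ips"] |= parse_query_results(rec.get("QueryResults", "-"))
            entry["first_seen"] = min(entry["first_seen"], ts)

    findings = []
    for fqdn, entry in current.items():
        apex, prefix, depth = split_fqdn(fqdn)
        if depth < min_depth or fqdn in baseline or entry["query_count"] < min_count:
            continue
        findings.append({
            "fqdn": fqdn, "apex_domain": apex, "subdomain_prefix": prefix,
            "subdomain_depth": depth, "query_count": entry["query_count"],
            "unique_hosts": len(entry["hosts"]), "resolved_ips": entry["resolved_ips"],
            "first_seen": entry["first_seen"],
        })
    findings.sort(key=lambda f: -f["query_count"])   # same order as "sort - query_count"
    return findings


# Constructed sample telemetry (not real events).
NOW = 1_700_000_000
IN_WINDOW = NOW - 2 * HOUR
IN_BASELINE = NOW - 10 * DAY
SAMPLE_EVENTS = [
    {"_time": IN_BASELINE, "Computer": "ws01", "QueryName": "mail.corp.example.com",
     "QueryResults": "::ffff:198.51.100.5;"},                      # seen in the baseline
    {"_time": IN_WINDOW, "Computer": "ws01", "QueryName": "www.example.com",
     "QueryResults": "::ffff:198.51.100.1;"},                      # too shallow
    {"_time": IN_WINDOW, "Computer": "ws06", "QueryName": "once.deep.sub.example.com",
     "QueryResults": "-"},                                         # new, but a single query
]
SAMPLE_EVENTS += [{"_time": IN_WINDOW + i, "Computer": "ws01", "QueryName": "mail.corp.example.com",
                   "QueryResults": "::ffff:198.51.100.5;"} for i in range(4)]   # deep, but not new
SAMPLE_EVENTS += [{"_time": IN_WINDOW + i, "Computer": "ws02" if i % 2 else "ws03",
                   "QueryName": "a1b2c3.cdn.update.example.com",
                   "QueryResults": "::ffff:203.0.113.10;"} for i in range(5)]   # new, deep, two hosts
SAMPLE_EVENTS += [{"_time": IN_WINDOW + i, "Computer": "ws04", "QueryName": "x9.login.shop.example.co.uk",
                   "QueryResults": "-"} for i in range(3)]                      # new, deep, NXDOMAIN
SAMPLE_EVENTS += [{"_time": IN_WINDOW + i, "Computer": "ws05", "QueryName": "ab12cd.elb.amazonaws.com",
                   "QueryResults": "::ffff:198.51.100.9;"} for i in range(10)]  # allowlisted cloud host

if __name__ == "__main__":
    for f in detect_new_deep_subdomains(SAMPLE_EVENTS, NOW):
        print(f["query_count"], f["fqdn"], f["apex_domain"], f["subdomain_prefix"],
              sorted(f["resolved_ips"]))
```

Running it reports only the two constructed shadow-style hosts: the baseline-known host, the shallow host, the single-query host and the allowlisted ELB name all drop out, which is the behaviour the SPL thresholds are meant to produce.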
False Positives & Tuning
- New legitimate subdomains deployed for business purposes (new product launches, regional expansions)
- Cloud provider dynamic subdomains for auto-scaled services (AWS ELB, Azure App Services) generating unique hostnames
- Third-party SaaS onboarding creating CNAME-validated subdomains on corporate domains
- Certificate transparency monitoring queries from internal scanning tools checking for new subdomains
- Ad tech and marketing platforms creating unique subdomain tracking pixels or landing pages
Testing Methodology
Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Enumerate Subdomains for Dangling CNAME Discovery
  Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.
- Test 2: Simulate Domain Shadowing DNS Pattern
  Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.
- Test 3: Unauthorized AWS Route53 DNS Record Modification
  Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.
- Test 4: Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates
  Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
References
- https://attack.mitre.org/techniques/T1584/001/
- https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en
- https://unit42.paloaltonetworks.com/domain-shadowing/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://www.cisa.gov/news-events/alerts/2019/01/10/dns-infrastructure-tampering
- https://attack.mitre.org/tactics/TA0042/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal