Detect Compromise Infrastructure: Domains in Sumo Logic CSE
Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Sub-technique
- T1584.001 Domains
- Canonical reference
- https://attack.mitre.org/techniques/T1584/001/
Sumo Detection Query
// Detection 1: Azure DNS zone modifications
_sourceCategory=azure/audit OR _sourceCategory=Azure/AuditLogs
| json field=_raw "operationName" as operation_name nodrop
| json field=_raw "resultType" as result nodrop
| json field=_raw "identity.claims.upn" as modified_by nodrop
| json field=_raw "callerIpAddress" as caller_ip nodrop
| json field=_raw "resourceId" as resource_id nodrop
| where (operation_name matches /(?i)MICROSOFT\.NETWORK\/DNSZONES/
OR operation_name matches /(?i)Write DNS/
OR operation_name matches /(?i)Delete DNS/)
| where result = "Success"
| count by operation_name, modified_by, caller_ip, resource_id
| sort by _count desc
// Detection 2: New deeply-nested subdomains in DNS logs
(_sourceCategory=dns* OR _sourceCategory=network/dns OR _sourceCategory=infoblox*)
| parse "query: *" as fqdn nodrop
| parse field=_raw "\"qname\":\"*\"" as fqdn nodrop
| where !isNull(fqdn) and fqdn != ""
| eval fqdn = toLowerCase(fqdn)
| eval dot_count = length(fqdn) - length(replaceAll(fqdn, ".", ""))
| where dot_count >= 3
| withtime
// Exclude known-good apex domains
| where !(fqdn matches /.*\.microsoft\.com$/
OR fqdn matches /.*\.windows\.com$/
OR fqdn matches /.*\.googleapis\.com$/
OR fqdn matches /.*\.amazonaws\.com$/)
| timeslice 1h
| count as query_count, values(src_ip) as clients by fqdn, dot_count, _timeslice
| where query_count >= 3
// Compare to 30-day baseline — use lookup or separate saved search
| sort by query_count descDetects domain shadowing and DNS infrastructure compromise activity in Sumo Logic by correlating Azure DNS zone record write/delete operations with DNS queries to anomalously deep subdomains lacking historical presence. Combines cloud audit telemetry with DNS query logs.
Data Sources
Required Tables
False Positives & Tuning
- DevOps teams using Terraform to manage DNS zones will generate frequent zone write events that match the modification pattern
- Content delivery networks dynamically create and destroy subdomains for edge caching, generating new FQDN observations continuously
- Internal PKI systems may create new DNS entries during certificate lifecycle management
Other platforms for T1584.001
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate Subdomains for Dangling CNAME Discovery
Expected signal: DNS queries for each subdomain visible in Sysmon Event ID 22 (DNS Query) if run from a monitored host, or in DNS server query logs. Multiple rapid queries for subdomains of the same apex domain from a single host within a short window is detectable. Network flow data will show the DNS traffic pattern.
- Test 2Simulate Domain Shadowing DNS Pattern
Expected signal: Sysmon Event ID 22 (DNS Query): five events with QueryName values matching the deep subdomain patterns (4+ labels). Events will show QueryResults as empty or '-' due to NXDOMAIN. All queries will originate from the test host's process running the PowerShell command.
- Test 3Unauthorized AWS Route53 DNS Record Modification
Expected signal: AWS CloudTrail: ChangeResourceRecordSets API event with userIdentity.arn showing the calling IAM entity, sourceIPAddress, requestParameters including the hosted zone ID and the new record set details. Event will appear in CloudTrail within 15 minutes. If CloudTrail is ingested into Sentinel or Splunk, the event will appear in the respective tables.
- Test 4Certificate Transparency Log Monitoring for Newly Issued Subdomain Certificates
Expected signal: Outbound HTTPS connection to crt.sh (104.21.x.x / 172.67.x.x) visible in DeviceNetworkEvents or proxy logs. No endpoint-side telemetry beyond network connection. The value is in the output: any certificate for a subdomain your organization didn't authorize is a direct indicator of T1584.001 activity.
References (11)
- https://attack.mitre.org/techniques/T1584/001/
- https://krebsonsecurity.com/2019/02/a-deep-dive-on-the-recent-widespread-dns-hijacking-attacks/
- https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en
- https://unit42.paloaltonetworks.com/domain-shadowing/
- https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover
- https://github.com/EdOverflow/can-i-take-over-xyz
- https://www.cisa.gov/news-events/alerts/2019/01/10/dns-infrastructure-tampering
- https://attack.mitre.org/tactics/TA0042/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/logging-using-cloudtrail.html
- https://learn.microsoft.com/en-us/azure/dns/dns-operations-dnszones-portal
Unlock Pro Content
Get the full detection package for T1584.001 including response playbook, investigation guide, and atomic red team tests.