T1584.002

DNS Server

Adversaries may compromise third-party DNS servers to support operations. By gaining control over DNS infrastructure, adversaries can alter DNS records to redirect organizational traffic, facilitate credential harvesting, or redirect users to adversary-controlled infrastructure mimicking legitimate services. This technique is used by threat actors including Sea Turtle and LAPSUS$, who modified NS records and DNS configurations to intercept traffic at scale. Unlike acquiring new DNS infrastructure (T1583.002), this involves compromising existing, trusted DNS servers — making detection harder due to the perceived legitimacy of the infrastructure.

Microsoft Sentinel / Defender

kusto

// Part 1: Detect endpoints querying non-authorized DNS servers (port 53 to unexpected destinations)
let AuthorizedDNSServers = dynamic(["8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"]); // Customize with your org's DNS IPs
let InternalRanges = dynamic(["10.", "172.16.", "172.17.", "172.18.", "172.19.", "172.20.", "172.21.", "172.22.", "172.23.", "172.24.", "172.25.", "172.26.", "172.27.", "172.28.", "172.29.", "172.30.", "172.31.", "192.168."]);
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort == 53
| where RemoteIPType == "Public"
| where not(RemoteIP has_any (AuthorizedDNSServers))
| where not(LocalIP has_any (InternalRanges))
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| extend Indicator = "Rogue DNS Server Query"
| union (
// Part 2: Detect DNS configuration changes via registry (changing DNS server settings)
DeviceRegistryEvents
| where Timestamp > ago(24h)
| where RegistryKey has_all ("SYSTEM", "CurrentControlSet", "Services", "Tcpip", "Parameters", "Interfaces")
| where RegistryValueName in~ ("NameServer", "DhcpNameServer", "SearchList", "DhcpDomain")
| where ActionType in~ ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName=DeviceName, LocalIP="", RemoteIP=RegistryCurrentValueData, RemotePort=53, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| extend Indicator = "DNS Configuration Changed"
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Windows Registry: Windows Registry Key Modification Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceRegistryEvents

False Positives

Developers or researchers intentionally using alternative public DNS resolvers (1.1.1.1, 9.9.9.9, 8.8.8.8) for testing — common on developer workstations if these are not in the authorized list
VPN clients that change DNS server assignments upon connecting, particularly split-tunnel configurations that use provider DNS
DHCP lease renewals that legitimately update DhcpNameServer registry values as part of normal network operations
Containerization platforms (Docker Desktop, WSL2) that configure their own virtual DNS resolvers pointing to non-standard IPs
Mobile hotspot tethering or public WiFi usage where the DHCP-assigned DNS differs from corporate infrastructure

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    DestinationPort=53 NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
  | eval QueryType="Network"
  | eval DNS_Target=DestinationIp
  | eval ProcessName=Image
  | eval CommandLine=CommandLine
  | eval Indicator="Rogue DNS Query Port 53"
  | table _time, host, User, ProcessName, CommandLine, DNS_Target, Indicator
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=13
    TargetObject="*\\Services\\Tcpip\\Parameters*"
    (TargetObject="*NameServer*" OR TargetObject="*DhcpNameServer*" OR TargetObject="*SearchList*")
  | eval Indicator="DNS Registry Config Changed"
  | eval DNS_Target=Details
  | eval ProcessName=Image
  | table _time, host, User, ProcessName, TargetObject, DNS_Target, Indicator
],
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval DNS_Target=QueryName
  | rex field=QueryResults "(?<ResolvedIP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
  | where isnotnull(ResolvedIP)
  | eval Indicator="DNS Query Resolved"
  | eval ProcessName=Image
  | table _time, host, User, ProcessName, DNS_Target, ResolvedIP, QueryResults, Indicator
]
| eval RogueServer=if(Indicator="Rogue DNS Query Port 53", 1, 0)
| eval ConfigChange=if(Indicator="DNS Registry Config Changed", 1, 0)
| eval SuspicionScore=RogueServer + ConfigChange
| sort - _time
| table _time, host, User, ProcessName, DNS_Target, Indicator, RogueServer, ConfigChange, SuspicionScore

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Windows Registry: Windows Registry Key Modification DNS: DNS Query Resolution Sysmon Event ID 3 Sysmon Event ID 13 Sysmon Event ID 22

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers or power users manually configuring alternative DNS resolvers (Cloudflare, Google) on their workstations
VPN software legitimately modifying DhcpNameServer registry values when establishing tunnels
DHCP renewals that update NameServer registry values through normal Windows networking stack behavior
Docker Desktop and WSL2 creating virtual DNS entries in registry for their internal virtual network adapters
IT administration tools (PDQ Deploy, SCCM) that push DNS configuration changes as part of network hardening policies

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  destinationip AS dns_target,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(highlevelcategory) AS high_category,
  CATEGORYNAME(category) AS low_category,
  payload,
  CASE
    WHEN destinationport = 53 THEN 'Rogue DNS Server Query'
    ELSE 'DNS Registry Config Changed'
  END AS indicator
FROM events
WHERE
  starttime >= (NOW() - 86400000)
  AND
  (
    (
      destinationport = 53
      AND NOT INCIDR('10.0.0.0/8', destinationip)
      AND NOT INCIDR('172.16.0.0/12', destinationip)
      AND NOT INCIDR('192.168.0.0/16', destinationip)
      AND NOT INCIDR('127.0.0.0/8', destinationip)
      AND destinationip NOT IN ('8.8.8.8', '8.8.4.4', '1.1.1.1', '1.0.0.1', '9.9.9.9')
    )
    OR
    (
      LOGSOURCETYPENAME(devicetype) ILIKE '%Windows%'
      AND (
        payload ILIKE '%\\Services\\Tcpip\\Parameters%'
        OR payload ILIKE '%Tcpip\\Parameters\\Interfaces%'
      )
      AND (
        payload ILIKE '%NameServer%'
        OR payload ILIKE '%DhcpNameServer%'
        OR payload ILIKE '%SearchList%'
        OR payload ILIKE '%DhcpDomain%'
      )
      AND (
        QIDNAME(qid) ILIKE '%registry%'
        OR QIDNAME(qid) ILIKE '%EventID: 13%'
        OR QIDNAME(qid) ILIKE '%Sysmon%'
      )
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

QRadar Network Activity (flows) IBM QRadar DSM for Microsoft Windows IBM QRadar DSM for Sysmon

Required Tables

events

False Positives

Authorized corporate DNS servers or recursive resolvers not included in the NOT IN exclusion list causing high-volume false positives across all managed endpoints — the query requires org-specific tuning to enumerate all sanctioned resolver IPs before production use
QRadar DSM payload normalization differences between Windows Security Event Log and Sysmon DSM versions may cause the payload ILIKE patterns for registry key paths to miss events depending on how raw XML is stored — validate with sample events from your specific DSM version
DHCP servers legitimately writing DhcpNameServer and DhcpDomain registry values to Windows endpoints during lease assignment; these events will match the registry branch of the OR condition and require suppression by source process (svchost.exe spawned by DHCP service)

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode in ("3","13","22") or event_id in ("3","13","22")
// Parse Sysmon network event fields (Event ID 3)
| parse regex field=_raw "(?i)DestinationIp: (?P<dest_ip>[\d.]+)" nodrop
| parse regex field=_raw "(?i)DestinationPort: (?P<dest_port>\d+)" nodrop
| parse regex field=_raw "(?i)Image: (?P<proc_image>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User: (?P<evt_user>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)CommandLine: (?P<cmd_line>[^\r\n]+)" nodrop
// Parse Sysmon registry event fields (Event ID 13)
| parse regex field=_raw "(?i)TargetObject: (?P<reg_key>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)Details: (?P<reg_value>[^\r\n]+)" nodrop
// Parse Sysmon DNS query fields (Event ID 22)
| parse regex field=_raw "(?i)QueryName: (?P<dns_query_name>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)QueryResults: (?P<query_results>[^\r\n]+)" nodrop
| if(!isNull(EventCode), EventCode, event_id) as sysmon_event_id
// Classify and filter events
| where
  (
    sysmon_event_id = "3"
    AND dest_port = "53"
    AND !isNull(dest_ip)
    AND dest_ip not in ("8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9")
    AND !isPrivateIP(dest_ip)
  )
  OR
  (
    sysmon_event_id = "13"
    AND !isNull(reg_key)
    AND reg_key matches /.*\\Services\\Tcpip\\Parameters.*/
    AND (
      reg_key matches /.*NameServer.*/
      OR reg_key matches /.*DhcpNameServer.*/
      OR reg_key matches /.*SearchList.*/
      OR reg_key matches /.*DhcpDomain.*/
    )
  )
| if(sysmon_event_id="3", "Rogue DNS Server Query",
    if(sysmon_event_id="13", "DNS Registry Config Changed", "DNS Query Resolved")) as indicator
| if(indicator="Rogue DNS Server Query", 1, 0) as rogue_server
| if(indicator="DNS Registry Config Changed", 1, 0) as config_change
| fields _messageTime, _sourceHost, evt_user, proc_image, cmd_line, dest_ip, dest_port, reg_key, reg_value, dns_query_name, query_results, indicator, rogue_server, config_change
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Collector with Sysmon (Installed Collector) Sumo Logic CSE Normalized Records Windows Event Log via Sumo Logic Agent

Required Tables

_sourceCategory matching windows/sysmon collectors

False Positives

Endpoints using enterprise DNS filtering appliances such as Cisco Umbrella's roaming client, Zscaler DNS proxy, or iboss that reroute DNS through local loopback or non-standard public IPs not in the exclusion list — isPrivateIP() only excludes RFC1918; additional exclusions may be needed for these agents' resolver IPs
Group Policy-driven DNS configuration deployments where SCCM or Intune writes NameServer or SearchList registry values to configure enterprise DNS search suffixes as part of normal endpoint management workflows
Docker Desktop or WSL2 on developer workstations that create virtual NICs with their own DNS resolver configurations, triggering DhcpNameServer registry writes when virtual adapters are initialized or network profiles switch

Google Chronicle / SecOps

yaral

rule t1584_002_dns_server_compromise {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1584.002 - DNS Server compromise via rogue DNS queries or DNS registry configuration changes"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584.002"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1584/002/"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"

  events:
    // Signal 1: Network connections to port 53 targeting non-authorized DNS resolvers
    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.target.port = 53
    not $net.target.ip = "8.8.8.8"
    not $net.target.ip = "8.8.4.4"
    not $net.target.ip = "1.1.1.1"
    not $net.target.ip = "1.0.0.1"
    not $net.target.ip = "9.9.9.9"
    not re.regex($net.target.ip, `^10\.`)
    not re.regex($net.target.ip, `^172\.(1[6-9]|2[0-9]|3[01])\.`)
    not re.regex($net.target.ip, `^192\.168\.`)
    not re.regex($net.target.ip, `^127\.`)

    // Signal 2: Registry modifications to Windows TCP/IP DNS configuration keys
    $reg.metadata.event_type = "REGISTRY_MODIFICATION"
    re.regex($reg.target.registry_key, `(?i).*\\Services\\Tcpip\\Parameters.*`)
    re.regex($reg.target.registry_value_name, `(?i)^(NameServer|DhcpNameServer|SearchList|DhcpDomain)$`)

  condition:
    $net or $reg
}

high severity medium confidence

Data Sources

Google Chronicle UDM Chronicle Forwarder with Windows Event Logs Chronicle Forwarder with Sysmon BindPlane or third-party Chronicle ingestion pipelines

Required Tables

UDM events table (network, registry event types)

False Positives

Organizations using public DNS resolvers beyond the five hardcoded IPs in the rule (e.g., Cloudflare for Teams 162.159.36.1, Quad9 variants 9.9.9.10/9.9.9.11, or ISP-assigned resolvers) will see high false-positive rates — the not $net.target.ip exclusions must be extended to cover all sanctioned resolvers before enabling alerting
Legitimate DHCP-driven DNS updates where the Windows DHCP client service (svchost.exe hosting Dhcp) writes DhcpNameServer and DhcpDomain values during normal lease acquisition; Chronicle UDM enrichment from the process context can help differentiate by checking principal.process.file.full_path
Remote IT management platforms (Ansible, SCCM, Tanium) executing DNS configuration remediation workflows that write NameServer values to Tcpip\Parameters\Interfaces as part of authorized remediation playbooks — suppression by principal.hostname patterns matching known management jump servers may be required

CrowdStrike LogScale (CQL)

cql

// Detection Part 1: Outbound DNS queries to non-authorized resolvers (Falcon NetworkConnectIP4)
#event_simpleName = "NetworkConnectIP4"
| RemotePort = 53
| RemoteAddressIP4 != /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
| RemoteAddressIP4 != /^172\.(1[6-9]|2[0-9]|3[01])\.\d{1,3}\.\d{1,3}$/
| RemoteAddressIP4 != /^192\.168\.\d{1,3}\.\d{1,3}$/
| RemoteAddressIP4 != /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/
| RemoteAddressIP4 != "8.8.8.8"
| RemoteAddressIP4 != "8.8.4.4"
| RemoteAddressIP4 != "1.1.1.1"
| RemoteAddressIP4 != "1.0.0.1"
| RemoteAddressIP4 != "9.9.9.9"
| indicator := "Rogue DNS Server Query"
| rename(field=FileName, as=ProcessName)
| table(
    columns=[_time, ComputerName, UserName, ProcessName, CommandLine,
             LocalAddressIP4, RemoteAddressIP4, RemotePort, indicator],
    limit=1000
  )

// Detection Part 2: DNS registry config changes (Falcon RegGenericValueUpdate) — run separately or union
// #event_simpleName = "RegGenericValueUpdate"
// | RegObjectName = /(?i).*\\Services\\Tcpip\\Parameters.*/
// | RegValueName = /(?i)^(NameServer|DhcpNameServer|SearchList|DhcpDomain)$/
// | indicator := "DNS Registry Config Changed"
// | rename(field=FileName, as=ProcessName)
// | table(
//     columns=[_time, ComputerName, UserName, ProcessName, CommandLine,
//              RegObjectName, RegValueName, RegStringValue, indicator],
//     limit=1000
//   )

| sort(field=_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (EDR) Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio/LogScale with Falcon event forwarding

Required Tables

NetworkConnectIP4 RegGenericValueUpdate DnsRequest

False Positives

Endpoints running local DNS resolver software such as dnscrypt-proxy, Pi-hole (if installed on endpoint), or systemd-resolved in forwarding mode that make outbound port 53 connections to non-standard upstream resolvers as part of their normal DNS resolution chain — these will appear as rogue DNS connections from the resolver process
CrowdStrike Falcon sensor's own DNS telemetry collection or CrowdStrike backend connectivity checks that make DNS queries to CrowdStrike infrastructure IPs may appear in NetworkConnectIP4 telemetry depending on sensor configuration and version
Security testing tools, network scanners (Nessus, Qualys, Rapid7), and pentest frameworks that probe remote TCP/UDP port 53 during authorized network discovery scans will generate high-volume matches against the rogue DNS detection branch

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1584.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1584Compromise Infrastructure

Related Sub-techniques

T1584.001Compromise Infrastructure: Domains T1584.003Virtual Private Server T1584.004Compromise Infrastructure: Server T1584.005Botnet T1584.006Web Services T1584.007Serverless T1584.008Network Devices

DNS Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections