T1584.002 Sumo Logic CSE · Sumo

Detect DNS Server in Sumo Logic CSE

Adversaries may compromise third-party DNS servers to support operations. By gaining control over DNS infrastructure, adversaries can alter DNS records to redirect organizational traffic, facilitate credential harvesting, or redirect users to adversary-controlled infrastructure mimicking legitimate services. This technique is used by threat actors including Sea Turtle and LAPSUS$, who modified NS records and DNS configurations to intercept traffic at scale. Unlike acquiring new DNS infrastructure (T1583.002), this involves compromising existing, trusted DNS servers — making detection harder due to the perceived legitimacy of the infrastructure.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1584 Compromise Infrastructure
Sub-technique: T1584.002 DNS Server
Canonical reference: https://attack.mitre.org/techniques/T1584/002/

Sumo Detection Query

Sumo Logic CSE (Sumo)

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*endpoint*)
| where EventCode in ("3","13","22") or event_id in ("3","13","22")
// Parse Sysmon network event fields (Event ID 3)
| parse regex field=_raw "(?i)DestinationIp: (?P<dest_ip>[\d.]+)" nodrop
| parse regex field=_raw "(?i)DestinationPort: (?P<dest_port>\d+)" nodrop
| parse regex field=_raw "(?i)Image: (?P<proc_image>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User: (?P<evt_user>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)CommandLine: (?P<cmd_line>[^\r\n]+)" nodrop
// Parse Sysmon registry event fields (Event ID 13)
| parse regex field=_raw "(?i)TargetObject: (?P<reg_key>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)Details: (?P<reg_value>[^\r\n]+)" nodrop
// Parse Sysmon DNS query fields (Event ID 22)
| parse regex field=_raw "(?i)QueryName: (?P<dns_query_name>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)QueryResults: (?P<query_results>[^\r\n]+)" nodrop
// Sysmon forwarded by different collectors exposes the ID as EventCode or event_id
| if(!isNull(EventCode), EventCode, event_id) as sysmon_event_id
// Classify and filter events
| where
  (
    // Port 53 connections to a resolver that is neither RFC1918 nor on the authorized list
    sysmon_event_id = "3"
    AND dest_port = "53"
    AND !isNull(dest_ip)
    AND dest_ip not in ("8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9")
    AND !isPrivateIP(dest_ip)
  )
  OR
  (
    // Writes to the DNS value names under Tcpip\Parameters (global key and per-interface subkeys)
    sysmon_event_id = "13"
    AND !isNull(reg_key)
    AND reg_key matches /.*\\Services\\Tcpip\\Parameters.*/
    AND (
      reg_key matches /.*NameServer.*/
      OR reg_key matches /.*DhcpNameServer.*/
      OR reg_key matches /.*SearchList.*/
      OR reg_key matches /.*DhcpDomain.*/
    )
  )
  OR
  (
    // Resolved queries are kept as correlation context for hits on the same host; this branch is
    // high volume, so drop it if the rule is used purely for alerting
    sysmon_event_id = "22"
    AND !isNull(dns_query_name)
    AND !isNull(query_results)
  )
| if(sysmon_event_id="3", "Rogue DNS Server Query",
    if(sysmon_event_id="13", "DNS Registry Config Changed", "DNS Query Resolved")) as indicator
| if(indicator="Rogue DNS Server Query", 1, 0) as rogue_server
| if(indicator="DNS Registry Config Changed", 1, 0) as config_change
| fields _messageTime, _sourceHost, evt_user, proc_image, cmd_line, dest_ip, dest_port, reg_key, reg_value, dns_query_name, query_results, indicator, rogue_server, config_change
| sort by _messageTime desc

Severity: High · Confidence: Medium

This Sumo Logic query targets Sysmon Event IDs 3 (NetworkConnect), 13 (RegistryValueSet) and 22 (DNSQuery) from Windows/Sysmon source categories. It uses regex field extraction to surface two signals: DNS traffic on port 53 to resolvers that are neither RFC1918 addresses nor on the authorized list, and registry writes to the DNS value names (NameServer, DhcpNameServer, SearchList, DhcpDomain) under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, including the per-interface subkeys. The isPrivateIP() built-in handles the RFC1918 exclusion only; public resolvers that your organization or its DNS-filtering agents legitimately use must be added to the explicit exclusion list.
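The same classification logic in Python, run over constructed Sysmon-style events, as an added example that is not the page's or Sumo Logic's code. It assumes each event carries an "EventID: n" line (a constructed format), mirrors isPrivateIP() with an explicit RFC1918 check, and takes the authorized-resolver set as a parameter so the tuning described under False Positives (adding a filtering agent's resolver IPs) can be exercised.

```python
import ipaddress
import re

# Resolvers the page's query lists as authorized; add filtering-agent resolver IPs here when tuning
AUTHORIZED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
# Value names under Tcpip\Parameters that the query's registry branch watches
DNS_VALUE_NAMES = ("NameServer", "DhcpNameServer", "SearchList", "DhcpDomain")
# Sumo's isPrivateIP() covers RFC1918 only, so mirror exactly that rather than ipaddress.is_private
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = {  # same key/value patterns as the query's 'parse regex ... nodrop' lines
    "event_id": r"EventID: (?P<v>\d+)",  # constructed field name, see lead-in
    "dest_ip": r"DestinationIp: (?P<v>[\d.]+)",
    "dest_port": r"DestinationPort: (?P<v>\d+)",
    "reg_key": r"TargetObject: (?P<v>[^\r\n]+)",
}

def parse_event(raw):
    """Extract fields like the query does; a field missing from the event becomes None (nodrop)."""
    out = {}
    for name, pattern in FIELD_RE.items():
        m = re.search(pattern, raw, re.IGNORECASE)
        out[name] = m.group("v") if m else None
    return out

def is_rfc1918(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # the [\d.]+ pattern can match a malformed address; treat it as not private
        return False
    return any(ip in net for net in RFC1918)

def classify(raw, authorized=AUTHORIZED_RESOLVERS):
    """Return the indicator the query would assign, or None when the event is filtered out."""
    f = parse_event(raw)
    if f["event_id"] == "3" and f["dest_port"] == "53" and f["dest_ip"]:
        if f["dest_ip"] not in authorized and not is_rfc1918(f["dest_ip"]):
            return "Rogue DNS Server Query"
    elif f["event_id"] == "13" and f["reg_key"]:
        if re.search(r"\\Services\\Tcpip\\Parameters", f["reg_key"]) and any(
                name in f["reg_key"] for name in DNS_VALUE_NAMES):
            return "DNS Registry Config Changed"
    return None

# Constructed Sysmon-style events (sample data, not real telemetry); 203.0.113.53 is a documentation address
SAMPLE_EVENTS = [
    "EventID: 3\r\nImage: C:\\Windows\\System32\\nslookup.exe\r\nDestinationIp: 203.0.113.53\r\nDestinationPort: 53",
    "EventID: 3\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nDestinationIp: 10.0.0.2\r\nDestinationPort: 53",
    "EventID: 3\r\nImage: C:\\Windows\\System32\\nslookup.exe\r\nDestinationIp: 8.8.8.8\r\nDestinationPort: 53",
    "EventID: 13\r\nImage: C:\\Windows\\System32\\reg.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}\\NameServer\r\nDetails: 127.0.0.1",
    "EventID: 13\r\nImage: C:\\Windows\\System32\\svchost.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces\\{GUID}\\DhcpIPAddress\r\nDetails: 10.0.0.5",
]

def run(events=SAMPLE_EVENTS, authorized=AUTHORIZED_RESOLVERS):
    return [classify(e, authorized) for e in events]
```

Calling run(authorized=set()) shows why the default exclusion list matters: the 8.8.8.8 event then fires too, which is the behaviour the Testing Methodology below relies on.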

Data Sources

  • Sumo Logic Collector with Sysmon (Installed Collector)
  • Sumo Logic CSE Normalized Records
  • Windows Event Log via Sumo Logic Agent

Required Tables

_sourceCategory matching windows/sysmon collectors

False Positives & Tuning

  • Endpoints using enterprise DNS filtering appliances such as Cisco Umbrella's roaming client, Zscaler DNS proxy, or iboss that reroute DNS through local loopback or non-standard public IPs not in the exclusion list — isPrivateIP() only excludes RFC1918; additional exclusions may be needed for these agents' resolver IPs
  • Group Policy-driven DNS configuration deployments where SCCM or Intune writes NameServer or SearchList registry values to configure enterprise DNS search suffixes as part of normal endpoint management workflows
  • Docker Desktop or WSL2 on developer workstations that create virtual NICs with their own DNS resolver configurations, triggering DhcpNameServer registry writes when virtual adapters are initialized or network profiles switch

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Configure Rogue DNS Server via Registry

    Expected signal: Sysmon Event ID 13 (Registry Value Set): TargetObject containing 'Tcpip\Parameters\Interfaces' and RegistryValueName 'NameServer', with Details '127.0.0.1', Image=reg.exe. Security Event ID 4657 (if object access auditing is enabled for registry). The initiating process reg.exe is unusual for a NameServer modification — legitimate changes come from svchost.exe (DHCP client).

  2. Test 2: Direct DNS Query to Rogue Resolver

    Expected signal: Sysmon Event ID 3 (Network Connection): DestinationIp=8.8.8.8, DestinationPort=53, Image=nslookup.exe. Sysmon Event ID 22 (DNS Query): QueryName=microsoft.com, Image=nslookup.exe. If 8.8.8.8 is not in the authorized DNS list, the query's Rogue DNS Server Query indicator fires. Note that the query above ships with 8.8.8.8 in its exclusion list, so remove it there for the duration of the test or the Event ID 3 row will be filtered out.

  3. Test 3: Modify DNS Server via PowerShell

    Expected signal: Sysmon Event ID 1 (Process Create): Image=powershell.exe, CommandLine containing 'Set-DnsClientServerAddress' and 'ServerAddresses'. Sysmon Event ID 13 (Registry Value Set): TargetObject under Tcpip\Parameters\Interfaces with NameServer value changed, Image=powershell.exe. PowerShell ScriptBlock Logging Event ID 4104 with full command content.

  4. Test 4: DNS Query to Multiple Non-Authorized Resolvers

    Expected signal: Three separate Sysmon Event ID 3 (Network Connection) events: DestinationPort=53 to 8.8.8.8, 1.1.1.1, and 9.9.9.9 respectively, Image=nslookup.exe. Three Sysmon Event ID 22 (DNS Query) events for example.com. Sysmon Event ID 1 for cmd.exe and nslookup.exe process creations. All three resolver addresses are in the query's default exclusion list, so this test only yields Rogue DNS Server Query hits once they are removed from it.
