title: Domains (T1583.001)
id: df00tech-t1583-001
status: experimental
description: "Adversaries may acquire domains to use during targeting. Domain names are acquired to support phishing campaigns, drive-by compromise delivery, and command and control infrastructure. Adversaries frequently register domains that visually resemble legitimate organizations using typosquatting, homoglyphs, internationalized domain names (IDNs), or different top-level domains. They may also acquire expired domains with pre-existing trust reputation. In cloud environments, adversaries with compromised credentials may use services like AWS Route53 to register domains and create hosted zones pointing to attacker-controlled infrastructure. Detection focuses on three pillars: (1) identifying queries to lookalike domains in DNS telemetry, (2) detecting cloud API calls that register or modify domain infrastructure in compromised environments, and (3) hunting for newly registered domains with structural similarity to organizational assets in network traffic."
references:
  - https://attack.mitre.org/techniques/T1583/001/
  - https://df00tech.com/detections/T1583.001
author: df00tech
date: 2026/03/13
tags:
  - attack.t1583.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legitimate third-party SaaS products that use hyphenated domain naming conventions (e.g., acme-login.vendor.com patterns)"
  - "Security awareness phishing simulation platforms (KnowBe4, Proofpoint Security Awareness) that register lookalike domains for training campaigns"
  - Development and QA environments that create DNS zones in Azure for staging domains that mirror production naming
  - "CDN and cloud provider subdomains that contain keywords like 'secure' or 'login' as part of legitimate infrastructure (e.g., secure.cdn-provider.com)"
  - "VPN and zero-trust vendors (Zscaler, Netskope, Cloudflare) whose traffic may resolve through domains containing security-related keywords"
level: medium