title: "Compromise Infrastructure: Domains (T1584.001)"
id: df00tech-t1584-001
status: experimental
description: "Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking involves changing the registration of a domain name without the original registrant's permission. Adversaries may gain access to the registrant's email account, social engineer registrar help desks, exploit renewal gaps, or compromise cloud services that manage DNS (e.g., AWS Route53, Azure DNS). Subdomain hijacking occurs when DNS entries point to non-existent or deprovisioned resources, allowing an adversary to take control of the subdomain. Domain shadowing involves creating malicious subdomains under a compromised domain while keeping existing DNS records intact, allowing the malicious subdomains to go unnoticed for extended periods."
references:
  - https://attack.mitre.org/techniques/T1584/001/
  - https://df00tech.com/detections/T1584.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1584.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate infrastructure changes by DNS administrators adding new subdomains for new services or deployments
  - CDN or cloud service onboarding that creates new CNAME records pointing to provider infrastructure
  - "Automated certificate validation records (ACME _acme-challenge TXT records) created by Let's Encrypt or similar CAs"
  - "Marketing or business development activities registering new subdomains for campaigns, microsites, or partner portals"
  - Cloud migration projects that temporarily create new DNS records pointing to new infrastructure while decommissioning old ones
level: high