T1583

Acquire Infrastructure

This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.

Microsoft Sentinel / Defender

kusto

let HostingProviderASNs = dynamic([
    9009,   // M247 Europe SRL - frequently abused bulletproof hosting
    202448, // MVPS - known bulletproof hosting
    16276,  // OVH SAS
    14061,  // DigitalOcean LLC
    63949,  // Akamai Connected Cloud (Linode)
    24940,  // Hetzner Online GmbH
    51167,  // Contabo GmbH
    47583,  // Hostinger International
    60068,  // Datacamp Limited - residential proxy
    174,    // Cogent Communications
    3257    // GTT Communications
]);
let VPNKeywords = dynamic(["vpn", "tor", "proxy", "anonymizer", "hosting", "datacenter"]);
AADSignInLogs
| where TimeGenerated >= ago(24h)
| where ResultType == "0"
| where AutonomousSystemNumber in (HostingProviderASNs)
    or NetworkLocationDetails has_any (VPNKeywords)
    or RiskEventTypes_V2 has_any ("anonymizedIPAddress", "maliciousIPAddress")
| where IPAddress !in ("127.0.0.1", "::1", "0.0.0.0")
| summarize
    SignInCount = count(),
    UniqueSourceIPs = dcount(IPAddress),
    TargetApps = make_set(AppDisplayName, 10),
    ClientApps = make_set(ClientAppUsed, 5),
    LocationDetails = make_set(tostring(LocationDetails), 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, AutonomousSystemNumber, NetworkLocationDetails
| extend RiskScore = case(
    TargetApps has_any ("Azure Portal", "Microsoft Azure Management", "Azure Active Directory"), 9,
    UniqueSourceIPs > 5, 8,
    UniqueSourceIPs > 2, 6,
    SignInCount > 10, 5,
    4)
| where RiskScore >= 5
| project TimeGenerated = LastSeen, UserPrincipalName, RiskScore, SignInCount,
    UniqueSourceIPs, AutonomousSystemNumber, TargetApps, NetworkLocationDetails,
    FirstSeen, LastSeen
| sort by RiskScore desc, SignInCount desc

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID

Required Tables

AADSignInLogs

False Positives

Employees legitimately connecting via corporate-approved VPN services that share ASNs with commercial hosting providers
Remote developers or contractors using DigitalOcean, Hetzner, or OVH hosted jump boxes for legitimate administrative access
Automated service accounts or CI/CD pipelines running in cloud-hosted environments that authenticate to organizational APIs
Security researchers or penetration testers operating from known hosting providers during authorized engagements
Employees traveling internationally who use commercial VPN services that route through hosting provider IP ranges

Splunk

spl

index=windows sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648)
| eval src_ip=coalesce(IpAddress, Source_Network_Address)
| where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND isnotnull(src_ip)
| where NOT match(src_ip, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|fc00:|fe80:)")
| eval infra_category=case(
    match(src_ip, "^(185\.220\.|185\.209\.|45\.83\.|194\.165\.|146\.70\.)"), "known_tor_exit_or_proxy",
    match(src_ip, "^(167\.71\.|104\.248\.|68\.183\.|159\.65\.|138\.197\.)"), "digitalocean",
    match(src_ip, "^(95\.217\.|116\.202\.|135\.181\.|65\.109\.|5\.9\.)"), "hetzner",
    match(src_ip, "^(51\.77\.|51\.68\.|178\.32\.|54\.36\.|141\.95\.)"), "ovh",
    match(src_ip, "^(45\.32\.|66\.175\.|104\.156\.|207\.246\.)"), "vultr",
    match(src_ip, "^(194\.5\.|93\.115\.|92\.223\.)"), "m247_bulletproof",
    null())
| where isnotnull(infra_category)
| eval event_desc=case(
    EventCode=="4624", "Successful Logon",
    EventCode=="4625", "Failed Logon",
    EventCode=="4648", "Explicit Credential Logon",
    "Unknown")
| eval logon_type_desc=case(
    Logon_Type=="2", "Interactive",
    Logon_Type=="3", "Network",
    Logon_Type=="7", "Unlock",
    Logon_Type=="10", "RemoteInteractive",
    Logon_Type=="11", "CachedInteractive",
    Logon_Type)
| stats count as event_count,
    values(event_desc) as event_types,
    values(logon_type_desc) as logon_types,
    dc(src_ip) as unique_ips,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by Account_Name, infra_category, Workstation_Name
| where event_count >= 1
| eval threat_score=case(
    infra_category="known_tor_exit_or_proxy" AND event_count > 1, 9,
    infra_category="m247_bulletproof", 8,
    unique_ips > 3, 7,
    event_count > 10, 6,
    3)
| sort -threat_score
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(first_seen) ctime(last_seen)
| table Account_Name, infra_category, event_count, unique_ips, event_types, logon_types, threat_score, first_seen, last_seen

high severity medium confidence

Data Sources

Windows Security Event Log

Required Sourcetypes

WinEventLog:Security

False Positives

Remote workers connecting through commercial VPN services whose exit nodes share ranges with hosting providers
IT administrators using hosted jump boxes (DigitalOcean, Hetzner) for administrative tasks
Automated scripts or monitoring agents running on cloud VMs that authenticate to internal services
Security awareness testing using known proxy infrastructure
Contractors or vendors working from cloud-hosted development environments

Elastic Security (EQL)

eql

authentication where event.outcome in ("success", "failure")
  and not source.ip in ("127.0.0.1", "::1", "0.0.0.0")
  and not cidrMatch(source.ip, "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "fc00::/7", "fe80::/10")
  and (
    cidrMatch(source.ip, "185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16", "194.165.0.0/16", "146.70.0.0/16") or
    cidrMatch(source.ip, "167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "159.65.0.0/16", "138.197.0.0/16") or
    cidrMatch(source.ip, "95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16", "5.9.0.0/16") or
    cidrMatch(source.ip, "51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16", "54.36.0.0/16", "141.95.0.0/16") or
    cidrMatch(source.ip, "45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16", "207.246.0.0/16") or
    cidrMatch(source.ip, "194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16")
  )

high severity medium confidence

Data Sources

Elastic SIEM / Elastic Security Windows Security Event Logs (via Elastic Agent or Winlogbeat) Azure AD / Okta authentication logs via Elastic integrations Network flow data enriched with source IP

Required Tables

logs-system.security* logs-windows.forwarded* .ds-logs-endpoint.events.authentication* logs-azure.signinlogs*

False Positives

Legitimate remote employees or contractors using commercial VPN services (e.g., NordVPN, ExpressVPN) whose exit nodes fall in DigitalOcean or Hetzner IP ranges — common for privacy-conscious workers in high-censorship regions.
Automated CI/CD pipelines or DevOps tooling hosted on cloud providers (GitHub Actions runners, GitLab CI, CircleCI) that authenticate against internal systems from OVH or DigitalOcean egress IPs.
Vendor or third-party managed services that host their infrastructure on VPS providers and authenticate via service accounts — particularly common with offshore managed security providers.
IT administrators using jump hosts or bastion servers provisioned in cloud providers to manage remote infrastructure, generating authentication events from VPS IP ranges.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  CATEGORYNAME(category) AS event_category,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source,
  CASE
    WHEN sourceip BETWEEN LONG('185.220.0.0') AND LONG('185.220.255.255') THEN 'known_tor_exit_or_proxy'
    WHEN sourceip BETWEEN LONG('185.209.0.0') AND LONG('185.209.255.255') THEN 'known_tor_exit_or_proxy'
    WHEN sourceip BETWEEN LONG('45.83.0.0') AND LONG('45.83.255.255') THEN 'known_tor_exit_or_proxy'
    WHEN sourceip BETWEEN LONG('167.71.0.0') AND LONG('167.71.255.255') THEN 'digitalocean'
    WHEN sourceip BETWEEN LONG('104.248.0.0') AND LONG('104.248.255.255') THEN 'digitalocean'
    WHEN sourceip BETWEEN LONG('68.183.0.0') AND LONG('68.183.255.255') THEN 'digitalocean'
    WHEN sourceip BETWEEN LONG('138.197.0.0') AND LONG('138.197.255.255') THEN 'digitalocean'
    WHEN sourceip BETWEEN LONG('95.217.0.0') AND LONG('95.217.255.255') THEN 'hetzner'
    WHEN sourceip BETWEEN LONG('116.202.0.0') AND LONG('116.202.255.255') THEN 'hetzner'
    WHEN sourceip BETWEEN LONG('135.181.0.0') AND LONG('135.181.255.255') THEN 'hetzner'
    WHEN sourceip BETWEEN LONG('65.109.0.0') AND LONG('65.109.255.255') THEN 'hetzner'
    WHEN sourceip BETWEEN LONG('51.77.0.0') AND LONG('51.77.255.255') THEN 'ovh'
    WHEN sourceip BETWEEN LONG('51.68.0.0') AND LONG('51.68.255.255') THEN 'ovh'
    WHEN sourceip BETWEEN LONG('178.32.0.0') AND LONG('178.32.255.255') THEN 'ovh'
    WHEN sourceip BETWEEN LONG('45.32.0.0') AND LONG('45.32.255.255') THEN 'vultr'
    WHEN sourceip BETWEEN LONG('66.175.0.0') AND LONG('66.175.255.255') THEN 'vultr'
    WHEN sourceip BETWEEN LONG('104.156.0.0') AND LONG('104.156.255.255') THEN 'vultr'
    WHEN sourceip BETWEEN LONG('194.5.0.0') AND LONG('194.5.255.255') THEN 'm247_bulletproof'
    WHEN sourceip BETWEEN LONG('93.115.0.0') AND LONG('93.115.255.255') THEN 'm247_bulletproof'
    WHEN sourceip BETWEEN LONG('92.223.0.0') AND LONG('92.223.255.255') THEN 'm247_bulletproof'
    ELSE 'unknown'
  END AS infra_category,
  COUNT(*) AS event_count,
  COUNT(DISTINCT sourceip) AS unique_source_ips
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 253, 352)
  AND category IN (5000, 5001, 5002, 5003)
  AND starttime > NOW() - 86400000
  AND username IS NOT NULL
  AND username != '-'
  AND username != 'ANONYMOUS LOGON'
  AND NOT (sourceip BETWEEN LONG('10.0.0.0') AND LONG('10.255.255.255'))
  AND NOT (sourceip BETWEEN LONG('192.168.0.0') AND LONG('192.168.255.255'))
  AND NOT (sourceip BETWEEN LONG('172.16.0.0') AND LONG('172.31.255.255'))
  AND NOT sourceip IN (LONG('127.0.0.1'))
GROUP BY username, infra_category, sourceip
HAVING
  infra_category != 'unknown'
  AND event_count >= 1
ORDER BY
  CASE infra_category
    WHEN 'm247_bulletproof' THEN 1
    WHEN 'known_tor_exit_or_proxy' THEN 2
    WHEN 'digitalocean' THEN 3
    WHEN 'hetzner' THEN 4
    WHEN 'ovh' THEN 5
    WHEN 'vultr' THEN 6
    ELSE 7
  END ASC,
  event_count DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Logs (EventCode 4624, 4625, 4648) via QRadar WinCollect or Syslog Active Directory / LDAP authentication events Network authentication flows

Required Tables

events

False Positives

Security researchers or red team operators using VPS instances for legitimate authorized penetration testing — these should be documented in a known-good IP allowlist maintained by the security team.
Remote workers routing through corporate VPN concentrators hosted in cloud providers (DigitalOcean, OVH, Hetzner) — common for organizations using cloud-hosted VPN gateways rather than on-premises appliances.
Automated monitoring or alerting systems hosted in cloud environments that authenticate to on-premises resources to pull metrics or push alerts — service account authentication from cloud-hosted monitoring agents.

Sumo Logic CSE

sql

_sourceCategory="windows/security" ("EventCode=4624" OR "EventCode=4625" OR "EventCode=4648")
| parse "EventCode=*\n" as event_code
| parse "Account Name:\t*\n" as account_name nodrop
| parse "Account Name:\t\t*\n" as account_name nodrop
| parse "Network Information:\n\t\tWorkstation Name:\t*\n" as workstation_name nodrop
| parse "Network Information:\n\t\tSource Network Address:\t*\n" as src_ip nodrop
| parse "Source Network Address:\t*\n" as src_ip nodrop
| where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND !isNull(src_ip)
| where !(src_ip matches "10.*" OR src_ip matches "192.168.*" OR src_ip matches "172.16.*" OR src_ip matches "172.17.*" OR src_ip matches "172.18.*" OR src_ip matches "172.19.*" OR src_ip matches "172.20.*" OR src_ip matches "172.21.*" OR src_ip matches "172.22.*" OR src_ip matches "172.23.*" OR src_ip matches "172.24.*" OR src_ip matches "172.25.*" OR src_ip matches "172.26.*" OR src_ip matches "172.27.*" OR src_ip matches "172.28.*" OR src_ip matches "172.29.*" OR src_ip matches "172.30.*" OR src_ip matches "172.31.*")
| eval infra_category = if(src_ip matches "185.220.*" OR src_ip matches "185.209.*" OR src_ip matches "45.83.*", "known_tor_exit_or_proxy",
    if(src_ip matches "167.71.*" OR src_ip matches "104.248.*" OR src_ip matches "68.183.*" OR src_ip matches "159.65.*" OR src_ip matches "138.197.*", "digitalocean",
    if(src_ip matches "95.217.*" OR src_ip matches "116.202.*" OR src_ip matches "135.181.*" OR src_ip matches "65.109.*" OR src_ip matches "5.9.*", "hetzner",
    if(src_ip matches "51.77.*" OR src_ip matches "51.68.*" OR src_ip matches "178.32.*" OR src_ip matches "54.36.*" OR src_ip matches "141.95.*", "ovh",
    if(src_ip matches "45.32.*" OR src_ip matches "66.175.*" OR src_ip matches "104.156.*" OR src_ip matches "207.246.*", "vultr",
    if(src_ip matches "194.5.*" OR src_ip matches "93.115.*" OR src_ip matches "92.223.*", "m247_bulletproof", "unknown"))))))
| where infra_category != "unknown"
| eval event_desc = if(event_code == "4624", "Successful Logon",
    if(event_code == "4625", "Failed Logon",
    if(event_code == "4648", "Explicit Credential Logon", "Unknown")))
| eval threat_score = if(infra_category == "known_tor_exit_or_proxy", 9,
    if(infra_category == "m247_bulletproof", 8,
    if(infra_category == "digitalocean", 6,
    if(infra_category == "hetzner", 6,
    if(infra_category == "ovh", 5,
    if(infra_category == "vultr", 5, 3))))))
| stats count as event_count,
    values(event_desc) as event_types,
    values(src_ip) as source_ips,
    min(_messageTime) as first_seen,
    max(_messageTime) as last_seen
    by account_name, infra_category, workstation_name, threat_score
| where event_count >= 1 AND account_name != "ANONYMOUS LOGON" AND !isNull(account_name)
| sort by threat_score desc, event_count desc
| formatDate(toLong(first_seen), "yyyy-MM-dd HH:mm:ss") as first_seen_fmt
| formatDate(toLong(last_seen), "yyyy-MM-dd HH:mm:ss") as last_seen_fmt
| fields account_name, infra_category, event_count, source_ips, event_types, threat_score, first_seen_fmt, last_seen_fmt, workstation_name

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Security Event Logs collected via Sumo Logic Installed Collector or Windows Event Log Source Active Directory domain controller security logs Sumo Logic CSE normalized authentication schema

Required Tables

_sourceCategory=windows/security

False Positives

Employees using commercial VPN services with exit nodes in DigitalOcean or Hetzner ranges — particularly prevalent among staff in regions with internet censorship or those using privacy tools for legitimate personal security.
Automated backup or synchronization agents deployed on cloud VPS instances that authenticate to on-premises Active Directory to access shared file resources or databases.
Software-as-a-Service vendors whose integration platforms are hosted on OVH or Vultr and authenticate against customer directories using SAML federation or OAuth — the source IP may appear as a VPS range.

Google Chronicle / SecOps

yaral

rule t1583_acquire_infrastructure_hosting_asn_auth {
  meta:
    author = "Detection Engineering"
    description = "Detects authentication events originating from IP ranges associated with adversary-acquired infrastructure including bulletproof hosting, VPS providers, and Tor exit node ranges. Covers T1583 PRE-ATT&CK infrastructure acquisition indicators observable in authentication telemetry."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583"
    mitre_attack_sub_technique = "T1583.003, T1583.006"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2024-01-01"
    reference = "https://attack.mitre.org/techniques/T1583/"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.principal.ip != "127.0.0.1"
    $auth.principal.ip != "0.0.0.0"
    not net.ip_in_range_cidr($auth.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($auth.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($auth.principal.ip, "172.16.0.0/12")
    (
      // Known Tor exit nodes and proxy infrastructure
      net.ip_in_range_cidr($auth.principal.ip, "185.220.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "185.209.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "45.83.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "194.165.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "146.70.0.0/16") or
      // DigitalOcean
      net.ip_in_range_cidr($auth.principal.ip, "167.71.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "104.248.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "68.183.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "159.65.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "138.197.0.0/16") or
      // Hetzner Online GmbH
      net.ip_in_range_cidr($auth.principal.ip, "95.217.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "116.202.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "135.181.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "65.109.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "5.9.0.0/16") or
      // OVH SAS
      net.ip_in_range_cidr($auth.principal.ip, "51.77.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "51.68.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "178.32.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "54.36.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "141.95.0.0/16") or
      // Vultr
      net.ip_in_range_cidr($auth.principal.ip, "45.32.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "66.175.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "104.156.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "207.246.0.0/16") or
      // M247 bulletproof hosting
      net.ip_in_range_cidr($auth.principal.ip, "194.5.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "93.115.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "92.223.0.0/16")
    )
    $auth.target.user.userid != ""
    $auth.target.user.userid != /ANONYMOUS.*/

  match:
    $auth.target.user.userid over 1h

  outcome:
    $risk_score = max(
      if(net.ip_in_range_cidr($auth.principal.ip, "185.220.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "185.209.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "194.5.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "93.115.0.0/16"), 90,
      if(net.ip_in_range_cidr($auth.principal.ip, "167.71.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "104.248.0.0/16"), 70, 55))
    )
    $event_count = count_distinct($auth.metadata.id)
    $unique_ips = count_distinct($auth.principal.ip)
    $target_user = $auth.target.user.userid
    $src_ip = array_distinct($auth.principal.ip)

  condition:
    $auth
}

high severity medium confidence

Data Sources

Google Chronicle SIEM UDM USER_LOGIN events from Windows Active Directory Azure AD / Google Workspace identity logs ingested into Chronicle Chronicle Unified Data Model (UDM) normalized authentication telemetry

Required Tables

UDM USER_LOGIN events

False Positives

Employees or contractors who work from regions where commercial VPN use is common for privacy or censorship circumvention, with VPN exit nodes assigned to DigitalOcean or Hetzner IP ranges — create a reference list of authorized VPN provider ASNs and exclude after HR verification.
Cloud-hosted monitoring or ITSM platforms (e.g., PagerDuty, ServiceNow integrations) that authenticate inbound to the environment using service accounts from VPS-hosted integration layers — these should be allowlisted by service account name.
Offshore development or managed services vendors who provision their build and deployment systems on OVH or Vultr infrastructure — authentication from these sources should be documented in vendor agreements and excluded from alerting.

CrowdStrike LogScale (CQL)

cql

#event_simpleName = UserLogon OR #event_simpleName = UserLogonFailed OR #event_simpleName = UserLogonFailed2
| RemoteAddressIP4 = *
| RemoteAddressIP4 != "127.0.0.1"
| RemoteAddressIP4 != "0.0.0.0"
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"])
| eval infra_category = case(
    cidrMatch(field=RemoteAddressIP4, subnet=["185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16", "194.165.0.0/16", "146.70.0.0/16"]), "known_tor_exit_or_proxy",
    cidrMatch(field=RemoteAddressIP4, subnet=["167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "159.65.0.0/16", "138.197.0.0/16"]), "digitalocean",
    cidrMatch(field=RemoteAddressIP4, subnet=["95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16", "5.9.0.0/16"]), "hetzner",
    cidrMatch(field=RemoteAddressIP4, subnet=["51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16", "54.36.0.0/16", "141.95.0.0/16"]), "ovh",
    cidrMatch(field=RemoteAddressIP4, subnet=["45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16", "207.246.0.0/16"]), "vultr",
    cidrMatch(field=RemoteAddressIP4, subnet=["194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16"]), "m247_bulletproof",
    "unknown")
| infra_category != "unknown"
| eval threat_score = case(
    infra_category = "known_tor_exit_or_proxy", 9,
    infra_category = "m247_bulletproof", 8,
    infra_category = "digitalocean", 6,
    infra_category = "hetzner", 6,
    infra_category = "ovh", 5,
    infra_category = "vultr", 5,
    3)
| groupBy([UserName, infra_category, ComputerName, threat_score], function=[
    count(as=event_count),
    count(RemoteAddressIP4, distinct=true, as=unique_source_ips),
    collect(RemoteAddressIP4, limit=10, as=source_ip_list),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen)
  ])
| UserName != ""
| UserName != /(?i)anonymous/
| sort(threat_score, order=desc)
| sort(event_count, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon platform CrowdStrike Falcon sensor authentication telemetry (UserLogon, UserLogonFailed events) CrowdStrike Identity Protection (Falcon Identity Threat Detection) authentication events Windows logon telemetry collected by Falcon sensor

Required Tables

UserLogon UserLogonFailed UserLogonFailed2

False Positives

Corporate users connecting through their organization's cloud-hosted VPN concentrators on DigitalOcean or Hetzner — the Falcon sensor records the VPN egress IP as the remote address, which may match hosting provider ranges even for legitimate authenticated sessions.
Security operations center analysts using cloud-hosted jump hosts or security tooling platforms (SAST scanners, vulnerability managers) running on OVH or Vultr that initiate authenticated sessions to managed endpoints.
Legitimate IT contractors working remotely from their own infrastructure hosted on VPS providers — especially common in MSP/MSSP environments where engineers manage customer systems from cloud-based RMM platforms on Vultr or OVH.

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Acquire Infrastructure

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (8)

Same Tactic: Resource Development

Popular Detections