T1583.003

Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) to stage malicious infrastructure including command-and-control (C2) servers, phishing pages, payload delivery endpoints, and exfiltration destinations. VPS providers offer rapid provisioning, geographic flexibility, and—when chosen carefully—minimal registration requirements, making attribution difficult. Because VPS-hosted IPs typically carry commercial hosting ASN reputation rather than residential or known-malicious reputation, they can evade naive geo-blocking and ASN-based controls. Real-world actors documented using this technique include Gamaredon, APT28, LAPSUS$, Ember Bear (GRU Unit 29155), HAFNIUM, APT42, Moonstone Sleet, and Contagious Interview. Detection from a defender perspective focuses on three observable effects: outbound C2 beaconing FROM compromised endpoints TO VPS-hosted IPs, inbound attack traffic (scanning, exploit delivery, phishing redirectors) FROM VPS IP ranges, and identity-based signals such as authentication attempts from datacenter IP space. Because T1583.003 is a Resource Development technique (TA0042), it is not directly observable on victim endpoints—detection is necessarily inferential, relying on behavioral patterns that betray VPS-based infrastructure in use.

Microsoft Sentinel / Defender

kusto

// T1583.003 — Virtual Private Server: Detect C2 beaconing to VPS-hosted infrastructure
// Identifies non-browser processes making high-frequency repetitive outbound connections,
// enriched with Threat Intelligence indicator matches where available.
let ExcludedBrowsers = dynamic([
  "chrome.exe", "firefox.exe", "msedge.exe", "microsoftedgecp.exe",
  "iexplore.exe", "brave.exe", "opera.exe", "safari.exe", "waterfox.exe"
]);
let ExcludedSystemProcesses = dynamic([
  "svchost.exe", "wuauclt.exe", "trustedinstaller.exe", "msiexec.exe",
  "MsMpEng.exe", "ccmexec.exe", "onedrive.exe", "teams.exe"
]);
let BeaconMinConnections = 12;
let ObservationWindowMinutes = 60;
// Step 1: Find non-browser processes with high-frequency outbound public connections
let BeaconingCandidates = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "NetworkSignatureInspected")
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (ExcludedBrowsers)
| where InitiatingProcessFileName !in~ (ExcludedSystemProcesses)
| summarize
    ConnectionCount = count(),
    UniqueRemotePorts = dcount(RemotePort),
    RemotePorts = make_set(RemotePort, 5),
    TotalBytesSent = sum(SentBytes),
    TotalBytesReceived = sum(ReceivedBytes),
    FirstConnection = min(Timestamp),
    LastConnection = max(Timestamp)
  by DeviceName, AccountName, InitiatingProcessFileName,
     InitiatingProcessCommandLine, RemoteIP,
     bin(Timestamp, totimespan(strcat(tostring(ObservationWindowMinutes), "m")))
| where ConnectionCount >= BeaconMinConnections;
// Step 2: Enrich with Threat Intelligence indicators
BeaconingCandidates
| join kind=leftouter (
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(7d)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by NetworkIP
    | project TINetworkIP = NetworkIP, ThreatType, TIConfidence = ConfidenceScore,
              TIDescription = Description, TIActive = Active
    | where TIActive == true
) on $left.RemoteIP == $right.TINetworkIP
| extend IsTIMatch = isnotempty(TINetworkIP)
| extend ConnectionsPerMinute = round(todouble(ConnectionCount) / ObservationWindowMinutes, 2)
| extend ByteRatio = iif(TotalBytesReceived > 0,
    round(todouble(TotalBytesSent) / todouble(TotalBytesReceived), 2), real(0))
| extend RiskScore = case(
    IsTIMatch and ConnectionCount >= 20, 95,
    IsTIMatch and ConnectionCount >= BeaconMinConnections, 80,
    IsTIMatch, 65,
    ConnectionCount >= 30 and UniqueRemotePorts <= 1, 60,
    ConnectionCount >= 20 and UniqueRemotePorts <= 2, 45,
    ConnectionCount >= BeaconMinConnections, 30,
    20
)
| project
    Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    RemoteIP, ConnectionCount, ConnectionsPerMinute,
    UniqueRemotePorts, RemotePorts,
    TotalBytesSent, TotalBytesReceived, ByteRatio,
    IsTIMatch, ThreatType, TIConfidence, TIDescription,
    RiskScore
| sort by RiskScore desc, ConnectionCount desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint — DeviceNetworkEvents Microsoft Sentinel — ThreatIntelligenceIndicator

Required Tables

DeviceNetworkEvents ThreatIntelligenceIndicator

False Positives

Software update agents (e.g., Google Update, Adobe Updater, Zoom updater) that periodically poll VPS-hosted CDN endpoints — mitigate by adding their process names to the exclusion list
Monitoring and observability agents (Datadog, Splunk UF, Elastic Agent, SolarWinds) that beacon frequently to cloud-hosted collection endpoints on fixed intervals
Endpoint security agents (CrowdStrike, Carbon Black, SentinelOne) that maintain persistent cloud connections with regular heartbeat patterns
Business applications with embedded telemetry or license validation that periodically connect to vendor-hosted VPS infrastructure
Developer workstations where IDEs, CLIs, or containers make repeated API calls to cloud development services hosted on VPS infrastructure

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationIp="10.*"
     OR DestinationIp="172.16.*" OR DestinationIp="172.17.*" OR DestinationIp="172.18.*"
     OR DestinationIp="172.19.*" OR DestinationIp="172.20.*" OR DestinationIp="172.21.*"
     OR DestinationIp="172.22.*" OR DestinationIp="172.23.*" OR DestinationIp="172.24.*"
     OR DestinationIp="172.25.*" OR DestinationIp="172.26.*" OR DestinationIp="172.27.*"
     OR DestinationIp="172.28.*" OR DestinationIp="172.29.*" OR DestinationIp="172.30.*"
     OR DestinationIp="172.31.*"
     OR DestinationIp="192.168.*"
     OR DestinationIp="127.*"
     OR DestinationIp="::1"
     OR DestinationIp="169.254.*")
NOT (Image="*\\chrome.exe"
     OR Image="*\\firefox.exe"
     OR Image="*\\msedge.exe"
     OR Image="*\\MicrosoftEdgeCP.exe"
     OR Image="*\\iexplore.exe"
     OR Image="*\\brave.exe"
     OR Image="*\\opera.exe"
     OR Image="*\\svchost.exe"
     OR Image="*\\MsMpEng.exe"
     OR Image="*\\wuauclt.exe"
     OR Image="*\\TrustedInstaller.exe"
     OR Image="*\\teams.exe"
     OR Image="*\\OneDrive.exe")
| bin _time span=1h
| stats
    count as ConnectionCount,
    dc(DestinationPort) as UniqueDestPorts,
    values(DestinationPort) as DestPorts,
    dc(DestinationIp) as UniqueDestIPs,
    earliest(_time) as FirstSeen,
    latest(_time) as LastSeen
  by _time, host, User, Image, CommandLine, DestinationIp
| where ConnectionCount >= 12
| eval ConnectionsPerMinute=round(ConnectionCount / 60.0, 2)
| eval BeaconRisk=case(
    ConnectionCount >= 50 AND UniqueDestPorts <= 1, "CRITICAL - Highly Regular Single-Port Beaconing",
    ConnectionCount >= 30 AND UniqueDestPorts <= 2, "HIGH - Low Port Variance Repetitive Connections",
    ConnectionCount >= 20, "MEDIUM - Elevated Outbound Connection Frequency",
    ConnectionCount >= 12, "LOW - Above Threshold Outbound Frequency",
    1=1, "INFO")
| where BeaconRisk != "INFO"
| eval RiskScore=case(
    match(BeaconRisk, "CRITICAL"), 4,
    match(BeaconRisk, "HIGH"), 3,
    match(BeaconRisk, "MEDIUM"), 2,
    1)
| table _time, host, User, Image, CommandLine, DestinationIp, ConnectionCount,
        ConnectionsPerMinute, UniqueDestPorts, DestPorts, BeaconRisk, RiskScore
| sort - RiskScore, - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Sysmon Event ID 3 (Network Connection)

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Software telemetry and update agents making periodic check-ins to cloud endpoints on fixed intervals — add process names to the NOT IMAGE exclusion block
Monitoring agents (Splunk UF, Elastic, Datadog, Zabbix) maintaining persistent heartbeat connections to cloud-hosted collection infrastructure
Remote access or VPN clients (GlobalProtect, AnyConnect) that keep persistent tunnels alive with regular keepalive packets
CI/CD tooling (Jenkins agents, GitLab runners) on developer systems that poll cloud-hosted build infrastructure at regular intervals
Backup agents (Veeam, Acronis, Commvault) performing scheduled incremental syncs to cloud storage endpoints on VPS infrastructure

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:00:00') AS WindowStart,
  sourceip AS EndpointIP,
  username AS AccountName,
  "Application" AS ProcessImage,
  destinationip AS DestinationIP,
  COUNT(*) AS ConnectionCount,
  COUNT(DISTINCT destinationport) AS UniqueDestPorts,
  MIN(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss')) AS FirstSeen,
  MAX(DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss')) AS LastSeen,
  ROUND(COUNT(*) / 60.0, 2) AS ConnectionsPerMinute,
  CASE
    WHEN COUNT(*) >= 50 AND COUNT(DISTINCT destinationport) <= 1
      THEN 'CRITICAL - Highly Regular Single-Port Beaconing'
    WHEN COUNT(*) >= 30 AND COUNT(DISTINCT destinationport) <= 2
      THEN 'HIGH - Low Port Variance Repetitive Connections'
    WHEN COUNT(*) >= 20
      THEN 'MEDIUM - Elevated Outbound Connection Frequency'
    ELSE 'LOW - Above Threshold Outbound Frequency'
  END AS BeaconRisk
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%Sysmon%'
  AND QIDNAME(qid) ILIKE '%Network connection%'
  AND destinationip NOT LIKE '10.%'
  AND destinationip NOT LIKE '172.16.%'
  AND destinationip NOT LIKE '172.17.%'
  AND destinationip NOT LIKE '172.18.%'
  AND destinationip NOT LIKE '172.19.%'
  AND destinationip NOT LIKE '172.20.%'
  AND destinationip NOT LIKE '172.21.%'
  AND destinationip NOT LIKE '172.22.%'
  AND destinationip NOT LIKE '172.23.%'
  AND destinationip NOT LIKE '172.24.%'
  AND destinationip NOT LIKE '172.25.%'
  AND destinationip NOT LIKE '172.26.%'
  AND destinationip NOT LIKE '172.27.%'
  AND destinationip NOT LIKE '172.28.%'
  AND destinationip NOT LIKE '172.29.%'
  AND destinationip NOT LIKE '172.30.%'
  AND destinationip NOT LIKE '172.31.%'
  AND destinationip NOT LIKE '192.168.%'
  AND destinationip NOT LIKE '127.%'
  AND destinationip NOT LIKE '169.254.%'
  AND "Application" NOT ILIKE '%chrome.exe'
  AND "Application" NOT ILIKE '%firefox.exe'
  AND "Application" NOT ILIKE '%msedge.exe'
  AND "Application" NOT ILIKE '%MicrosoftEdgeCP.exe'
  AND "Application" NOT ILIKE '%iexplore.exe'
  AND "Application" NOT ILIKE '%brave.exe'
  AND "Application" NOT ILIKE '%opera.exe'
  AND "Application" NOT ILIKE '%svchost.exe'
  AND "Application" NOT ILIKE '%MsMpEng.exe'
  AND "Application" NOT ILIKE '%wuauclt.exe'
  AND "Application" NOT ILIKE '%TrustedInstaller.exe'
  AND "Application" NOT ILIKE '%msiexec.exe'
  AND "Application" NOT ILIKE '%teams.exe'
  AND "Application" NOT ILIKE '%OneDrive.exe'
  AND starttime >= NOW() - 24 HOURS
GROUP BY
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:00:00'),
  sourceip,
  username,
  "Application",
  destinationip
HAVING COUNT(*) >= 12
ORDER BY ConnectionCount DESC
LAST 24 HOURS

medium severity medium confidence

Data Sources

Microsoft Windows Sysmon (Event ID 3 - Network Connection) Windows Security Event Log forwarded via WinCollect or Syslog QRadar Network Flows (supplemental enrichment)

Required Tables

events (Sysmon DSM or Windows Log Source Type) flows (optional for byte-ratio enrichment)

False Positives

Vulnerability scanners (Tenable Nessus, Qualys scanner agent, Rapid7 InsightVM) generate large volumes of outbound connections from a single process to many IPs; these would scatter across destinations but the scanner process itself should be excluded by name or source IP.
Backup clients (Veeam, Acronis, Commvault) perform sustained high-frequency connections to cloud backup endpoints during backup windows; baseline scheduled backup times and exclude known backup process names and destination IP ranges.
Software deployment tools and patch management agents (PDQ Deploy, ManageEngine Desktop Central) connect repeatedly to distribution servers during patch cycles; correlate with change management windows to suppress.

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* EventCode=3
| where !isNull(DestinationIp)
| where !matches(DestinationIp, /^10\./) 
  AND !matches(DestinationIp, /^172\.(1[6-9]|2[0-9]|3[01])\./)
  AND !matches(DestinationIp, /^192\.168\./)
  AND !matches(DestinationIp, /^127\./)
  AND !matches(DestinationIp, /^169\.254\./)
  AND DestinationIp != "::1"
| where !matches(Image, /(?i)(chrome|firefox|msedge|MicrosoftEdgeCP|iexplore|brave|opera|safari|waterfox|svchost|MsMpEng|wuauclt|TrustedInstaller|msiexec|teams|OneDrive|ccmexec)\.exe$/)
| timeslice 1h
| count as ConnectionCount, count_distinct(DestinationPort) as UniqueDestPorts, values(DestinationPort) as DestPorts by _timeslice, Computer, User, Image, CommandLine, DestinationIp
| where ConnectionCount >= 12
| toDouble(ConnectionCount) as ConnDbl
| eval ConnectionsPerMinute = round(ConnDbl / 60, 2)
| if (ConnectionCount >= 50 AND UniqueDestPorts <= 1, "CRITICAL - Highly Regular Single-Port Beaconing",
    if (ConnectionCount >= 30 AND UniqueDestPorts <= 2, "HIGH - Low Port Variance Repetitive Connections",
      if (ConnectionCount >= 20, "MEDIUM - Elevated Outbound Connection Frequency",
        "LOW - Above Threshold Outbound Frequency"))) as BeaconRisk
| if (matches(BeaconRisk, "CRITICAL"), 4,
    if (matches(BeaconRisk, "HIGH"), 3,
      if (matches(BeaconRisk, "MEDIUM"), 2, 1))) as RiskScore
| fields _timeslice, Computer, User, Image, CommandLine, DestinationIp, ConnectionCount, ConnectionsPerMinute, UniqueDestPorts, DestPorts, BeaconRisk, RiskScore
| sort by RiskScore, ConnectionCount

medium severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (Event ID 3) Sumo Logic Cloud SIEM Enterprise normalized network events

Required Tables

Sysmon operational log (_sourceCategory=*windows*sysmon*) Cloud SIEM normalized schema (network_traffic records)

False Positives

Legitimate SaaS application sync clients (Dropbox, Box, SharePoint sync) make high-frequency keepalive connections to cloud endpoints; baseline known sync client process names and their associated destination CIDR ranges and exclude from this rule.
Database connection pool clients (Java JDBC, .NET SqlClient, Python psycopg2) cycling connections to cloud-hosted RDS or managed database endpoints appear as repeated same-destination bursts; exclude known DB client process names and destination port 1433, 3306, 5432, 5439.
CI/CD pipeline agents (Jenkins agent, GitHub Actions runner, GitLab runner) poll for work assignments at regular intervals and produce consistent beacon-like patterns; exclude runner process names and the CI/CD server IP range.

Google Chronicle / SecOps

yaral

rule t1583_003_vps_c2_beaconing {
  meta:
    author = "Detection Engineering"
    description = "Detects C2 beaconing to VPS-hosted infrastructure — repeated outbound connections from non-browser processes to the same public IP within a 1-hour window."
    mitre_attack_technique = "T1583.003"
    mitre_attack_tactic = "TA0042 - Resource Development"
    reference = "https://attack.mitre.org/techniques/T1583/003/"
    severity = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"

    // Exclude private, loopback, and link-local address space
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|169\.254\.)`)
    $e.target.ip != "::1"
    $e.target.ip != ""

    // Exclude known-safe browser processes
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome|firefox|msedge|MicrosoftEdgeCP|iexplore|brave|opera|safari|waterfox)\.exe`)

    // Exclude common noisy system processes
    not re.regex($e.principal.process.file.full_path, `(?i)(svchost|MsMpEng|wuauclt|TrustedInstaller|msiexec|ccmexec|teams|OneDrive)\.exe`)

    // Bind aggregation dimensions
    $hostname = $e.principal.hostname
    $process  = $e.principal.process.file.full_path
    $dest_ip  = $e.target.ip

  match:
    $hostname, $process, $dest_ip over 1h

  outcome:
    $connection_count  = count($e.metadata.id)
    $unique_dest_ports = count_distinct($e.target.port)
    $sample_cmdline    = array_distinct($e.principal.process.command_line)[0]
    $risk_score = if(
      $connection_count >= 50 and $unique_dest_ports <= 1, 95,
      if($connection_count >= 30 and $unique_dest_ports <= 2, 75,
        if($connection_count >= 20, 55, 30)
      )
    )
    $beacon_risk = if(
      $connection_count >= 50 and $unique_dest_ports <= 1,
      "CRITICAL - Highly Regular Single-Port Beaconing",
      if($connection_count >= 30 and $unique_dest_ports <= 2,
        "HIGH - Low Port Variance Repetitive Connections",
        if($connection_count >= 20,
          "MEDIUM - Elevated Outbound Connection Frequency",
          "LOW - Above Threshold Outbound Frequency"
        )
      )
    )

  condition:
    $e and $connection_count >= 12
}

medium severity medium confidence

Data Sources

Chronicle UDM NETWORK_CONNECTION events from endpoint agents Sysmon Event ID 3 parsed by Chronicle Windows Sysmon parser CrowdStrike Falcon or Carbon Black EDR forwarded to Chronicle

Required Tables

UDM events (metadata.event_type = NETWORK_CONNECTION) Entity graph (principal.hostname, principal.process.file.full_path)

False Positives

Application performance monitoring (APM) agents such as AppDynamics, Dynatrace OneAgent, and New Relic APM make continuous high-frequency connections to their SaaS collectors; these agents run from non-browser process paths and will match this rule — exclude by process path regex after confirming the destination IP belongs to the APM vendor.
Custom keepalive probes embedded in legacy in-house applications that heartbeat to a load balancer or health-check endpoint every few seconds will accumulate rapidly; identify via process name and correlate with application inventory to create targeted exclusions.
Remote management and RMM agents (ConnectWise Automate ltsvc.exe, Kaseya, AnyDesk, TeamViewer) maintain persistent connections and reconnect frequently; correlate with IT asset management data and exclude approved RMM process hashes.

CrowdStrike LogScale (CQL)

cql

// T1583.003 — VPS C2 Beaconing: repeated outbound connections from non-browser processes
#event_simpleName=NetworkConnectIP4

// Exclude RFC 1918, loopback, and link-local
| !match(RemoteAddressIP4, regex="^(10\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|192\.168\\.|127\\.|169\.254\\.)")
| RemoteAddressIP4 != "::1"

// Exclude browsers and noisy system processes
| !match(ImageFileName, regex="(?i)(chrome|firefox|msedge|MicrosoftEdgeCP|iexplore|brave|opera|safari|waterfox|svchost|MsMpEng|wuauclt|TrustedInstaller|msiexec|ccmexec|teams|OneDrive)\.exe$")

// Aggregate connections per host/user/process/destination within 1-hour buckets
| bucket(field=@timestamp, span=1h)
| groupBy(
    [ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4, @timestamp],
    function=[
      count(as=ConnectionCount),
      count(RemotePort, distinct=true, as=UniqueRemotePorts)
    ]
  )

// Apply minimum connection threshold (beacon filter)
| ConnectionCount >= 12

// Compute connections-per-minute rate
| ConnectionsPerMinute := round(ConnectionCount / 60.0, 2)

// Assign beacon risk tier
| BeaconRisk := case {
    ConnectionCount >= 50 AND UniqueRemotePorts <= 1 => "CRITICAL - Highly Regular Single-Port Beaconing",
    ConnectionCount >= 30 AND UniqueRemotePorts <= 2 => "HIGH - Low Port Variance Repetitive Connections",
    ConnectionCount >= 20                            => "MEDIUM - Elevated Outbound Connection Frequency",
    *                                                => "LOW - Above Threshold Outbound Frequency"
  }

// Assign numeric risk score for sorting
| RiskScore := case {
    BeaconRisk = "CRITICAL - Highly Regular Single-Port Beaconing"    => 4,
    BeaconRisk = "HIGH - Low Port Variance Repetitive Connections"     => 3,
    BeaconRisk = "MEDIUM - Elevated Outbound Connection Frequency"     => 2,
    *                                                                   => 1
  }

| sort(RiskScore, ConnectionCount, order=desc)
| select([ComputerName, UserName, ImageFileName, CommandLine, RemoteAddressIP4,
          ConnectionCount, ConnectionsPerMinute, UniqueRemotePorts,
          BeaconRisk, RiskScore, @timestamp])

medium severity medium confidence

Data Sources

CrowdStrike Falcon EDR (NetworkConnectIP4 events via #event_simpleName) Falcon Data Replicator (FDR) streaming to LogScale CrowdStrike Humio/LogScale SIEM connector

Required Tables

Falcon endpoint events (NetworkConnectIP4) ProcessRollup2 (optional join for additional process context)

False Positives

CrowdStrike Falcon sensor itself and other endpoint security agents (Carbon Black, SentinelOne) generate frequent internal telemetry connections; however, these are typically excluded by the process name filter — confirm the sensor process names are covered in the exclusion regex and update as product versions change.
Developer workstations running Docker Desktop, Kubernetes, or local service meshes generate high-frequency connections to localhost-forwarded ports that may appear as repeated connections to specific IPs; review destination IPs in alerts and exclude known developer toolchain destinations.
Automated test frameworks (Selenium Grid, Playwright test runners, JMeter load generators) running on endpoint devices produce rapid repetitive outbound connections as part of normal test execution; correlate with CI/CD schedules and exclude test-runner process names in non-production environments.

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001Domains T1583.002DNS Server T1583.004Server T1583.005Botnet T1583.006Web Services T1583.007Serverless T1583.008Malvertising

Virtual Private Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections