Detect Virtual Private Server in Microsoft Sentinel
Adversaries may rent Virtual Private Servers (VPSs) to stage malicious infrastructure including command-and-control (C2) servers, phishing pages, payload delivery endpoints, and exfiltration destinations. VPS providers offer rapid provisioning, geographic flexibility, and—when chosen carefully—minimal registration requirements, making attribution difficult. Because VPS-hosted IPs typically carry commercial hosting ASN reputation rather than residential or known-malicious reputation, they can evade naive geo-blocking and ASN-based controls. Real-world actors documented using this technique include Gamaredon, APT28, LAPSUS$, Ember Bear (GRU Unit 29155), HAFNIUM, APT42, Moonstone Sleet, and Contagious Interview. Detection from a defender perspective focuses on three observable effects: outbound C2 beaconing FROM compromised endpoints TO VPS-hosted IPs, inbound attack traffic (scanning, exploit delivery, phishing redirectors) FROM VPS IP ranges, and identity-based signals such as authentication attempts from datacenter IP space. Because T1583.003 is a Resource Development technique (TA0042), it is not directly observable on victim endpoints—detection is necessarily inferential, relying on behavioral patterns that betray VPS-based infrastructure in use.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1583 Acquire Infrastructure
- Sub-technique
- T1583.003 Virtual Private Server
- Canonical reference
- https://attack.mitre.org/techniques/T1583/003/
KQL Detection Query
// T1583.003 — Virtual Private Server: Detect C2 beaconing to VPS-hosted infrastructure
// Identifies non-browser processes making high-frequency repetitive outbound connections,
// enriched with Threat Intelligence indicator matches where available.
let ExcludedBrowsers = dynamic([
"chrome.exe", "firefox.exe", "msedge.exe", "microsoftedgecp.exe",
"iexplore.exe", "brave.exe", "opera.exe", "safari.exe", "waterfox.exe"
]);
let ExcludedSystemProcesses = dynamic([
"svchost.exe", "wuauclt.exe", "trustedinstaller.exe", "msiexec.exe",
"MsMpEng.exe", "ccmexec.exe", "onedrive.exe", "teams.exe"
]);
let BeaconMinConnections = 12;
let ObservationWindowMinutes = 60;
// Step 1: Find non-browser processes with high-frequency outbound public connections
let BeaconingCandidates = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where ActionType in ("ConnectionSuccess", "NetworkSignatureInspected")
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (ExcludedBrowsers)
| where InitiatingProcessFileName !in~ (ExcludedSystemProcesses)
| summarize
ConnectionCount = count(),
UniqueRemotePorts = dcount(RemotePort),
RemotePorts = make_set(RemotePort, 5),
TotalBytesSent = sum(SentBytes),
TotalBytesReceived = sum(ReceivedBytes),
FirstConnection = min(Timestamp),
LastConnection = max(Timestamp)
by DeviceName, AccountName, InitiatingProcessFileName,
InitiatingProcessCommandLine, RemoteIP,
bin(Timestamp, totimespan(strcat(tostring(ObservationWindowMinutes), "m")))
| where ConnectionCount >= BeaconMinConnections;
// Step 2: Enrich with Threat Intelligence indicators
BeaconingCandidates
| join kind=leftouter (
ThreatIntelligenceIndicator
| where TimeGenerated > ago(7d)
| where isnotempty(NetworkIP)
| summarize arg_max(TimeGenerated, *) by NetworkIP
| project TINetworkIP = NetworkIP, ThreatType, TIConfidence = ConfidenceScore,
TIDescription = Description, TIActive = Active
| where TIActive == true
) on $left.RemoteIP == $right.TINetworkIP
| extend IsTIMatch = isnotempty(TINetworkIP)
| extend ConnectionsPerMinute = round(todouble(ConnectionCount) / ObservationWindowMinutes, 2)
| extend ByteRatio = iif(TotalBytesReceived > 0,
round(todouble(TotalBytesSent) / todouble(TotalBytesReceived), 2), real(0))
| extend RiskScore = case(
IsTIMatch and ConnectionCount >= 20, 95,
IsTIMatch and ConnectionCount >= BeaconMinConnections, 80,
IsTIMatch, 65,
ConnectionCount >= 30 and UniqueRemotePorts <= 1, 60,
ConnectionCount >= 20 and UniqueRemotePorts <= 2, 45,
ConnectionCount >= BeaconMinConnections, 30,
20
)
| project
Timestamp, DeviceName, AccountName,
InitiatingProcessFileName, InitiatingProcessCommandLine,
RemoteIP, ConnectionCount, ConnectionsPerMinute,
UniqueRemotePorts, RemotePorts,
TotalBytesSent, TotalBytesReceived, ByteRatio,
IsTIMatch, ThreatType, TIConfidence, TIDescription,
RiskScore
| sort by RiskScore desc, ConnectionCount descDetects C2 beaconing patterns to VPS-hosted infrastructure by identifying non-browser, non-system processes making high-frequency repetitive outbound connections to public IP addresses over a rolling one-hour window. Results are enriched against the ThreatIntelligenceIndicator table to surface known-malicious VPS IPs and compute a composite risk score. Processes excluded include all major browsers and known Windows system processes (svchost, wuauclt, MsMpEng, Teams, OneDrive) to reduce noise from legitimate update and telemetry traffic. The byte ratio field (sent/received) can indicate C2 check-in traffic where responses are small but uploads are large. A threshold of 12 connections per hour was chosen to capture slow/jittered beacons while avoiding excessive alert volume from legitimate management agents.
Data Sources
Required Tables
False Positives & Tuning
- Software update agents (e.g., Google Update, Adobe Updater, Zoom updater) that periodically poll VPS-hosted CDN endpoints — mitigate by adding their process names to the exclusion list
- Monitoring and observability agents (Datadog, Splunk UF, Elastic Agent, SolarWinds) that beacon frequently to cloud-hosted collection endpoints on fixed intervals
- Endpoint security agents (CrowdStrike, Carbon Black, SentinelOne) that maintain persistent cloud connections with regular heartbeat patterns
- Business applications with embedded telemetry or license validation that periodically connect to vendor-hosted VPS infrastructure
- Developer workstations where IDEs, CLIs, or containers make repeated API calls to cloud development services hosted on VPS infrastructure
Other platforms for T1583.003
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate C2 Beacon via PowerShell HTTP Check-in to VPS-like Endpoint
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe and CommandLine containing '-WindowStyle Hidden' and 'Invoke-WebRequest'. Sysmon Event ID 3: 15 network connections from powershell.exe to 127.0.0.1:8443 at approximately 5-second intervals. PowerShell ScriptBlock Log Event ID 4104 with the full script body.
- Test 2Simulate VPS Payload Download via LOLBin (certutil)
Expected signal: Sysmon Event ID 1: Process Create with Image=certutil.exe and CommandLine containing '-urlcache' and '-f'. Sysmon Event ID 3: Network Connection from certutil.exe to 127.0.0.1:8080. Sysmon Event ID 11: File Create attempt for %TEMP%\df00tech-vps-test.exe (may not succeed if no listener). Security Event ID 4688 (if command line auditing enabled).
- Test 3Simulate VPS-based Reconnaissance Inbound Scan Detection (nmap from localhost)
Expected signal: Linux auditd: syscall execve for nmap with full argument list. Syslog: nmap process execution. Network: TCP SYN packets to localhost ports 22, 80, 443, 3389, 8080, 8443. If monitoring inbound scan patterns on perimeter, this generates SYN packets with no corresponding application connection.
- Test 4Simulate Azure AD Authentication from VPS IP Range via PowerShell Graph API Call
Expected signal: Sysmon Event ID 1: Process Create with Image=powershell.exe. Sysmon Event ID 3: Network Connection from powershell.exe to login.microsoftonline.com:443. Sysmon Event ID 22 (DNS Query): DNS resolution of login.microsoftonline.com. PowerShell ScriptBlock Log Event ID 4104.
References (12)
- https://attack.mitre.org/techniques/T1583/003/
- https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
- https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- https://threatconnect.com/blog/infrastructure-research-hunting/
- https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
- https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://unit42.paloaltonetworks.com/unit-42-gamaredon-group-russia-linked/
- https://www.sentinelone.com/labs/winter-vivern-all-you-need-is-one-side-loading-and-a-good-lure/
- https://www.ic3.gov/Media/News/2022/220211.pdf
- https://learn.microsoft.com/en-us/azure/sentinel/understand-threat-intelligence
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicenetworkevents-table
Unlock Pro Content
Get the full detection package for T1583.003 including response playbook, investigation guide, and atomic red team tests.