T1583.004

Server

Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. Real-world examples include GALLIUM operating Taiwan-based exclusive servers, Kimsuky purchasing hosting servers with virtual currency and prepaid cards, Sandworm Team leasing servers through resellers to obscure attribution, Earth Lusca acquiring multiple servers with distinct roles per operation, Mustard Tempest hosting second-stage SocGholish payloads on short-lived acquired servers, and CURIUM creating dedicated servers for C2 and exfiltration. Because the adversary action of acquiring the server occurs entirely outside the target environment, detection must focus on identifying the operational use of adversary-controlled server infrastructure: C2 beaconing patterns, connections to known malicious hosting infrastructure, and suspicious DNS resolution to adversary-controlled domains.

Microsoft Sentinel / Defender

kusto

// Detect potential C2 beaconing to adversary-controlled server infrastructure
// Primary strategy: regular-interval outbound connections from non-browser processes to public IPs
let TimeWindow = 24h;
let MinConnections = 10;
let KnownGoodDomains = dynamic([
  "microsoft.com", "windows.com", "windowsupdate.com", "office.com",
  "live.com", "azure.com", "microsoftonline.com", "office365.com",
  "akamaiedge.net", "akamaitechnologies.com", "cloudflare.com",
  "cloudflare-dns.com", "amazonaws.com", "googleusercontent.com",
  "googleapis.com", "apple.com", "icloud.com", "digicert.com",
  "verisign.com", "ocsp.sectigo.com", "crl.microsoft.com",
  "ctldl.windowsupdate.com", "login.microsoftonline.com"
]);
let SuspiciousProcesses = dynamic([
  "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
  "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe",
  "bitsadmin.exe", "curl.exe", "wget.exe", "msiexec.exe",
  "odbcconf.exe", "wmic.exe", "msbuild.exe", "csc.exe"
]);
DeviceNetworkEvents
| where Timestamp > ago(TimeWindow)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where not(RemoteUrl has_any (KnownGoodDomains))
| where InitiatingProcessFileName !in~ (
    "msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe",
    "opera.exe", "brave.exe", "outlook.exe", "teams.exe",
    "slack.exe", "zoom.exe", "onedrive.exe", "dropbox.exe",
    "steam.exe", "msedgewebview2.exe", "MicrosoftEdgeCP.exe"
  )
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    DistinctPorts = dcount(RemotePort),
    Ports = make_set(RemotePort, 10),
    Processes = make_set(InitiatingProcessFileName, 5)
  by DeviceName, AccountName, RemoteIP, RemoteUrl
| where ConnectionCount >= MinConnections
| extend DurationMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| where DurationMinutes > 30
| extend AvgIntervalMinutes = toreal(DurationMinutes) / toreal(ConnectionCount)
| extend IsSuspiciousProcess = Processes has_any (SuspiciousProcesses)
| extend IsBeaconInterval = AvgIntervalMinutes between (0.5 .. 60.0)
| where IsBeaconInterval or IsSuspiciousProcess
| extend RiskScore = case(
    IsSuspiciousProcess and IsBeaconInterval, 3,
    IsSuspiciousProcess, 2,
    IsBeaconInterval and ConnectionCount > 30, 2,
    1
  )
| project
    Timestamp = LastSeen,
    DeviceName,
    AccountName,
    RemoteIP,
    RemoteUrl,
    ConnectionCount,
    DurationMinutes,
    AvgIntervalMinutes,
    DistinctPorts,
    Ports,
    Processes,
    IsSuspiciousProcess,
    IsBeaconInterval,
    RiskScore
| sort by RiskScore desc, ConnectionCount desc

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Monitoring and telemetry agents (Datadog, Elastic Agent, Splunk Universal Forwarder, Dynatrace OneAgent) making regular check-ins to cloud-hosted collection endpoints at consistent intervals
Software update mechanisms (Chocolatey, WinGet, vendor update services) polling cloud update servers not covered by the known-good domain exclusion list
Enterprise applications with cloud-hosted license servers or API backends making periodic heartbeat connections
Remote management and monitoring tools (ConnectWise, N-able, TeamViewer, Splashtop) maintaining persistent outbound management connections
Security tools performing regular threat intelligence feed updates, CRL checks, or OCSP queries to non-standard CA endpoints
DevOps pipeline agents (GitHub Actions runner, Jenkins agent, GitLab runner) polling orchestration servers at regular intervals

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
    NOT (DestinationHostname="*microsoft.com" OR DestinationHostname="*windows.com"
         OR DestinationHostname="*office.com" OR DestinationHostname="*azure.com"
         OR DestinationHostname="*microsoftonline.com" OR DestinationHostname="*office365.com"
         OR DestinationHostname="*amazonaws.com" OR DestinationHostname="*cloudflare.com"
         OR DestinationHostname="*akamai*" OR DestinationHostname="*googleapi*"
         OR DestinationHostname="*digicert.com" OR DestinationHostname="*verisign.com"
         OR DestinationHostname="*ocsp.*" OR DestinationHostname="*crl.*")
    NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
         OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
         OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
         OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
         OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
         OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
         OR DestinationIp="127.*" OR DestinationIp="::1" OR DestinationIp="0:0:0:0:0:0:0:1")
    NOT (Image="*\\msedge.exe" OR Image="*\\chrome.exe" OR Image="*\\firefox.exe"
         OR Image="*\\iexplore.exe" OR Image="*\\opera.exe" OR Image="*\\brave.exe"
         OR Image="*\\outlook.exe" OR Image="*\\teams.exe" OR Image="*\\slack.exe"
         OR Image="*\\zoom.exe" OR Image="*\\onedrive.exe" OR Image="*\\msedgewebview2.exe")
| eval HourBucket=strftime(_time, "%Y-%m-%d %H:00:00")
| stats
    count as HourlyConnections,
    values(DestinationPort) as Ports
    by host, Image, DestinationIp, DestinationHostname, HourBucket
| stats
    sum(HourlyConnections) as TotalConnections,
    count as HoursActive,
    avg(HourlyConnections) as AvgPerHour,
    stdev(HourlyConnections) as StdDevPerHour,
    values(Ports) as Ports,
    min(HourBucket) as FirstSeen,
    max(HourBucket) as LastSeen
    by host, Image, DestinationIp, DestinationHostname
| where TotalConnections >= 10 AND HoursActive >= 2
| eval ConsistencyRatio=if(AvgPerHour > 0, StdDevPerHour/AvgPerHour, 99)
| eval IsSuspiciousProcess=if(match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|msiexec\.exe|wmic\.exe|msbuild\.exe)"), 1, 0)
| eval IsBeaconPattern=if(ConsistencyRatio < 0.50 AND AvgPerHour >= 0.5, 1, 0)
| eval RiskScore=IsSuspiciousProcess + IsBeaconPattern + if(TotalConnections > 50, 1, 0)
| where RiskScore >= 1
| table host, Image, DestinationIp, DestinationHostname, TotalConnections, HoursActive, AvgPerHour, ConsistencyRatio, Ports, FirstSeen, LastSeen, IsSuspiciousProcess, IsBeaconPattern, RiskScore
| sort - RiskScore, - TotalConnections

medium severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation Sysmon Event ID 3

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Monitoring and telemetry agents making regular check-ins at consistent intervals to cloud-hosted backends not covered by the domain exclusion list
Software update services using non-browser processes with predictable polling schedules
Enterprise applications maintaining heartbeat connections to vendor cloud infrastructure
Security tools with consistent threat intel update cycles using curl.exe or PowerShell
Remote management tools maintaining persistent management connections from non-browser processes

IBM QRadar (AQL)

sql

SELECT
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip,
  destinationip,
  destinationport,
  "Process Name" AS ProcessName,
  username,
  COUNT(*) AS TotalConnections,
  COUNT(DISTINCT DATEFORMAT(starttime, 'yyyy-MM-dd HH')) AS HoursActive,
  DATEFORMAT(MIN(starttime), 'yyyy-MM-dd HH:mm:ss') AS FirstSeen,
  DATEFORMAT(MAX(starttime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  DATEDIFF(MINUTE, MIN(starttime), MAX(starttime)) AS DurationMinutes
FROM events
WHERE CATEGORYNAME(category) LIKE '%Network%'
  AND destinationip NOT INCIDR '10.0.0.0/8'
  AND destinationip NOT INCIDR '172.16.0.0/12'
  AND destinationip NOT INCIDR '192.168.0.0/16'
  AND destinationip NOT INCIDR '127.0.0.0/8'
  AND destinationip NOT INCIDR '::1/128'
  AND NOT LOWER("Destination Hostname") LIKE '%.microsoft.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.windows.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.windowsupdate.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.office.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.live.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.azure.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.microsoftonline.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.office365.com'
  AND NOT LOWER("Destination Hostname") LIKE '%akamai%'
  AND NOT LOWER("Destination Hostname") LIKE '%.cloudflare.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.amazonaws.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.googleapis.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.digicert.com'
  AND NOT LOWER("Destination Hostname") LIKE '%.verisign.com'
  AND NOT LOWER("Process Name") LIKE '%msedge.exe'
  AND NOT LOWER("Process Name") LIKE '%chrome.exe'
  AND NOT LOWER("Process Name") LIKE '%firefox.exe'
  AND NOT LOWER("Process Name") LIKE '%iexplore.exe'
  AND NOT LOWER("Process Name") LIKE '%opera.exe'
  AND NOT LOWER("Process Name") LIKE '%brave.exe'
  AND NOT LOWER("Process Name") LIKE '%outlook.exe'
  AND NOT LOWER("Process Name") LIKE '%msteams.exe'
  AND NOT LOWER("Process Name") LIKE '%slack.exe'
  AND NOT LOWER("Process Name") LIKE '%zoom.exe'
  AND NOT LOWER("Process Name") LIKE '%onedrive.exe'
  AND NOT LOWER("Process Name") LIKE '%msedgewebview2.exe'
  AND starttime > NOW() - 86400000
GROUP BY logsourceid, sourceip, destinationip, destinationport, "Process Name", username
HAVING TotalConnections >= 10 AND HoursActive >= 2
ORDER BY TotalConnections DESC

high severity medium confidence

Data Sources

Windows Sysmon via QRadar DSM Windows Security Event Log QRadar Network Activity Events

Required Tables

events

False Positives

Enterprise management platforms such as SCCM, Tanium, or Ansible performing regular check-ins to cloud-hosted management infrastructure with non-standard domain names not covered by the exclusion list
Custom in-house applications using regular polling to external REST APIs or software licensing servers where the destination domain is not a well-known CDN or cloud provider
Log shippers and SIEM forwarders such as Splunk Universal Forwarder or Elastic Beats maintaining persistent connections to external aggregation endpoints

Sumo Logic CSE

sql

_index=sec_record_network
| where !(dstDevice_ip matches "10.*"
  OR dstDevice_ip matches "172.16.*" OR dstDevice_ip matches "172.17.*"
  OR dstDevice_ip matches "172.18.*" OR dstDevice_ip matches "172.19.*"
  OR dstDevice_ip matches "172.20.*" OR dstDevice_ip matches "172.21.*"
  OR dstDevice_ip matches "172.22.*" OR dstDevice_ip matches "172.23.*"
  OR dstDevice_ip matches "172.24.*" OR dstDevice_ip matches "172.25.*"
  OR dstDevice_ip matches "172.26.*" OR dstDevice_ip matches "172.27.*"
  OR dstDevice_ip matches "172.28.*" OR dstDevice_ip matches "172.29.*"
  OR dstDevice_ip matches "172.30.*" OR dstDevice_ip matches "172.31.*"
  OR dstDevice_ip matches "192.168.*" OR dstDevice_ip matches "127.*")
| where !(dstDevice_hostname matches "*microsoft.com"
  OR dstDevice_hostname matches "*windows.com"
  OR dstDevice_hostname matches "*windowsupdate.com"
  OR dstDevice_hostname matches "*office.com"
  OR dstDevice_hostname matches "*live.com"
  OR dstDevice_hostname matches "*azure.com"
  OR dstDevice_hostname matches "*microsoftonline.com"
  OR dstDevice_hostname matches "*office365.com"
  OR dstDevice_hostname matches "*akamai*"
  OR dstDevice_hostname matches "*cloudflare.com"
  OR dstDevice_hostname matches "*amazonaws.com"
  OR dstDevice_hostname matches "*googleapis.com"
  OR dstDevice_hostname matches "*digicert.com"
  OR dstDevice_hostname matches "*verisign.com")
| where !(application matches "*msedge.exe" OR application matches "*chrome.exe"
  OR application matches "*firefox.exe" OR application matches "*iexplore.exe"
  OR application matches "*opera.exe" OR application matches "*brave.exe"
  OR application matches "*outlook.exe" OR application matches "*teams.exe"
  OR application matches "*slack.exe" OR application matches "*zoom.exe"
  OR application matches "*onedrive.exe" OR application matches "*msedgewebview2.exe")
| timeslice 1h
| stats count as HourlyConnections, values(dstPort) as Ports
    by srcDevice_hostname, application, dstDevice_ip, dstDevice_hostname, _timeslice
| stats
    sum(HourlyConnections) as TotalConnections,
    count as HoursActive,
    avg(HourlyConnections) as AvgPerHour,
    stddev(HourlyConnections) as StdDevPerHour,
    values(Ports) as Ports,
    min(_timeslice) as FirstSeen,
    max(_timeslice) as LastSeen
    by srcDevice_hostname, application, dstDevice_ip, dstDevice_hostname
| where TotalConnections >= 10 and HoursActive >= 2
| eval ConsistencyRatio = if(AvgPerHour > 0, StdDevPerHour / AvgPerHour, 99)
| eval IsSuspiciousProcess = if(application matches /(?i)(powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32|mshta|certutil|bitsadmin|curl|wget|msiexec|wmic|msbuild|csc)\.exe/, 1, 0)
| eval IsBeaconPattern = if(ConsistencyRatio < 0.5 and AvgPerHour >= 0.5, 1, 0)
| eval RiskScore = IsSuspiciousProcess + IsBeaconPattern + if(TotalConnections > 50, 1, 0)
| where RiskScore >= 1
| sort by RiskScore desc, TotalConnections desc
| fields srcDevice_hostname, application, dstDevice_ip, dstDevice_hostname, TotalConnections, HoursActive, AvgPerHour, ConsistencyRatio, Ports, FirstSeen, LastSeen, IsSuspiciousProcess, IsBeaconPattern, RiskScore

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM (CSE) Normalized Network Records Windows Sysmon via Sumo Logic Collector

Required Tables

sec_record_network

False Positives

Enterprise endpoint agents such as EDR sensors, SIEM forwarders, and IT management tools with consistent polling intervals connecting to cloud infrastructure not covered by the domain exclusion list
Custom business applications making regular REST API calls to external SaaS services where the destination domain is not a well-known CDN or major cloud provider
Developer workstations running automation scripts or CI/CD pipelines that repeatedly contact external build or artifact repositories at consistent intervals

Google Chronicle / SecOps

yaral

rule t1583_004_c2_beaconing_adversary_server {
  meta:
    author = "Detection Engineering"
    description = "Detects C2 beaconing to adversary-controlled server infrastructure - T1583.004"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583.004"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1583/004/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    not re.regex($e.target.ip,
      `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1$|fe80:)`)
    not re.regex($e.target.hostname,
      `(?i)(microsoft\.com|windows\.com|windowsupdate\.com|office\.com|live\.com|azure\.com|microsoftonline\.com|office365\.com|akamaiedge\.net|akamaitechnologies\.com|cloudflare\.com|cloudflare-dns\.com|amazonaws\.com|googleapis\.com|apple\.com|icloud\.com|digicert\.com|verisign\.com)$`)
    not re.regex($e.principal.process.file.full_path,
      `(?i)(msedge\.exe|chrome\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|teams\.exe|slack\.exe|zoom\.exe|onedrive\.exe|msedgewebview2\.exe|microsoftedgecp\.exe)$`)
    re.regex($e.principal.process.file.full_path,
      `(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|msiexec\.exe|odbcconf\.exe|wmic\.exe|msbuild\.exe|csc\.exe)$`)
    $host = $e.principal.hostname
    $dst_ip = $e.target.ip
    $proc = $e.principal.process.file.full_path

  match:
    $host, $dst_ip, $proc over 24h

  condition:
    #e >= 10
}

high severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Endpoint Telemetry via Chronicle Forwarder Sysmon EventCode 3 via Chronicle Ingestion

Required Tables

NETWORK_CONNECTION UDM events

False Positives

LOLBin-based administrative tooling such as PowerShell monitoring scripts or certutil used for certificate operations making regular connections to partner or vendor systems that resolve to public IPs not covered by the exclusion regex
Software distribution tools invoking msiexec or similar LOLBins to download packages from vendor servers that do not use well-known CDN domains
Developer automation tools such as curl or wget invoked by scheduled tasks to poll external package registries or APIs at regular intervals

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NetworkConnectIP4
| !cidr(RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| !regex("(?i)(msedge|chrome|firefox|iexplore|opera|brave|outlook|msteams|slack|zoom|onedrive|msedgewebview2)\\.exe", field=ImageFileName)
| IsSuspiciousProcess := if(regex("(?i)(powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32|mshta|certutil|bitsadmin|curl|wget|msiexec|wmic|msbuild|csc)\\.exe", ImageFileName), 1, 0)
| HourBucket := formatTime("%Y-%m-%d %H:00:00", field=@timestamp, timezone="UTC")
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, IsSuspiciousProcess, HourBucket],
    function=count(as=HourlyConnections))
| groupBy([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort, IsSuspiciousProcess],
    function=[
      sum(HourlyConnections, as=TotalConnections),
      count(as=HoursActive),
      avg(HourlyConnections, as=AvgPerHour),
      stddev(HourlyConnections, as=StdDevConnections),
      min(HourBucket, as=FirstSeen),
      max(HourBucket, as=LastSeen)
    ])
| TotalConnections >= 10
| HoursActive >= 2
| ConsistencyRatio := StdDevConnections / AvgPerHour
| IsBeaconPattern := if(ConsistencyRatio < 0.5 and AvgPerHour >= 0.5, 1, 0)
| RiskScore := IsSuspiciousProcess + IsBeaconPattern + if(TotalConnections > 50, 1, 0)
| RiskScore >= 1
| sort(RiskScore, order=desc, limit=1000)
| select([ComputerName, ImageFileName, RemoteAddressIP4, RemotePort,
          TotalConnections, HoursActive, AvgPerHour, ConsistencyRatio,
          IsSuspiciousProcess, IsBeaconPattern, RiskScore, FirstSeen, LastSeen])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Telemetry

Required Tables

NetworkConnectIP4

False Positives

CrowdStrike Falcon sensor itself or other EDR agents making regular telemetry callbacks to Falcon cloud infrastructure that falls outside the CIDR exclusion ranges
PowerShell-based administrative automation such as DSC configurations or custom runbooks polling external management APIs on regular intervals from server hosts
Automated build or deployment pipelines invoking curl or msiexec to retrieve artifacts from external repositories at consistent scheduled intervals

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1583.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1583Acquire Infrastructure

Related Sub-techniques

T1583.001Domains T1583.002DNS Server T1583.003Virtual Private Server T1583.005Botnet T1583.006Web Services T1583.007Serverless T1583.008Malvertising

Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections