Detect Server in Splunk
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. Real-world examples include GALLIUM operating Taiwan-based exclusive servers, Kimsuky purchasing hosting servers with virtual currency and prepaid cards, Sandworm Team leasing servers through resellers to obscure attribution, Earth Lusca acquiring multiple servers with distinct roles per operation, Mustard Tempest hosting second-stage SocGholish payloads on short-lived acquired servers, and CURIUM creating dedicated servers for C2 and exfiltration. Because the adversary action of acquiring the server occurs entirely outside the target environment, detection must focus on identifying the operational use of adversary-controlled server infrastructure: C2 beaconing patterns, connections to known malicious hosting infrastructure, and suspicious DNS resolution to adversary-controlled domains.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Sub-technique: T1583.004 Server
- Canonical reference: https://attack.mitre.org/techniques/T1583/004/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
NOT (DestinationHostname="*microsoft.com" OR DestinationHostname="*windows.com"
OR DestinationHostname="*office.com" OR DestinationHostname="*azure.com"
OR DestinationHostname="*microsoftonline.com" OR DestinationHostname="*office365.com"
OR DestinationHostname="*amazonaws.com" OR DestinationHostname="*cloudflare.com"
OR DestinationHostname="*akamai*" OR DestinationHostname="*googleapi*"
OR DestinationHostname="*digicert.com" OR DestinationHostname="*verisign.com"
OR DestinationHostname="*ocsp.*" OR DestinationHostname="*crl.*")
NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="172.17.*"
OR DestinationIp="172.18.*" OR DestinationIp="172.19.*" OR DestinationIp="172.20.*"
OR DestinationIp="172.21.*" OR DestinationIp="172.22.*" OR DestinationIp="172.23.*"
OR DestinationIp="172.24.*" OR DestinationIp="172.25.*" OR DestinationIp="172.26.*"
OR DestinationIp="172.27.*" OR DestinationIp="172.28.*" OR DestinationIp="172.29.*"
OR DestinationIp="172.30.*" OR DestinationIp="172.31.*" OR DestinationIp="192.168.*"
OR DestinationIp="127.*" OR DestinationIp="::1" OR DestinationIp="0:0:0:0:0:0:0:1")
NOT (Image="*\\msedge.exe" OR Image="*\\chrome.exe" OR Image="*\\firefox.exe"
OR Image="*\\iexplore.exe" OR Image="*\\opera.exe" OR Image="*\\brave.exe"
OR Image="*\\outlook.exe" OR Image="*\\teams.exe" OR Image="*\\slack.exe"
OR Image="*\\zoom.exe" OR Image="*\\onedrive.exe" OR Image="*\\msedgewebview2.exe")
| eval HourBucket=strftime(_time, "%Y-%m-%d %H:00:00")
| stats
count as HourlyConnections,
values(DestinationPort) as Ports
by host, Image, DestinationIp, DestinationHostname, HourBucket
| stats
sum(HourlyConnections) as TotalConnections,
count as HoursActive,
avg(HourlyConnections) as AvgPerHour,
stdev(HourlyConnections) as StdDevPerHour,
values(Ports) as Ports,
min(HourBucket) as FirstSeen,
max(HourBucket) as LastSeen
by host, Image, DestinationIp, DestinationHostname
| where TotalConnections >= 10 AND HoursActive >= 2
| eval ConsistencyRatio=if(AvgPerHour > 0, StdDevPerHour/AvgPerHour, 99)
| eval IsSuspiciousProcess=if(match(Image, "(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|rundll32\.exe|regsvr32\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe|msiexec\.exe|wmic\.exe|msbuild\.exe)"), 1, 0)
| eval IsBeaconPattern=if(ConsistencyRatio < 0.50 AND AvgPerHour >= 0.5, 1, 0)
| eval RiskScore=IsSuspiciousProcess + IsBeaconPattern + if(TotalConnections > 50, 1, 0)
| where RiskScore >= 1
| table host, Image, DestinationIp, DestinationHostname, TotalConnections, HoursActive, AvgPerHour, ConsistencyRatio, Ports, FirstSeen, LastSeen, IsSuspiciousProcess, IsBeaconPattern, RiskScore
| sort - RiskScore, - TotalConnections

Detects potential C2 beaconing to adversary-controlled server infrastructure using Sysmon Event ID 3 (Network Connection). Aggregates outbound connections per host, initiating process and destination into hourly buckets, then computes a consistency ratio (standard deviation of the hourly counts divided by their mean) across the hours in which the destination was active. A low ratio means the hourly volume barely varies, which indicates machine-driven regularity rather than human-initiated traffic. Common browsers and collaboration clients, known-good cloud and PKI domains, RFC1918 private ranges and loopback addresses are filtered out first. A destination only enters the result set after at least 10 connections spread over at least 2 active hours; RiskScore then adds one point each for a suspicious initiating process (LOLBins such as powershell.exe, rundll32.exe or certutil.exe), a beacon-like pattern (ConsistencyRatio below 0.5 with at least 0.5 connections per hour), and more than 50 total connections. A low ConsistencyRatio combined with a suspicious initiating process yields the highest RiskScore and the highest confidence of adversary C2 activity.
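To check the scoring logic offline before tuning the thresholds, the following is an added Python re-implementation of the query's aggregation and RiskScore (not the page's own code) run over constructed Sysmon Event ID 3 records; the host name, IPs and process paths in the sample are made up, and the allow-lists are an abbreviated copy of the query's.

```python
import fnmatch, re, statistics
from collections import Counter
from datetime import datetime, timedelta

# Allow-lists mirror the query's NOT (...) clauses (abbreviated); '*' is a Splunk-style wildcard.
EXCLUDED_HOSTS = ["*microsoft.com", "*windows.com", "*amazonaws.com", "*ocsp.*", "*crl.*"]
EXCLUDED_IPS = ["10.*", "192.168.*", "127.*", "::1"] + [f"172.{n}.*" for n in range(16, 32)]
EXCLUDED_IMAGES = ["*\\msedge.exe", "*\\chrome.exe", "*\\firefox.exe", "*\\outlook.exe"]
SUSPICIOUS = re.compile(r"(?i)(powershell\.exe|pwsh\.exe|cmd\.exe|rundll32\.exe|mshta\.exe|certutil\.exe|curl\.exe)")

def _any(value, patterns):  # case-insensitive wildcard match, like Splunk field comparisons
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def score(events):
    """Aggregate Sysmon EID 3 events the way the query does and return the rows it would emit."""
    hourly = Counter()  # first stats: connections per (host, Image, dst ip, dst host, hour)
    for ev in events:
        if _any(ev["DestinationHostname"], EXCLUDED_HOSTS) or _any(ev["DestinationIp"], EXCLUDED_IPS) \
                or _any(ev["Image"], EXCLUDED_IMAGES):
            continue
        hourly[(ev["host"], ev["Image"], ev["DestinationIp"], ev["DestinationHostname"], ev["_time"].strftime("%Y-%m-%d %H:00:00"))] += 1
    per_dest = {}  # second stats: list of hourly counts per destination
    for (*key, _bucket), n in hourly.items():
        per_dest.setdefault(tuple(key), []).append(n)
    rows = {}
    for key, counts in per_dest.items():
        total, hours = sum(counts), len(counts)
        if total < 10 or hours < 2:  # first where clause
            continue
        avg = total / hours
        ratio = statistics.stdev(counts) / avg if avg > 0 else 99  # sample stdev, as Splunk's stdev()
        suspicious = int(bool(SUSPICIOUS.search(key[1])))
        beacon = int(ratio < 0.5 and avg >= 0.5)
        risk = suspicious + beacon + int(total > 50)
        if risk >= 1:
            rows[key] = {"TotalConnections": total, "HoursActive": hours, "ConsistencyRatio": round(ratio, 3),
                         "IsSuspiciousProcess": suspicious, "IsBeaconPattern": beacon, "RiskScore": risk}
    return rows

def synth(host, image, ip, name, hourly_counts, start=datetime(2024, 1, 15, 9)):
    """Constructed events (not real telemetry): hourly_counts[i] evenly spaced connections in hour i."""
    return [{"host": host, "Image": image, "DestinationIp": ip, "DestinationHostname": name,
             "_time": start + timedelta(hours=h, seconds=i * 3600 // n)}
            for h, n in enumerate(hourly_counts) for i in range(n)]

SAMPLE_EVENTS = (
    synth("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "203.0.113.10", "cdn-sync.example", [60, 60, 60, 60])  # steady beacon
    + synth("WS01", r"C:\Program Files\Acme\acme.exe", "198.51.100.7", "api.acme.example", [30, 2, 1])  # bursty, user-driven
    + synth("WS01", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.10", "cdn-sync.example", [20, 20])  # browser: excluded
    + synth("WS01", r"C:\Windows\System32\cmd.exe", "10.0.0.5", "fileserver.corp", [20, 20]))  # RFC1918 destination: excluded
```

Only the powershell.exe destination survives: its hourly counts are identical (ConsistencyRatio 0), so it scores one point each for the suspicious process, the beacon pattern and the volume, while the bursty acme.exe traffic has a ratio near 1.5 and no other point and is dropped.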
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 3, Network Connection), searched in index=wineventlog as in the query above
False Positives & Tuning
- Monitoring and telemetry agents making regular check-ins at consistent intervals to cloud-hosted backends not covered by the domain exclusion list
- Software update services using non-browser processes with predictable polling schedules
- Enterprise applications maintaining heartbeat connections to vendor cloud infrastructure
- Security tools with consistent threat intel update cycles using curl.exe or PowerShell
- Remote management tools maintaining persistent management connections from non-browser processes
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate C2 Beacon Check-in with Regular Interval Callback
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with the above CommandLine. Sysmon Event ID 3: Five Network Connection events to 127.0.0.1:8888 at approximately 30-second intervals from powershell.exe. If targeting a real test server: firewall and proxy logs showing repeated outbound connections from powershell.exe to the test server IP at regular intervals. Windows PowerShell ScriptBlock Log Event ID 4104 capturing the Invoke-WebRequest command.
- Test 2: DNS Query Pattern Consistent with Adversary-Controlled Server Domain
Expected signal: Sysmon Event ID 22: DNS Query events for each of the five domains, showing QueryName, QueryStatus (most will return NXDOMAIN or error since these are test domains), and the querying process image path (powershell.exe). Windows DNS Client Operational log (Microsoft-Windows-DNS-Client/Operational Event ID 3008) may additionally capture failed lookup events.
- Test 3: Outbound Connection to Non-Standard C2 Ports from LOLBin
Expected signal: Sysmon Event ID 3: Network connection attempt events from powershell.exe to 127.0.0.1 on ports 4444, 8080, and 8443. Note: Sysmon typically logs connection attempts even when the connection is refused (no listener). Sysmon Event ID 1: Process Create for the powershell.exe instance. For testing with a real server running nc -lvp 4444 or similar: successful connection events with DestinationIp and DestinationPort fields populated.
- Test 4: Scheduled Task Persistence Simulating C2 Callback Persistence Mechanism
Expected signal: Security Event ID 4698: A scheduled task was created — captures task name (WindowsNetworkHealth), task content, and creating user. Sysmon Event ID 1: Process Create for schtasks.exe with the /Create parameters. When the task executes: Sysmon Event ID 1 for powershell.exe spawned by svchost.exe (Task Scheduler service) with parent command line referencing taskhost/taskhostw, carrying the -NoProfile -WindowStyle Hidden flags. Sysmon Event ID 3: Network connection from task-spawned powershell.exe to 127.0.0.1:8888.
References (10)
- https://attack.mitre.org/techniques/T1583/004/
- https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
- https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/
- https://threatconnect.com/blog/infrastructure-research-hunting/
- https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/
- https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/
- https://www.microsoft.com/en-us/security/blog/2019/12/12/gallium-targeting-global-telecom/
- https://www.sentinelone.com/labs/socgholish-campaigns-and-initial-access-kit/
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc.html
- https://www.trendmicro.com/en_us/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-an.html