T1583 Google Chronicle · YARA-L

Detect Acquire Infrastructure in Google Chronicle

This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Canonical reference
https://attack.mitre.org/techniques/T1583/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1583_acquire_infrastructure_hosting_asn_auth {
  meta:
    author = "Detection Engineering"
    description = "Detects authentication events originating from IP ranges associated with adversary-acquired infrastructure including bulletproof hosting, VPS providers, and Tor exit node ranges. Covers T1583 PRE-ATT&CK infrastructure acquisition indicators observable in authentication telemetry."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1583"
    mitre_attack_sub_technique = "T1583.003, T1583.006"
    severity = "HIGH"
    priority = "HIGH"
    version = "1.0"
    created = "2024-01-01"
    reference = "https://attack.mitre.org/techniques/T1583/"

  events:
    $auth.metadata.event_type = "USER_LOGIN"
    $auth.principal.ip != "127.0.0.1"
    $auth.principal.ip != "0.0.0.0"
    not net.ip_in_range_cidr($auth.principal.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($auth.principal.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($auth.principal.ip, "172.16.0.0/12")
    (
      // Known Tor exit nodes and proxy infrastructure
      net.ip_in_range_cidr($auth.principal.ip, "185.220.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "185.209.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "45.83.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "194.165.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "146.70.0.0/16") or
      // DigitalOcean
      net.ip_in_range_cidr($auth.principal.ip, "167.71.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "104.248.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "68.183.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "159.65.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "138.197.0.0/16") or
      // Hetzner Online GmbH
      net.ip_in_range_cidr($auth.principal.ip, "95.217.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "116.202.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "135.181.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "65.109.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "5.9.0.0/16") or
      // OVH SAS
      net.ip_in_range_cidr($auth.principal.ip, "51.77.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "51.68.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "178.32.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "54.36.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "141.95.0.0/16") or
      // Vultr
      net.ip_in_range_cidr($auth.principal.ip, "45.32.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "66.175.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "104.156.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "207.246.0.0/16") or
      // M247 bulletproof hosting
      net.ip_in_range_cidr($auth.principal.ip, "194.5.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "93.115.0.0/16") or
      net.ip_in_range_cidr($auth.principal.ip, "92.223.0.0/16")
    )
    $auth.target.user.userid != ""
    // YARA-L negates a regex match with "not ... = /re/"; "!=" does not accept a regex literal
    not $auth.target.user.userid = /ANONYMOUS.*/
    // Match variable, declared in the events section so the match section can group on it
    $target_user = $auth.target.user.userid

  match:
    $target_user over 1h

  outcome:
    // With a match section every outcome value must be an aggregate;
    // $target_user is already exposed as the match variable
    $risk_score = max(
      if(net.ip_in_range_cidr($auth.principal.ip, "185.220.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "185.209.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "194.5.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "93.115.0.0/16"), 90,
      if(net.ip_in_range_cidr($auth.principal.ip, "167.71.0.0/16") or
         net.ip_in_range_cidr($auth.principal.ip, "104.248.0.0/16"), 70, 55))
    )
    $event_count = count_distinct($auth.metadata.id)
    $unique_ips = count_distinct($auth.principal.ip)
    $src_ip = array_distinct($auth.principal.ip)

  condition:
    $auth
}
Severity: high · Confidence: medium

Chronicle YARA-L 2.0 rule detecting USER_LOGIN events in UDM where the principal IP matches known adversary-acquired infrastructure ranges. Covers bulletproof hosting providers (M247), Tor exit node clusters, and major VPS providers (DigitalOcean, Hetzner, OVH, Vultr) used in threat actor campaigns including Kimsuky, Sea Turtle, and Agrius. Uses Chronicle's native net.ip_in_range_cidr() function for efficient CIDR matching. Risk scoring elevates Tor/proxy and bulletproof hosting to highest severity. Correlates events per user over a 1-hour window to surface persistent authentication attempts.

Data Sources

  • Google Chronicle SIEM
  • UDM USER_LOGIN events from Windows Active Directory
  • Azure AD / Google Workspace identity logs ingested into Chronicle
  • Chronicle Unified Data Model (UDM) normalized authentication telemetry

Required Tables

UDM USER_LOGIN events

False Positives & Tuning

  • Employees or contractors who work from regions where commercial VPN use is common for privacy or censorship circumvention, with VPN exit nodes assigned to DigitalOcean or Hetzner IP ranges — create a reference list of authorized VPN provider ASNs and exclude after HR verification.
  • Cloud-hosted monitoring or ITSM platforms (e.g., PagerDuty, ServiceNow integrations) that authenticate inbound to the environment using service accounts from VPS-hosted integration layers — these should be allowlisted by service account name.
  • Offshore development or managed services vendors who provision their build and deployment systems on OVH or Vultr infrastructure — authentication from these sources should be documented in vendor agreements and excluded from alerting.
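
As an added example (not Chronicle code and not code from this page), the following Python replays constructed UDM-style USER_LOGIN records through the same logic the rule above expresses and applies the two tuning allowlists the list above describes: loopback, unspecified and private addresses are dropped, the principal IP is matched against the rule's CIDR list, ANONYMOUS accounts are excluded, surviving logins are grouped per user into one-hour windows, and each window's risk score follows the rule's outcome tiers (90 for Tor/proxy and M247, 70 for DigitalOcean, 55 otherwise). The event layout, the allowlisted service-account name, the authorized VPN CIDR and the sample events are assumptions. The /16 blocks are copied from the rule and are far broader than any provider's actual exit-node or customer prefixes, which is the main reason the allowlists matter.

```python
"""Added example: offline prototype of the hosting-range login check.

Not Chronicle code. Replays constructed UDM-style USER_LOGIN records through
the rule's logic and applies the allowlists from the tuning notes.
Assumed: the event dict layout, the allowlisted account name, the
authorized VPN CIDR and the sample events below.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

# (cidr, label, score): scores follow the rule's outcome tiers. The /16
# blocks are the rule's own; a production list would hold the providers'
# announced prefixes instead.
HOSTING = [
    ("185.220.0.0/16", "tor_proxy", 90), ("185.209.0.0/16", "tor_proxy", 90),
    ("194.5.0.0/16", "m247", 90), ("93.115.0.0/16", "m247", 90),
    ("167.71.0.0/16", "digitalocean", 70), ("104.248.0.0/16", "digitalocean", 70),
    ("95.217.0.0/16", "hetzner", 55), ("51.77.0.0/16", "ovh", 55),
    ("45.32.0.0/16", "vultr", 55),
]
HOSTING_NETS = [(ipaddress.ip_network(c), label, score) for c, label, score in HOSTING]

# Tuning inputs (placeholders standing in for Chronicle reference lists).
ALLOWLISTED_ACCOUNTS = {"svc-pagerduty-integration"}             # hypothetical ITSM service account
AUTHORIZED_VPN_CIDRS = [ipaddress.ip_network("95.217.10.0/24")]  # hypothetical HR-verified VPN egress
ANON_RE = re.compile(r"ANONYMOUS")
WINDOW = timedelta(hours=1)


def classify_ip(ip_str):
    """Return (provider_label, score) for a hosting-range IP, else None."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback or ip.is_unspecified or any(ip in n for n in PRIVATE):
        return None
    for net, label, score in HOSTING_NETS:
        if ip in net:
            return label, score
    return None


def is_tuned_out(event):
    """Allowlist by service-account name or by authorized VPN egress CIDR."""
    if event["target_user"] in ALLOWLISTED_ACCOUNTS:
        return True
    ip = ipaddress.ip_address(event["principal_ip"])
    return any(ip in n for n in AUTHORIZED_VPN_CIDRS)


def matches_rule(event):
    """Mirror the rule's events section; return the hosting hit or None."""
    if event["event_type"] != "USER_LOGIN":
        return None
    user = event["target_user"]
    if not user or ANON_RE.search(user):
        return None
    hit = classify_ip(event["principal_ip"])
    if hit is None or is_tuned_out(event):
        return None
    return hit


def summarize(user, window):
    """Build the outcome fields the rule exposes for one user window."""
    return {
        "target_user": user,
        "window_start": window[0][0]["ts"],
        "risk_score": max(score for _, (_, score) in window),
        "event_count": len({ev["id"] for ev, _ in window}),
        "unique_ips": len({ev["principal_ip"] for ev, _ in window}),
        "src_ip": sorted({ev["principal_ip"] for ev, _ in window}),
        "providers": sorted({label for _, (label, _) in window}),
    }


def detect(events):
    """Group matching logins per user into 1h windows (simplified tumbling
    windows; Chronicle's match windows are hopping) and summarize each."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = matches_rule(ev)
        if hit:
            by_user[ev["target_user"]].append((ev, hit))
    alerts = []
    for user, items in by_user.items():
        windows = []
        for ev, hit in items:
            if windows and ev["ts"] - windows[-1][0][0]["ts"] <= WINDOW:
                windows[-1].append((ev, hit))
            else:
                windows.append([(ev, hit)])
        alerts.extend(summarize(user, w) for w in windows)
    return alerts


T0 = datetime(2024, 1, 1, 9, 0, 0)


def _ev(i, minutes, ip, user, etype="USER_LOGIN"):
    return {"id": f"e{i}", "ts": T0 + timedelta(minutes=minutes), "event_type": etype,
            "principal_ip": ip, "target_user": user}


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    _ev(1, 0, "185.220.101.5", "alice"),        # Tor/proxy tier
    _ev(2, 10, "167.71.4.20", "alice"),         # DigitalOcean, same window
    _ev(3, 5, "10.1.2.3", "bob"),               # private range, ignored
    _ev(4, 0, "104.248.9.9", "svc-pagerduty-integration"),  # allowlisted account
    _ev(5, 0, "95.217.10.77", "carol"),         # authorized VPN egress CIDR
    _ev(6, 180, "51.77.8.8", "alice"),          # OVH, opens a second window
    _ev(7, 0, "194.5.3.3", "ANONYMOUS LOGON"),  # anonymous principal excluded
    _ev(8, 0, "194.5.3.3", "dave", "NETWORK_CONNECTION"),  # not a login
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the file prints two alerts, both for alice: the first window carries the Tor and DigitalOcean logins at risk score 90 with two distinct source IPs, the second holds the OVH login three hours later at 55. The private-range, allowlisted, VPN-egress and anonymous logins and the non-login event produce nothing. A production version would read the CIDRs and allowlists from Chronicle reference lists rather than constants, and should expect slightly different grouping from Chronicle's hopping match windows.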

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services

    Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.

  2. Test 2: Simulate Authentication from VPS Infrastructure via Proxied HTTP Request

    Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event 3 (NetworkConnect) visible for the outbound proxy connection.

  3. Test 3: Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)

    Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in AzureActivity table in Sentinel and azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.
