T1583 Elastic Security · Elastic

Detect Acquire Infrastructure in Elastic Security

This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Canonical reference
https://attack.mitre.org/techniques/T1583/

Elastic Detection Query

Elastic Security (Elastic)
eql 
authentication where event.outcome in ("success", "failure")
  and not source.ip in ("127.0.0.1", "::1", "0.0.0.0")
  and not cidrMatch(source.ip, "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "fc00::/7", "fe80::/10")
  and (
    cidrMatch(source.ip, "185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16", "194.165.0.0/16", "146.70.0.0/16") or
    cidrMatch(source.ip, "167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "159.65.0.0/16", "138.197.0.0/16") or
    cidrMatch(source.ip, "95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16", "5.9.0.0/16") or
    cidrMatch(source.ip, "51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16", "54.36.0.0/16", "141.95.0.0/16") or
    cidrMatch(source.ip, "45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16", "207.246.0.0/16") or
    cidrMatch(source.ip, "194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16")
  )
high severity medium confidence

Detects authentication events (successful and failed) originating from IP ranges associated with known bulletproof hosting providers, VPS providers, and residential proxy networks commonly leveraged as adversary-acquired infrastructure. Covers M247, DigitalOcean, Hetzner, OVH, Vultr, Tor exit nodes, and known proxy ranges. Alerts on logon activity from these ranges to identify adversary pre-positioning or active use of acquired external infrastructure against target identity systems.

Data Sources

Elastic SIEM / Elastic SecurityWindows Security Event Logs (via Elastic Agent or Winlogbeat)Azure AD / Okta authentication logs via Elastic integrationsNetwork flow data enriched with source IP

Required Tables

logs-system.security*logs-windows.forwarded*.ds-logs-endpoint.events.authentication*logs-azure.signinlogs*

False Positives & Tuning

  • Legitimate remote employees or contractors using commercial VPN services (e.g., NordVPN, ExpressVPN) whose exit nodes fall in DigitalOcean or Hetzner IP ranges — common for privacy-conscious workers in high-censorship regions.
  • Automated CI/CD pipelines or DevOps tooling hosted on cloud providers (GitHub Actions runners, GitLab CI, CircleCI) that authenticate against internal systems from OVH or DigitalOcean egress IPs.
  • Vendor or third-party managed services that host their infrastructure on VPS providers and authenticate via service accounts — particularly common with offshore managed security providers.
  • IT administrators using jump hosts or bastion servers provisioned in cloud providers to manage remote infrastructure, generating authentication events from VPS IP ranges.
Download portable Sigma rule (.yml)

Other platforms for T1583

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services

    Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.

  2. Test 2Simulate Authentication from VPS Infrastructure via Proxied HTTP Request

    Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event 3 (NetworkConnect) visible for the outbound proxy connection.

  3. Test 3Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)

    Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in AzureActivity table in Sentinel and azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.

Last updated: 2026-04-13 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1583 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (8)

Related Techniques

T1583.001DomainsT1583.002DNS ServerT1583.003Virtual Private ServerT1583.004ServerT1583.005BotnetT1583.006Web ServicesT1583.007ServerlessT1583.008MalvertisingT1584Compromise InfrastructureT1090ProxyT1078Valid AccountsT1110Brute ForceT1588Obtain Capabilities

Same Tactic: Resource Development

Popular Detections