T1583 CrowdStrike LogScale · LogScale

Detect Acquire Infrastructure in CrowdStrike LogScale

This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1583 Acquire Infrastructure
Canonical reference: https://attack.mitre.org/techniques/T1583/

LogScale Detection Query

CrowdStrike LogScale (CQL):

#event_simpleName=UserLogon OR #event_simpleName=UserLogonFailed OR #event_simpleName=UserLogonFailed2
| RemoteAddressIP4=*
| RemoteAddressIP4!="127.0.0.1"
| RemoteAddressIP4!="0.0.0.0"
// Drop RFC 1918 sources; only external remote addresses are of interest
| !cidr(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"])
// Classify the source address and assign a threat score; the first matching branch wins
| case {
    cidr(field=RemoteAddressIP4, subnet=["185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16", "194.165.0.0/16", "146.70.0.0/16"]) | infra_category := "known_tor_exit_or_proxy" | threat_score := 9;
    cidr(field=RemoteAddressIP4, subnet=["167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "159.65.0.0/16", "138.197.0.0/16"]) | infra_category := "digitalocean" | threat_score := 6;
    cidr(field=RemoteAddressIP4, subnet=["95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16", "5.9.0.0/16"]) | infra_category := "hetzner" | threat_score := 6;
    cidr(field=RemoteAddressIP4, subnet=["51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16", "54.36.0.0/16", "141.95.0.0/16"]) | infra_category := "ovh" | threat_score := 5;
    cidr(field=RemoteAddressIP4, subnet=["45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16", "207.246.0.0/16"]) | infra_category := "vultr" | threat_score := 5;
    cidr(field=RemoteAddressIP4, subnet=["194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16"]) | infra_category := "m247_bulletproof" | threat_score := 8;
    * | infra_category := "unknown" | threat_score := 3
  }
| infra_category != "unknown"
// Exclude empty and anonymous logons before aggregating
| UserName != ""
| UserName != /(?i)anonymous/
| groupBy([UserName, infra_category, ComputerName, threat_score], function=[
    count(as=event_count),
    count(RemoteAddressIP4, distinct=true, as=unique_source_ips),
    // collect() keeps the field name; up to 10 source addresses per group
    collect([RemoteAddressIP4], limit=10),
    min(@timestamp, as=first_seen),
    max(@timestamp, as=last_seen)
  ])
| sort([threat_score, event_count], order=desc)

Severity: high. Confidence: medium.

CrowdStrike LogScale (Humio) query detecting UserLogon and UserLogonFailed events where the remote source IP matches known adversary-acquired infrastructure ranges. It classifies source IPs against CIDR blocks for Tor exit nodes, M247 bulletproof hosting, DigitalOcean, Hetzner, OVH, and Vultr, using LogScale's cidr() function for efficient range lookups. Results are grouped by user, infrastructure category, and host to surface accounts authenticating from known threat actor hosting ranges. Threat scores run from 8-9 for the highest-risk providers (Tor, M247) down to 5 for general VPS providers.

Data Sources

  • CrowdStrike Falcon platform
  • CrowdStrike Falcon sensor authentication telemetry (UserLogon, UserLogonFailed events)
  • CrowdStrike Identity Protection (Falcon Identity Threat Detection) authentication events
  • Windows logon telemetry collected by Falcon sensor

Required Tables

  • UserLogon
  • UserLogonFailed
  • UserLogonFailed2

False Positives & Tuning

  • Corporate users connecting through their organization's cloud-hosted VPN concentrators on DigitalOcean or Hetzner — the Falcon sensor records the VPN egress IP as the remote address, which may match hosting provider ranges even for legitimate authenticated sessions.
  • Security operations center analysts using cloud-hosted jump hosts or security tooling platforms (SAST scanners, vulnerability managers) running on OVH or Vultr that initiate authenticated sessions to managed endpoints.
  • Legitimate IT contractors working remotely from their own infrastructure hosted on VPS providers — especially common in MSP/MSSP environments where engineers manage customer systems from cloud-based RMM platforms on Vultr or OVH.
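As an added example (not part of the original page or of CrowdStrike's code), the following Python models the query's classification, scoring and grouping over constructed Falcon-style events, and adds the allowlist tuning suggested above: an assumed corporate VPN concentrator egress range (167.71.10.0/24, a constructed value inside a DigitalOcean block) is suppressed before classification, so legitimate VPN sessions no longer surface as hosting-provider sign-ins.

```python
import ipaddress
from collections import defaultdict
# CIDR blocks mirror the query; list order matches the precedence of its case{} branches.
INFRA = [(cat, score, [ipaddress.ip_network(n) for n in nets]) for cat, score, nets in [
    ("known_tor_exit_or_proxy", 9, ["185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16", "194.165.0.0/16", "146.70.0.0/16"]),
    ("digitalocean", 6, ["167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "159.65.0.0/16", "138.197.0.0/16"]),
    ("hetzner", 6, ["95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16", "5.9.0.0/16"]),
    ("ovh", 5, ["51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16", "54.36.0.0/16", "141.95.0.0/16"]),
    ("vultr", 5, ["45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16", "207.246.0.0/16"]),
    ("m247_bulletproof", 8, ["194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16"]),
]]
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
# Tuning allowlist (constructed value): the organisation's own cloud-hosted VPN concentrator egress.
CORP_VPN_EGRESS = [ipaddress.ip_network("167.71.10.0/24")]
LOGON_EVENTS = ("UserLogon", "UserLogonFailed", "UserLogonFailed2")

def classify(ip_str):
    """Return (infra_category, threat_score) for a remote address, or None if the query would drop it."""
    ip = ipaddress.ip_address(ip_str)
    if ip_str in ("127.0.0.1", "0.0.0.0") or any(ip in n for n in PRIVATE + CORP_VPN_EGRESS):
        return None
    for cat, score, nets in INFRA:
        if any(ip in n for n in nets):
            return cat, score
    return None  # the query's "unknown" bucket is filtered out

def summarise(events):
    """groupBy([UserName, infra_category, ComputerName, threat_score]) with the same aggregates as the query."""
    groups = defaultdict(lambda: {"event_count": 0, "source_ips": set(), "first_seen": float("inf"), "last_seen": float("-inf")})
    for ev in events:
        user = ev.get("UserName", "")
        if ev["event_simpleName"] not in LOGON_EVENTS or not user or "anonymous" in user.lower():
            continue
        hit = classify(ev["RemoteAddressIP4"])
        if hit is None:
            continue
        g = groups[(user, hit[0], ev["ComputerName"], hit[1])]
        g["event_count"] += 1
        g["source_ips"].add(ev["RemoteAddressIP4"])
        g["first_seen"], g["last_seen"] = min(g["first_seen"], ev["timestamp"]), max(g["last_seen"], ev["timestamp"])
    return sorted(groups.items(), key=lambda kv: (kv[0][3], kv[1]["event_count"]), reverse=True)  # threat_score, then event_count, desc

SAMPLE_EVENTS = [  # constructed Falcon-style events, not real telemetry
    {"event_simpleName": "UserLogonFailed2", "UserName": "svc-backup", "ComputerName": "DC01", "RemoteAddressIP4": "185.220.101.5", "timestamp": 100},
    {"event_simpleName": "UserLogon", "UserName": "svc-backup", "ComputerName": "DC01", "RemoteAddressIP4": "185.220.101.9", "timestamp": 160},
    {"event_simpleName": "UserLogon", "UserName": "alice", "ComputerName": "WS22", "RemoteAddressIP4": "167.71.10.7", "timestamp": 120},  # corp VPN egress: suppressed
    {"event_simpleName": "UserLogon", "UserName": "ANONYMOUS LOGON", "ComputerName": "FS01", "RemoteAddressIP4": "95.217.4.4", "timestamp": 140},  # excluded by name
    {"event_simpleName": "UserLogon", "UserName": "carol", "ComputerName": "FS01", "RemoteAddressIP4": "51.77.8.8", "timestamp": 150},
]
```

Running summarise(SAMPLE_EVENTS) yields two groups: svc-backup on DC01 from the Tor/proxy range (score 9, two events, two distinct IPs) ahead of carol on FS01 from OVH (score 5); alice's VPN session and the anonymous logon are suppressed.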

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services

    Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.

  2. Test 2: Simulate Authentication from VPS Infrastructure via Proxied HTTP Request

    Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event ID 3 (NetworkConnect) is visible for the outbound proxy connection.

  3. Test 3: Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)

    Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in the AzureActivity table in Sentinel and the azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.
