Detect Acquire Infrastructure in IBM QRadar
This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Canonical reference: https://attack.mitre.org/techniques/T1583/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    username,
    sourceip,
    CATEGORYNAME(category) AS event_category,
    QIDNAME(qid) AS event_name,
    LOGSOURCENAME(logsourceid) AS log_source,
    CASE
        WHEN INCIDR('185.220.0.0/16', sourceip) THEN 'known_tor_exit_or_proxy'
        WHEN INCIDR('185.209.0.0/16', sourceip) THEN 'known_tor_exit_or_proxy'
        WHEN INCIDR('45.83.0.0/16', sourceip) THEN 'known_tor_exit_or_proxy'
        WHEN INCIDR('167.71.0.0/16', sourceip) THEN 'digitalocean'
        WHEN INCIDR('104.248.0.0/16', sourceip) THEN 'digitalocean'
        WHEN INCIDR('68.183.0.0/16', sourceip) THEN 'digitalocean'
        WHEN INCIDR('138.197.0.0/16', sourceip) THEN 'digitalocean'
        WHEN INCIDR('95.217.0.0/16', sourceip) THEN 'hetzner'
        WHEN INCIDR('116.202.0.0/16', sourceip) THEN 'hetzner'
        WHEN INCIDR('135.181.0.0/16', sourceip) THEN 'hetzner'
        WHEN INCIDR('65.109.0.0/16', sourceip) THEN 'hetzner'
        WHEN INCIDR('51.77.0.0/16', sourceip) THEN 'ovh'
        WHEN INCIDR('51.68.0.0/16', sourceip) THEN 'ovh'
        WHEN INCIDR('178.32.0.0/16', sourceip) THEN 'ovh'
        WHEN INCIDR('45.32.0.0/16', sourceip) THEN 'vultr'
        WHEN INCIDR('66.175.0.0/16', sourceip) THEN 'vultr'
        WHEN INCIDR('104.156.0.0/16', sourceip) THEN 'vultr'
        WHEN INCIDR('194.5.0.0/16', sourceip) THEN 'm247_bulletproof'
        WHEN INCIDR('93.115.0.0/16', sourceip) THEN 'm247_bulletproof'
        WHEN INCIDR('92.223.0.0/16', sourceip) THEN 'm247_bulletproof'
        ELSE 'unknown'
    END AS infra_category,
    COUNT(*) AS event_count
FROM events
WHERE
    devicetype IN (12, 253, 352)
    AND category IN (5000, 5001, 5002, 5003)
    AND username IS NOT NULL
    AND username != '-'
    AND username != 'ANONYMOUS LOGON'
    AND NOT INCIDR('10.0.0.0/8', sourceip)
    AND NOT INCIDR('192.168.0.0/16', sourceip)
    AND NOT INCIDR('172.16.0.0/12', sourceip)
    AND NOT INCIDR('127.0.0.0/8', sourceip)
GROUP BY username, infra_category, sourceip
HAVING
    infra_category != 'unknown'
ORDER BY
    CASE
        WHEN infra_category = 'm247_bulletproof' THEN 1
        WHEN infra_category = 'known_tor_exit_or_proxy' THEN 2
        WHEN infra_category = 'digitalocean' THEN 3
        WHEN infra_category = 'hetzner' THEN 4
        WHEN infra_category = 'ovh' THEN 5
        WHEN infra_category = 'vultr' THEN 6
        ELSE 7
    END ASC,
    event_count DESC
LAST 24 HOURS

QRadar AQL rule detecting authentication events (successful, failed, and explicit credential use) from IP address ranges associated with acquired adversary infrastructure, including bulletproof hosting (M247), Tor exit/proxy nodes, and major VPS providers (DigitalOcean, Hetzner, OVH, Vultr). Uses the QRadar INCIDR() function to match sourceip against known hosting provider CIDR blocks, and the LAST 24 HOURS clause to bound the search window. Groups by username, infrastructure category and source IP to surface accounts authenticating from adversary-acquired infrastructure; the ORDER BY ranks bulletproof hosting and Tor/proxy sources above ordinary VPS providers so the highest-risk rows appear first.
Data Sources
Required Tables
False Positives & Tuning
- Security researchers or red team operators using VPS instances for legitimate authorized penetration testing — these should be documented in a known-good IP allowlist maintained by the security team.
- Remote workers routing through corporate VPN concentrators hosted in cloud providers (DigitalOcean, OVH, Hetzner) — common for organizations using cloud-hosted VPN gateways rather than on-premises appliances.
- Automated monitoring or alerting systems hosted in cloud environments that authenticate to on-premises resources to pull metrics or push alerts — service account authentication from cloud-hosted monitoring agents.
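The query above and the tuning notes describe one pipeline: classify each authentication source IP into a hosting or proxy category, drop internal sources, skip allowlisted known-good infrastructure, and aggregate by user and category in severity order. The following Python script is an added example, not part of the detection package; it models that pipeline offline so the CIDR matching, exclusion and allowlist logic can be exercised against constructed events before the AQL is tuned. The CIDR blocks mirror the query; the allowlist entries and sample events are hypothetical.

```python
"""Offline model of the QRadar T1583 detection: classify auth source IPs into
the query's hosting/proxy categories, drop RFC 1918 and loopback sources,
apply a known-good allowlist (the tuning step), aggregate by user, category
and source IP, and order rows by severity. Added example; CIDR blocks mirror
the AQL, allowlist entries and sample events are constructed."""
import ipaddress
from collections import Counter

# Same /16 blocks as the AQL CASE expression, evaluated in the same order.
INFRA_BLOCKS = [
    ("known_tor_exit_or_proxy", ["185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16"]),
    ("digitalocean", ["167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16", "138.197.0.0/16"]),
    ("hetzner", ["95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16", "65.109.0.0/16"]),
    ("ovh", ["51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16"]),
    ("vultr", ["45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16"]),
    ("m247_bulletproof", ["194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16"]),
]
INFRA_NETS = [(cat, [ipaddress.ip_network(c) for c in cidrs]) for cat, cidrs in INFRA_BLOCKS]

# Internal and loopback ranges excluded in the WHERE clause.
EXCLUDED_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "127.0.0.0/8")]

# Severity ranking from the ORDER BY clause (lower value sorts first).
SEVERITY = {"m247_bulletproof": 1, "known_tor_exit_or_proxy": 2, "digitalocean": 3,
            "hetzner": 4, "ovh": 5, "vultr": 6}

# Hypothetical known-good allowlist: a cloud-hosted VPN gateway and a
# cloud-hosted monitoring agent, the false-positive sources named above.
ALLOWLIST = {
    "corp-vpn-gateway": ipaddress.ip_network("51.77.10.0/24"),
    "monitoring-agent": ipaddress.ip_network("167.71.200.5/32"),
}


def classify_ip(ip):
    """Return the infra category for ip, or 'unknown' (mirrors the CASE)."""
    addr = ipaddress.ip_address(ip)
    for cat, nets in INFRA_NETS:
        if any(addr in n for n in nets):
            return cat
    return "unknown"


def is_excluded(ip):
    """True for RFC 1918 and loopback sources the WHERE clause drops."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in EXCLUDED_NETS)


def allowlisted(ip):
    """Name of the allowlist entry covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in ALLOWLIST.items():
        if addr in net:
            return name
    return None


def run_detection(events):
    """Aggregate auth events (dicts with username, sourceip) as the query does:
    drop unusable usernames and internal sources, skip allowlisted sources,
    count per (username, category, sourceip), keep only categorised rows,
    and order by severity then event count."""
    counts = Counter()
    for ev in events:
        user = ev.get("username")
        if not user or user in ("-", "ANONYMOUS LOGON"):
            continue
        ip = ev["sourceip"]
        if is_excluded(ip) or allowlisted(ip):
            continue
        cat = classify_ip(ip)
        if cat == "unknown":
            continue
        counts[(user, cat, ip)] += 1
    rows = [{"username": u, "infra_category": c, "sourceip": ip, "event_count": n}
            for (u, c, ip), n in counts.items()]
    rows.sort(key=lambda r: (SEVERITY.get(r["infra_category"], 7), -r["event_count"]))
    return rows


# Constructed sample authentication events (not real telemetry).
SAMPLE_EVENTS = [
    {"username": "svc-backup", "sourceip": "194.5.12.7"},      # bulletproof hosting block
    {"username": "svc-backup", "sourceip": "194.5.12.7"},
    {"username": "jdoe", "sourceip": "185.220.101.4"},         # Tor exit / proxy block
    {"username": "jdoe", "sourceip": "10.20.30.40"},           # internal, excluded
    {"username": "ANONYMOUS LOGON", "sourceip": "45.32.9.9"},  # unusable username
    {"username": "asmith", "sourceip": "51.77.10.22"},         # OVH but allowlisted VPN gateway
    {"username": "monitor", "sourceip": "167.71.200.5"},       # DO but allowlisted monitoring agent
    {"username": "asmith", "sourceip": "8.8.8.8"},             # not in any tracked block
]

if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running the script prints two rows: the service account authenticating from the M247 block first, then the user from the Tor/proxy block; the OVH and DigitalOcean sources are suppressed only because they fall inside the allowlist, which is where the tuning for cloud-hosted VPN gateways and monitoring agents belongs rather than in the CIDR table itself.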
Other platforms for T1583
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services
Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.
- Test 2: Simulate Authentication from VPS Infrastructure via Proxied HTTP Request
Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event 3 (NetworkConnect) visible for the outbound proxy connection.
- Test 3: Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)
Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in AzureActivity table in Sentinel and azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.
References
- https://attack.mitre.org/techniques/T1583/
- https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime
- https://hunt.io/blog/sea-turtle-dns-hijacking
- https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
- https://www.microsoft.com/security/blog/2022/10/03/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/