T1583 Microsoft Sentinel · KQL

Detect Acquire Infrastructure in Microsoft Sentinel

This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations, including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. T1583 sits in the Resource Development tactic: the acquisition itself happens before compromise and outside the victim's visibility, so detection has to focus on the artifacts that acquired infrastructure leaves inside the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1583 Acquire Infrastructure
Canonical reference
https://attack.mitre.org/techniques/T1583/

KQL Detection Query

Microsoft Sentinel (KQL)
let HostingProviderASNs = dynamic([
    9009,   // M247 Europe SRL - frequently abused; common commercial VPN exit
    202448, // MVPS - known bulletproof hosting
    16276,  // OVH SAS
    14061,  // DigitalOcean LLC
    63949,  // Akamai Connected Cloud (Linode)
    24940,  // Hetzner Online GmbH
    51167,  // Contabo GmbH
    47583,  // Hostinger International
    60068,  // Datacamp Limited - hosting/CDN; frequent VPN exit nodes
    174,    // Cogent Communications - Tier-1 transit carrier; many legitimate customers, tune or drop
    3257    // GTT Communications - Tier-1 transit carrier; same caveat
]);
// Whole-term matches against the named-location JSON, so a location named "Corporate VPN" also matches (see tuning)
let VPNKeywords = dynamic(["vpn", "tor", "proxy", "anonymizer", "hosting", "datacenter"]);
let PrivilegedApps = dynamic(["Azure Portal", "Microsoft Azure Management", "Azure Active Directory"]);
SigninLogs   // Entra ID interactive sign-ins; union AADNonInteractiveUserSignInLogs to cover token refreshes as well
| where TimeGenerated >= ago(24h)
| where ResultType == "0"   // successful sign-ins only
| where AutonomousSystemNumber in (HostingProviderASNs)
    or NetworkLocationDetails has_any (VPNKeywords)
    or RiskEventTypes_V2 has_any ("anonymizedIPAddress", "maliciousIPAddress")   // Identity Protection verdicts
| where isnotempty(IPAddress) and IPAddress !in ("127.0.0.1", "::1", "0.0.0.0")
| summarize
    SignInCount = count(),
    UniqueSourceIPs = dcount(IPAddress),
    TargetApps = make_set(AppDisplayName, 10),
    ClientApps = make_set(ClientAppUsed, 5),
    LocationDetails = make_set(tostring(LocationDetails), 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, AutonomousSystemNumber, NetworkLocationDetails   // one row per account, ASN and named-location set
| extend RiskScore = case(
    tostring(TargetApps) has_any (PrivilegedApps), 9,   // first matching branch wins
    UniqueSourceIPs > 5, 8,
    UniqueSourceIPs > 2, 6,
    SignInCount > 10, 5,
    4)
| where RiskScore >= 5
| project TimeGenerated = LastSeen, UserPrincipalName, RiskScore, SignInCount,
    UniqueSourceIPs, AutonomousSystemNumber, TargetApps, ClientApps, NetworkLocationDetails,
    FirstSeen, LastSeen
| sort by RiskScore desc, SignInCount desc
Severity: High · Confidence: Medium

Detects successful Microsoft Entra ID sign-ins (SigninLogs) that originate from autonomous system numbers (ASNs) associated with known VPS and bulletproof hosting providers, from named locations whose name suggests a VPN or proxy, or from IPs that Identity Protection has flagged as anonymized or malicious. The risk score is raised when privileged management applications (Azure Portal, Azure management APIs) are targeted, or when one account authenticates from several source IPs within the same ASN, a pattern consistent with an adversary rotating through acquired infrastructure to reach organizational resources.
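
To make the filter and scoring logic testable before it is tuned, here is a Python model of the query above. It is an added example written for this page, not code from the original rule or from Microsoft: it reproduces the `where` filters, the grouping key and the `case()` ordering, approximates KQL `has_any` as case-insensitive whole-term matching, and adds a hypothetical `allow_asns` parameter for the exclusions described under False Positives. The sign-in records are constructed (the tenant name, UPNs and addresses are placeholders from documentation ranges), so it runs offline.

```python
"""Offline model of the SigninLogs detection, run over constructed sample records (added example)."""
import re
from collections import defaultdict

HOSTING_PROVIDER_ASNS = {9009, 202448, 16276, 14061, 63949, 24940, 51167, 47583, 60068, 174, 3257}
VPN_KEYWORDS = ("vpn", "tor", "proxy", "anonymizer", "hosting", "datacenter")
RISKY_IP_EVENTS = ("anonymizedIPAddress", "maliciousIPAddress")
PRIVILEGED_APPS = {"azure portal", "microsoft azure management", "azure active directory"}
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def has_any(text: str, terms) -> bool:
    """Approximate KQL `has_any`: whole-term, case-insensitive. 'Hostinger' does not match 'hosting'."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return any(t.lower() in tokens for t in terms)


def row_matches(rec: dict, allow_asns=frozenset()) -> bool:
    """Per-row filter mirroring the `where` clauses; allow_asns is a hypothetical tuning hook."""
    if rec["ResultType"] != "0" or rec["IPAddress"] in LOOPBACK:
        return False
    asn = rec["AutonomousSystemNumber"]
    if asn in allow_asns:  # e.g. the ASN of a corporate-approved VPN service
        return False
    return (asn in HOSTING_PROVIDER_ASNS
            or has_any(rec.get("NetworkLocationDetails", ""), VPN_KEYWORDS)
            or has_any(rec.get("RiskEventTypes_V2", ""), RISKY_IP_EVENTS))


def risk_score(target_apps, unique_ips: int, sign_ins: int) -> int:
    """Same ordering as the KQL `case()`: the first matching branch wins."""
    if any(a.lower() in PRIVILEGED_APPS for a in target_apps):
        return 9
    if unique_ips > 5:
        return 8
    if unique_ips > 2:
        return 6
    if sign_ins > 10:
        return 5
    return 4


def run_detection(records, allow_asns=frozenset(), min_score: int = 5):
    """Group matching rows by (UPN, ASN, NetworkLocationDetails), score, threshold and sort."""
    groups = defaultdict(list)
    for rec in records:
        if row_matches(rec, allow_asns):
            key = (rec["UserPrincipalName"], rec["AutonomousSystemNumber"], rec.get("NetworkLocationDetails", ""))
            groups[key].append(rec)
    results = []
    for (upn, asn, loc), rows in groups.items():
        ips = {r["IPAddress"] for r in rows}
        apps = sorted({r["AppDisplayName"] for r in rows})
        score = risk_score(apps, len(ips), len(rows))
        if score >= min_score:
            results.append({"UserPrincipalName": upn, "AutonomousSystemNumber": asn, "RiskScore": score,
                            "SignInCount": len(rows), "UniqueSourceIPs": len(ips), "TargetApps": apps,
                            "NetworkLocationDetails": loc})
    return sorted(results, key=lambda r: (-r["RiskScore"], -r["SignInCount"]))


def _rec(upn, asn, ip, app, result="0", loc="[]", risk="[]"):
    """Build one constructed SigninLogs-shaped record (only the columns the rule reads)."""
    return {"UserPrincipalName": upn, "AutonomousSystemNumber": asn, "IPAddress": ip, "AppDisplayName": app,
            "ResultType": result, "NetworkLocationDetails": loc, "RiskEventTypes_V2": risk}


# Constructed sample sign-ins: hypothetical tenant contoso.example, documentation IP ranges and ASNs.
SAMPLE_SIGNINS = [
    # Admin portal reached from three M247 (AS9009) addresses -> privileged-app branch, score 9
    _rec("alice@contoso.example", 9009, "203.0.113.10", "Azure Portal"),
    _rec("alice@contoso.example", 9009, "203.0.113.11", "Azure Portal"),
    _rec("alice@contoso.example", 9009, "203.0.113.12", "Office 365 Exchange Online"),
    # Teams from three OVH (AS16276) addresses -> UniqueSourceIPs > 2, score 6
    _rec("frank@contoso.example", 16276, "198.51.100.1", "Microsoft Teams"),
    _rec("frank@contoso.example", 16276, "198.51.100.2", "Microsoft Teams"),
    _rec("frank@contoso.example", 16276, "198.51.100.3", "Microsoft Teams"),
    # Single Hetzner (AS24940) mailbox sign-in -> score 4, below the threshold
    _rec("bob@contoso.example", 24940, "192.0.2.5", "Office 365 Exchange Online"),
    # Failed sign-in from DigitalOcean (AS14061) -> excluded by ResultType
    _rec("dave@contoso.example", 14061, "192.0.2.9", "Azure Portal", result="50126"),
    # ASN not on the list, but Identity Protection flagged the IP as anonymized -> matched, score 4
    _rec("erin@contoso.example", 64496, "192.0.2.20", "Office 365 SharePoint Online", risk='["anonymizedIPAddress"]'),
    # Ordinary ISP ASN (64497, reserved for documentation), nothing suspicious -> not matched
    _rec("carol@contoso.example", 64497, "192.0.2.30", "Microsoft Teams"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_SIGNINS):
        print(hit["RiskScore"], hit["UserPrincipalName"], hit["AutonomousSystemNumber"], hit["TargetApps"])
```

Running it yields two rows (alice at 9, frank at 6); bob and erin match the row filter but fall below the score threshold, and dave is dropped by `ResultType`. Passing `allow_asns={16276}` removes frank, which is the quickest way to check what a proposed exclusion would have suppressed in a day of real data before editing the live rule.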

Data Sources

Microsoft Entra ID (formerly Azure Active Directory)

Required Tables

SigninLogs (Microsoft Entra ID interactive sign-in logs; optionally AADNonInteractiveUserSignInLogs)

False Positives & Tuning

  • Employees legitimately connecting via corporate-approved VPN services that share ASNs with commercial hosting providers
  • Remote developers or contractors using DigitalOcean, Hetzner, or OVH hosted jump boxes for legitimate administrative access
  • Automated service accounts or CI/CD pipelines running in cloud-hosted environments that authenticate to organizational APIs
  • Security researchers or penetration testers operating from known hosting providers during authorized engagements
  • Employees traveling internationally who use commercial VPN services that route through hosting provider IP ranges
  • AS174 (Cogent) and AS3257 (GTT) are Tier-1 transit carriers whose customer base includes ordinary enterprise networks, so they generate far more noise than the VPS entries; drop them or move them to a lower-scoring tier
  • The VPNKeywords match runs against the organization's own named-location names in NetworkLocationDetails, so a trusted named location called "Corporate VPN" will match; exclude trusted named locations explicitly rather than by keyword

Testing Methodology

Validate this detection with the three adversary simulations below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Only Test 2 produces rows in SigninLogs; Tests 1 and 3 generate endpoint DNS and Azure Activity telemetry that this query does not consume, so they exercise neighbouring detections rather than this rule.

  1. Test 1: Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services

    Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.

  2. Test 2: Simulate Authentication from VPS Infrastructure via Proxied HTTP Request

    Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, SigninLogs records the VPS IP as the source together with its AutonomousSystemNumber, which is what the query above keys on. Sysmon Event ID 3 (NetworkConnect) is visible for the outbound proxy connection.

  3. Test 3: Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)

    Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in the AzureActivity table in Sentinel and the azure:activity sourcetype in Splunk. May also raise Microsoft Defender for Cloud (formerly Azure Security Center) alerts if it is enabled on the subscription.
