Detect Acquire Infrastructure in Splunk
This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1583 Acquire Infrastructure
- Canonical reference
- https://attack.mitre.org/techniques/T1583/
SPL Detection Query
index=windows sourcetype="WinEventLog:Security"
(EventCode=4624 OR EventCode=4625 OR EventCode=4648)
| eval src_ip=coalesce(IpAddress, Source_Network_Address)
| where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND isnotnull(src_ip)
| where NOT match(src_ip, "^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|fc00:|fe80:)")
| eval infra_category=case(
match(src_ip, "^(185\.220\.|185\.209\.|45\.83\.|194\.165\.|146\.70\.)"), "known_tor_exit_or_proxy",
match(src_ip, "^(167\.71\.|104\.248\.|68\.183\.|159\.65\.|138\.197\.)"), "digitalocean",
match(src_ip, "^(95\.217\.|116\.202\.|135\.181\.|65\.109\.|5\.9\.)"), "hetzner",
match(src_ip, "^(51\.77\.|51\.68\.|178\.32\.|54\.36\.|141\.95\.)"), "ovh",
match(src_ip, "^(45\.32\.|66\.175\.|104\.156\.|207\.246\.)"), "vultr",
match(src_ip, "^(194\.5\.|93\.115\.|92\.223\.)"), "m247_bulletproof",
null())
| where isnotnull(infra_category)
| eval event_desc=case(
EventCode=="4624", "Successful Logon",
EventCode=="4625", "Failed Logon",
EventCode=="4648", "Explicit Credential Logon",
"Unknown")
| eval logon_type_desc=case(
Logon_Type=="2", "Interactive",
Logon_Type=="3", "Network",
Logon_Type=="7", "Unlock",
Logon_Type=="10", "RemoteInteractive",
Logon_Type=="11", "CachedInteractive",
Logon_Type)
| stats count as event_count,
values(event_desc) as event_types,
values(logon_type_desc) as logon_types,
dc(src_ip) as unique_ips,
earliest(_time) as first_seen,
latest(_time) as last_seen
by Account_Name, infra_category, Workstation_Name
| where event_count >= 1
| eval threat_score=case(
infra_category="known_tor_exit_or_proxy" AND event_count > 1, 9,
infra_category="m247_bulletproof", 8,
unique_ips > 3, 7,
event_count > 10, 6,
3)
| sort -threat_score
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(first_seen) ctime(last_seen)
| table Account_Name, infra_category, event_count, unique_ips, event_types, logon_types, threat_score, first_seen, last_seenDetects Windows authentication events (successful logon, failed logon, explicit credential use) originating from IP ranges associated with known hosting providers, bulletproof hosts, and Tor exit nodes. Scores events by infrastructure category and frequency to surface adversary credential use from acquired infrastructure.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Remote workers connecting through commercial VPN services whose exit nodes share ranges with hosting providers
- IT administrators using hosted jump boxes (DigitalOcean, Hetzner) for administrative tasks
- Automated scripts or monitoring agents running on cloud VMs that authenticate to internal services
- Security awareness testing using known proxy infrastructure
- Contractors or vendors working from cloud-hosted development environments
Other platforms for T1583
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services
Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.
- Test 2Simulate Authentication from VPS Infrastructure via Proxied HTTP Request
Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event 3 (NetworkConnect) visible for the outbound proxy connection.
- Test 3Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)
Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in AzureActivity table in Sentinel and azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.
References (8)
- https://attack.mitre.org/techniques/T1583/
- https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime
- https://hunt.io/blog/sea-turtle-dns-hijacking
- https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
- https://www.microsoft.com/security/blog/2022/10/03/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
Unlock Pro Content
Get the full detection package for T1583 including response playbook, investigation guide, and atomic red team tests.