Detect Acquire Infrastructure in Sumo Logic CSE
This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1583 Acquire Infrastructure
- Canonical reference: https://attack.mitre.org/techniques/T1583/
Sumo Detection Query
_sourceCategory="windows/security" ("EventCode=4624" OR "EventCode=4625" OR "EventCode=4648")
| parse "EventCode=*\n" as event_code
| parse "Account Name:\t*\n" as account_name nodrop
| parse "Account Name:\t\t*\n" as account_name nodrop
| parse "Network Information:\n\t\tWorkstation Name:\t*\n" as workstation_name nodrop
| parse "Network Information:\n\t\tSource Network Address:\t*\n" as src_ip nodrop
| parse "Source Network Address:\t*\n" as src_ip nodrop
| where src_ip != "-" AND src_ip != "127.0.0.1" AND src_ip != "::1" AND !isNull(src_ip)
| where !(src_ip matches "10.*" OR src_ip matches "192.168.*" OR src_ip matches "172.16.*" OR src_ip matches "172.17.*" OR src_ip matches "172.18.*" OR src_ip matches "172.19.*" OR src_ip matches "172.20.*" OR src_ip matches "172.21.*" OR src_ip matches "172.22.*" OR src_ip matches "172.23.*" OR src_ip matches "172.24.*" OR src_ip matches "172.25.*" OR src_ip matches "172.26.*" OR src_ip matches "172.27.*" OR src_ip matches "172.28.*" OR src_ip matches "172.29.*" OR src_ip matches "172.30.*" OR src_ip matches "172.31.*")
// Sumo Logic assigns fields with "expression as field"; there is no eval or stats operator
| if(src_ip matches "185.220.*" OR src_ip matches "185.209.*" OR src_ip matches "45.83.*", "known_tor_exit_or_proxy",
  if(src_ip matches "167.71.*" OR src_ip matches "104.248.*" OR src_ip matches "68.183.*" OR src_ip matches "159.65.*" OR src_ip matches "138.197.*", "digitalocean",
  if(src_ip matches "95.217.*" OR src_ip matches "116.202.*" OR src_ip matches "135.181.*" OR src_ip matches "65.109.*" OR src_ip matches "5.9.*", "hetzner",
  if(src_ip matches "51.77.*" OR src_ip matches "51.68.*" OR src_ip matches "178.32.*" OR src_ip matches "54.36.*" OR src_ip matches "141.95.*", "ovh",
  if(src_ip matches "45.32.*" OR src_ip matches "66.175.*" OR src_ip matches "104.156.*" OR src_ip matches "207.246.*", "vultr",
  if(src_ip matches "194.5.*" OR src_ip matches "93.115.*" OR src_ip matches "92.223.*", "m247_bulletproof", "unknown")))))) as infra_category
| where infra_category != "unknown"
| if(event_code == "4624", "Successful Logon",
  if(event_code == "4625", "Failed Logon",
  if(event_code == "4648", "Explicit Credential Logon", "Unknown"))) as event_desc
| if(infra_category == "known_tor_exit_or_proxy", 9,
  if(infra_category == "m247_bulletproof", 8,
  if(infra_category == "digitalocean", 6,
  if(infra_category == "hetzner", 6,
  if(infra_category == "ovh", 5,
  if(infra_category == "vultr", 5, 3)))))) as threat_score
| count as event_count,
  values(event_desc) as event_types,
  values(src_ip) as source_ips,
  min(_messageTime) as first_seen,
  max(_messageTime) as last_seen
  by account_name, infra_category, workstation_name, threat_score
| where account_name != "ANONYMOUS LOGON" AND !isNull(account_name)
| formatDate(toLong(first_seen), "yyyy-MM-dd HH:mm:ss") as first_seen_fmt
| formatDate(toLong(last_seen), "yyyy-MM-dd HH:mm:ss") as last_seen_fmt
| fields account_name, infra_category, event_count, source_ips, event_types, threat_score, first_seen_fmt, last_seen_fmt, workstation_name
| sort by threat_score desc, event_count desc

Sumo Logic query detecting Windows authentication events (successful logon 4624, failed logon 4625, explicit credential use 4648) originating from external IP ranges associated with known adversary-acquired infrastructure. It parses Windows Security Event Log fields for source IPs, drops private and loopback addresses, and classifies the remainder against hosting provider prefix lists covering Tor exit nodes, M247 bulletproof hosting, DigitalOcean, Hetzner, OVH, and Vultr. It assigns threat scores by provider risk tier and surfaces accounts authenticating from these ranges, grouped by account, provider category, and workstation.
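The classification, scoring and aggregation stages of the query above, rewritten in Python as an added example (not part of this page or of Sumo Logic) so the logic can be exercised offline against constructed sample events before the rule is deployed. It uses a trimmed subset of the page's prefix lists (each "a.b.*" glob taken as a /16), and generalises the private-range exclusion to the full RFC 1918 and loopback set via the ipaddress module.

```python
import re
import ipaddress
from collections import defaultdict
# Per category: threat score and prefixes, mirroring the query's if-chains ("a.b.*" glob == a.b.0.0/16; lists trimmed).
INFRA = {
    "known_tor_exit_or_proxy": (9, ["185.220.0.0/16", "185.209.0.0/16", "45.83.0.0/16"]),
    "m247_bulletproof": (8, ["194.5.0.0/16", "93.115.0.0/16", "92.223.0.0/16"]),
    "digitalocean": (6, ["167.71.0.0/16", "104.248.0.0/16", "68.183.0.0/16"]),
    "hetzner": (6, ["95.217.0.0/16", "116.202.0.0/16", "135.181.0.0/16"]),
    "ovh": (5, ["51.77.0.0/16", "51.68.0.0/16", "178.32.0.0/16"]),
    "vultr": (5, ["45.32.0.0/16", "66.175.0.0/16", "104.156.0.0/16"]),
}
NETWORKS = {cat: (score, [ipaddress.ip_network(p) for p in pfx]) for cat, (score, pfx) in INFRA.items()}
EVENT_DESC = {"4624": "Successful Logon", "4625": "Failed Logon", "4648": "Explicit Credential Logon"}
FIELD_RE = {  # the same fields the query's parse statements extract
    "event_code": r"EventCode=(\d+)", "account_name": r"Account Name:\t+([^\n]+)",
    "workstation_name": r"Workstation Name:\t([^\n]*)", "src_ip": r"Source Network Address:\t([^\n]*)",
}
def classify_ip(src_ip):
    """Return (category, score), or None when src_ip is unparseable, private/loopback, or unlisted."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # "-" or empty, which the query's first where-clause drops
        return None
    if addr.is_private or addr.is_loopback:  # 10/8, 172.16/12, 192.168/16, 127/8, ::1 and friends
        return None
    return next(((c, s) for c, (s, nets) in NETWORKS.items() if any(addr in n for n in nets)), None)

def parse_event(raw):
    return {k: (m.group(1) if (m := re.search(rx, raw)) else None) for k, rx in FIELD_RE.items()}

def aggregate(raw_events):
    """Replicates the query's count/where/sort: rows keyed by (account, category, workstation, score)."""
    rows = defaultdict(lambda: {"event_count": 0, "source_ips": set(), "event_types": set()})
    for raw in raw_events:
        ev = parse_event(raw)
        hit = classify_ip(ev["src_ip"] or "")
        if hit is None or not ev["account_name"] or ev["account_name"] == "ANONYMOUS LOGON":
            continue
        row = rows[(ev["account_name"], hit[0], ev["workstation_name"], hit[1])]
        row["event_count"] += 1
        row["source_ips"].add(ev["src_ip"])
        row["event_types"].add(EVENT_DESC.get(ev["event_code"], "Unknown"))
    return sorted(rows.items(), key=lambda kv: (-kv[0][3], -kv[1]["event_count"]))
SAMPLE = [  # constructed sample events in the Windows Security log text layout the query parses
    "EventCode=4625\nAccount Name:\tadmin\nNetwork Information:\n\t\tWorkstation Name:\t-\n\t\tSource Network Address:\t185.220.101.7\n",
    "EventCode=4648\nAccount Name:\tadmin\nNetwork Information:\n\t\tWorkstation Name:\t-\n\t\tSource Network Address:\t185.220.101.9\n",
    "EventCode=4624\nAccount Name:\tsvc_backup\nNetwork Information:\n\t\tWorkstation Name:\tVPS-01\n\t\tSource Network Address:\t167.71.10.5\n",
    "EventCode=4624\nAccount Name:\tjdoe\nNetwork Information:\n\t\tWorkstation Name:\tLAPTOP-7\n\t\tSource Network Address:\t10.1.2.3\n",
]
```

Running aggregate(SAMPLE) yields two rows, the Tor-range admin activity (score 9, two events) ahead of the DigitalOcean service-account logon, while the RFC 1918 event is excluded.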
Data Sources
Required Tables
False Positives & Tuning
- Employees using commercial VPN services with exit nodes in DigitalOcean or Hetzner ranges — particularly prevalent among staff in regions with internet censorship or those using privacy tools for legitimate personal security.
- Automated backup or synchronization agents deployed on cloud VPS instances that authenticate to on-premises Active Directory to access shared file resources or databases.
- Software-as-a-Service vendors whose integration platforms are hosted on OVH or Vultr and authenticate against customer directories using SAML federation or OAuth — the source IP may appear as a VPS range.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate VPN Infrastructure Use - DNS Enumeration of Anonymization Services
Expected signal: Sysmon Event ID 22 (DnsQuery) entries for each queried domain showing QueryName, QueryResults, and the initiating PowerShell process. Also visible in DeviceNetworkEvents (ActionType: DnsQueryResponse) in Microsoft Defender for Endpoint.
- Test 2: Simulate Authentication from VPS Infrastructure via Proxied HTTP Request
Expected signal: Network connection event from the endpoint to the proxy IP. If authentication proceeds through the proxy, AADSignInLogs will record the VPS IP as the source. Sysmon Event 3 (NetworkConnect) visible for the outbound proxy connection.
- Test 3: Cloud Infrastructure Provisioning via Azure CLI (Adversary Infrastructure Simulation)
Expected signal: Azure Activity Log entries: Microsoft.Compute/virtualMachines/write, Microsoft.Network/publicIPAddresses/write, Microsoft.Resources/deployments/write. Visible in AzureActivity table in Sentinel and azure:activity sourcetype in Splunk. Also triggers Azure Security Center alerts if Defender for Cloud is enabled.
References (8)
- https://attack.mitre.org/techniques/T1583/
- https://www.mandiant.com/resources/blog/apt43-north-korea-cybercrime
- https://hunt.io/blog/sea-turtle-dns-hijacking
- https://www.sentinelone.com/labs/from-wiper-to-ransomware-the-evolution-of-agrius/
- https://www.microsoft.com/security/blog/2022/10/03/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/
- https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-011a
- https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/