Which SIEM platforms have a T1584 detection rule?

df00tech provides T1584 (Compromise Infrastructure) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Compromise Infrastructure (T1584)?

Detecting Compromise Infrastructure requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1584 detection?

The T1584 detection is rated high severity with medium confidence.

What are common false positives for T1584?

Common false positives for T1584 include: Legitimate software update services or telemetry agents making frequent connections to cloud infrastructure on shared hosting providers; VPN or proxy clients using dynamic DNS hostnames for legitimate enterprise connectivity; IT monitoring and RMM tools (e.g., ConnectWise, Kaseya) that beacon regularly to SaaS infrastructure hosted on major cloud ASNs.

T1584

Compromise Infrastructure

Resource Development Last updated: April 13, 2026

This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.

What is T1584 Compromise Infrastructure?

Compromise Infrastructure (T1584) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Compromise Infrastructure, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1584 Compromise Infrastructure
Canonical reference: https://attack.mitre.org/techniques/T1584/

Microsoft Sentinel / Defender

kusto

let SuspiciousASNs = dynamic(["AS14061", "AS16276", "AS24940", "AS20473", "AS9009"]);
let LookbackPeriod = 7d;
let BeaconingThreshold = 20;
// Part 1: Detect beaconing to infrastructure with suspicious characteristics
let BeaconingAlerts = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemotePort in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
| where not(ipv4_is_private(RemoteIP))
| summarize
    ConnectionCount = count(),
    UniqueRemotePorts = dcount(RemotePort),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleProcesses = make_set(InitiatingProcessFileName, 5)
    by DeviceId, DeviceName, RemoteIP, RemoteUrl
| where ConnectionCount >= BeaconingThreshold
| where BytesSent > 1000
// Flag where beacon interval is highly regular (potential C2)
| extend DurationHours = datetime_diff('hour', LastSeen, FirstSeen)
| where DurationHours > 1
| extend BeaconRate = toreal(ConnectionCount) / toreal(DurationHours)
| where BeaconRate between (0.5 .. 200.0)
| extend AlertType = "PotentialBeaconing";
// Part 2: Detect DNS resolutions to IPs with poor reputation characteristics
let DNSSuspicious = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
// Flag domains using dynamic DNS providers commonly abused for compromised infra
| where RemoteUrl matches regex @"(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)"
| summarize
    ConnectionCount = count(),
    UniqueDevices = dcount(DeviceId),
    SampleProcesses = make_set(InitiatingProcessFileName, 5),
    SampleIPs = make_set(RemoteIP, 5)
    by RemoteUrl
| where ConnectionCount > 0
| extend AlertType = "SuspiciousDynamicDNS";
// Part 3: Detect connections from non-browser processes to domains with short TTLs (fast-flux)
let FastFlux = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType == "ConnectionSuccess"
| where not(ipv4_is_private(RemoteIP))
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari", "opera.exe", "brave.exe")
| where InitiatingProcessFileName !in~ ("svchost.exe", "MsMpEng.exe", "SenseIR.exe", "MsSense.exe", "SenseCncProxy.exe")
| summarize
    UniqueIPs = dcount(RemoteIP),
    ConnectionCount = count(),
    DomainList = make_set(RemoteUrl, 10),
    ProcessList = make_set(InitiatingProcessFileName, 5)
    by DeviceId, DeviceName, bin(Timestamp, 1h)
| where UniqueIPs >= 5 and ConnectionCount >= 10
| extend AlertType = "PotentialFastFluxActivity";
// Union all alert types
BeaconingAlerts
| project Timestamp = LastSeen, DeviceName, RemoteIP, RemoteUrl, AlertType, ConnectionCount, BytesSent, BytesReceived, SampleProcesses
| union (
    DNSSuspicious
    | project Timestamp = now(), DeviceName = "Multiple", RemoteIP = tostring(SampleIPs[0]), RemoteUrl, AlertType, ConnectionCount, BytesSent = long(0), BytesReceived = long(0), SampleProcesses
)
| union (
    FastFlux
    | project Timestamp, DeviceName, RemoteIP = "", RemoteUrl = tostring(DomainList[0]), AlertType, ConnectionCount, BytesSent = long(0), BytesReceived = long(0), SampleProcesses = ProcessList
)
| sort by Timestamp desc

Detects three patterns consistent with adversary use of compromised infrastructure: (1) beaconing behavior from endpoints to external IPs at regular intervals with data transfer, indicative of C2 over hijacked servers; (2) DNS resolutions to known dynamic DNS providers commonly abused to proxy through compromised hosts; and (3) fast-flux-like behavior where non-browser processes rapidly connect to many distinct IPs, suggestive of botnet or compromised proxy network use.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software update services or telemetry agents making frequent connections to cloud infrastructure on shared hosting providers
VPN or proxy clients using dynamic DNS hostnames for legitimate enterprise connectivity
IT monitoring and RMM tools (e.g., ConnectWise, Kaseya) that beacon regularly to SaaS infrastructure hosted on major cloud ASNs
CDN-backed services with high IP rotation that may appear as fast-flux to endpoint telemetry
Developers running local tunneling tools (ngrok, localtunnel) that resolve to dynamic DNS entries

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:dns" OR sourcetype="stream:tcp")
| eval _time=strptime(UtcTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval earliest_time=relative_time(now(), "-7d@d")
| where _time >= earliest_time
(
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval dest_ip=DestinationIp, dest_port=DestinationPort, process=Image
  | where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fd)")
  | where dest_port IN (80, 443, 4444, 4443, 8080, 8443, 1080, 3128, 9001, 9030)
  | where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)")
  | stats count AS connection_count, dc(dest_ip) AS unique_ips, values(process) AS processes, min(_time) AS first_seen, max(_time) AS last_seen by Computer, dest_ip
  | where connection_count >= 20
  | eval duration_hours=round((last_seen - first_seen) / 3600, 2)
  | where duration_hours > 1
  | eval beacon_rate=round(connection_count / duration_hours, 2)
  | where beacon_rate > 0.5 AND beacon_rate < 200
  | eval alert_type="SuspiciousBeaconing"
  | table _time, Computer, dest_ip, connection_count, unique_ips, processes, beacon_rate, duration_hours, alert_type
  ]
  OR
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval queried_domain=QueryName, process=Image
  | where match(queried_domain, "(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch|crabdance\.com|ignorelist\.com)")
  | stats count AS query_count, dc(Computer) AS unique_hosts, values(process) AS processes, values(Computer) AS affected_hosts by queried_domain
  | where query_count >= 1
  | eval alert_type="SuspiciousDynamicDNSResolution"
  | eval _time=now()
  | table _time, queried_domain, query_count, unique_hosts, processes, affected_hosts, alert_type
  ]
  OR
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval dest_ip=DestinationIp, process=Image, src_host=Computer
  | where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
  | where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)")
  | bin _time span=1h
  | stats dc(dest_ip) AS unique_dest_ips, count AS total_connections, values(process) AS processes by src_host, _time
  | where unique_dest_ips >= 10 AND total_connections >= 20
  | eval alert_type="PotentialFastFluxOrBotnetActivity"
  | table _time, src_host, unique_dest_ips, total_connections, processes, alert_type
  ]
)
| sort - _time

Three-branch SPL detection using Sysmon Event ID 3 (Network Connection) and Event ID 22 (DNS Query): detects regular beaconing from non-browser processes to external IPs, DNS resolutions to dynamic DNS providers commonly used to re-point compromised infrastructure, and fast-flux-like behavior indicative of botnet or proxy network abuse through hijacked hosts.

high severity medium confidence

Data Sources

Sysmon Windows Event Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

RMM agents (ConnectWise, Kaseya, Datto) making frequent connections to cloud-hosted management infrastructure
Developers using dynamic DNS services (e.g., duckdns.org) for personal project hosting or lab environments
Software update checkers, game launchers, or peer-to-peer applications that connect to many distinct IPs over short periods
Security tools performing threat intelligence lookups or sandbox detonation queries against diverse external endpoints
VPN concentrators or split-tunnel clients that route through cloud hosting IPs matching ASN-based filters

Elastic Security (EQL)

eql

// Part 1: Beaconing detection
sequence by host.id, destination.ip with maxspan=7d
  [network where event.action in ("connection_attempted", "connection_accepted") and
   destination.port in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128) and
   not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
   not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari", "opera.exe", "brave.exe", "svchost.exe", "MsMpEng.exe")] with runs=20

// Part 2: Dynamic DNS resolution
any where event.category == "network" and event.action == "lookup_requested" and
  dns.question.name rlike "(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)"

// Part 3: Fast-flux (high unique IPs per process per hour)
network where event.action == "connection_attempted" and
  not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
  not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "MsMpEng.exe", "svchost.exe")
| stats count=count(), unique_ips=count_distinct(destination.ip) by host.name, process.name, @timestamp_bucket("1h")
| where unique_ips >= 5 and count >= 10

Detects T1584 Compromise Infrastructure indicators: C2 beaconing patterns (regular high-frequency connections to non-browser processes), DNS resolutions to known dynamic DNS providers abused for compromised infrastructure, and fast-flux activity (high unique destination IPs per process per hour) using Elastic ECS network and DNS events.

high severity medium confidence

Data Sources

Elastic Endpoint Winlogbeat with Sysmon Filebeat network module Packetbeat

Required Tables

logs-endpoint.events.network-* logs-windows.sysmon_operational-* packetbeat-* filebeat-*

False Positives

Legitimate software using dynamic DNS for home lab or developer environments (e.g., a developer testing a personal server on duckdns.org)
Security tools and vulnerability scanners performing high-frequency connections to many IPs
CDN-backed services or legitimate software updaters with many backend IPs that rotate frequently (fast-flux false positive)

IBM QRadar (AQL)

sql

-- Part 1: Beaconing - high frequency connections to same dest IP from non-browser process
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  (MAX(starttime) - MIN(starttime)) / 3600000 AS duration_hours,
  ROUND(COUNT(*) / NULLIF((MAX(starttime) - MIN(starttime)) / 3600000, 0), 2) AS beacon_rate,
  'SuspiciousBeaconing' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND destinationport IN (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '192.168.%' OR destinationip = '127.0.0.1')
  AND username NOT ILIKE '%chrome%'
  AND username NOT ILIKE '%firefox%'
GROUP BY sourceip, destinationip, destinationport
HAVING connection_count >= 20
  AND duration_hours > 1
  AND beacon_rate BETWEEN 0.5 AND 200.0

UNION ALL

-- Part 2: Dynamic DNS resolutions
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  0 AS duration_hours,
  0 AS beacon_rate,
  'SuspiciousDynamicDNS' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND (LOWER(URL) ILIKE '%duckdns.org%'
    OR LOWER(URL) ILIKE '%no-ip.com%'
    OR LOWER(URL) ILIKE '%hopto.org%'
    OR LOWER(URL) ILIKE '%ddns.net%'
    OR LOWER(URL) ILIKE '%zapto.org%'
    OR LOWER(URL) ILIKE '%sytes.net%'
    OR LOWER(URL) ILIKE '%myddns.me%'
    OR LOWER(URL) ILIKE '%dynalias.com%')
GROUP BY starttime, sourceip, destinationip, destinationport
HAVING connection_count >= 1

UNION ALL

-- Part 3: Fast-flux / high unique destination IPs per source per hour
SELECT
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  'multiple' AS destinationip,
  0 AS destinationport,
  COUNT(*) AS connection_count,
  1 AS duration_hours,
  0 AS beacon_rate,
  'PotentialFastFlux' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '192.168.%')
GROUP BY sourceip, TRUNC(starttime, 'HH')
HAVING UNIQUECOUNT(destinationip) >= 5 AND connection_count >= 10

ORDER BY first_seen DESC

Detects T1584 Compromise Infrastructure using three AQL queries unioned: (1) beaconing via high-frequency regular connections to the same destination IP from non-browser processes, (2) DNS resolutions or connections to known dynamic DNS providers abused for C2, and (3) fast-flux indicators via high unique destination IP counts per source per hour.

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM QRadar DNS DSM QRadar Network Activity (flows)

Required Tables

events flows

False Positives

Automated software update mechanisms making frequent connections to CDN endpoints
IT management tools (RMM software) that legitimately connect to cloud management infrastructure at high frequency
Developers using dynamic DNS providers for legitimate home or lab infrastructure testing

Sumo Logic CSE

sql

// Part 1: Beaconing detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=DestinationPort "*" as dest_port
| parse field=Image "*" as process_name
| where dest_port in ("80","443","8080","8443","4443","4444","1080","3128")
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)/
| timeslice 7d
| count as connection_count, pct(50, _messageTime) as median_time by Computer, dest_ip, dest_port, _timeslice
| where connection_count >= 20
| fields Computer, dest_ip, dest_port, connection_count
| "SuspiciousBeaconing" as alert_type

// Part 2: Dynamic DNS resolution
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "22" OR EventID = "22"
| parse field=QueryName "*" as queried_domain
| parse field=Image "*" as process_name
| where queried_domain matches /(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)/
| count as query_count, values(Computer) as affected_hosts, values(process_name) as processes by queried_domain
| where query_count >= 1
| "SuspiciousDynamicDNS" as alert_type
| fields queried_domain, query_count, affected_hosts, processes, alert_type

// Part 3: Fast-flux detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=Image "*" as process_name
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)/
| timeslice 1h
| count as total_connections, dcount(dest_ip) as unique_dest_ips, values(process_name) as processes by Computer, _timeslice
| where unique_dest_ips >= 5 and total_connections >= 10
| "PotentialFastFlux" as alert_type
| fields Computer, _timeslice, unique_dest_ips, total_connections, processes, alert_type

Detects T1584 Compromise Infrastructure indicators in Sumo Logic using three sub-queries targeting Sysmon EventCode 3 (network connections) and EventCode 22 (DNS queries): beaconing via regular high-frequency connections, dynamic DNS provider resolution, and fast-flux activity via high unique destination IPs per hour per host.

high severity medium confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Logs DNS query logs

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

Security scanning tools performing port sweeps or vulnerability assessments creating fast-flux-like patterns
Peer-to-peer software (legitimate torrent clients, VoIP) connecting to many unique IPs
SaaS software with highly distributed CDN backends causing many unique IP resolutions

Google Chronicle / SecOps

yaral

rule t1584_compromise_infrastructure_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential C2 beaconing via compromised third-party infrastructure (T1584). Identifies high-frequency regular connections from non-browser processes to external IPs on common C2 ports."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari|opera\.exe|brave\.exe|svchost\.exe|MsMpEng\.exe)`)
    $e.principal.hostname = $hostname
    $e.target.ip = $dest_ip

  match:
    $hostname, $dest_ip over 1h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $sample_processes = array_distinct($e.principal.process.file.full_path)
    $dest_ports = array_distinct($e.target.port)

  condition:
    #e >= 20
}

rule t1584_compromise_infrastructure_dynamic_dns {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DNS lookups to dynamic DNS providers commonly used for compromised infrastructure C2 channels (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    re.regex($e.network.dns.questions.name, `(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)`)
    $e.principal.hostname = $hostname
    $e.network.dns.questions.name = $domain

  match:
    $hostname, $domain over 1h

  outcome:
    $query_count = count_distinct($e.metadata.id)
    $process_list = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 1
}

rule t1584_compromise_infrastructure_fast_flux {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects fast-flux network behavior from non-browser processes — high count of unique destination IPs over a short period, consistent with botnet C2 via compromised infrastructure (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)`)
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $proc

  match:
    $hostname, $proc over 1h

  outcome:
    $unique_dest_ips = count_distinct($e.target.ip)
    $total_connections = count_distinct($e.metadata.id)
    $dest_ip_list = array_distinct($e.target.ip)

  condition:
    #e >= 10 and $unique_dest_ips >= 5
}

Three Chronicle YARA-L 2.0 rules detecting T1584 Compromise Infrastructure: (1) C2 beaconing via high-frequency outbound connections from non-browser processes to common C2 ports, (2) DNS resolutions to known dynamic DNS providers used for compromised infrastructure C2, and (3) fast-flux activity via high unique destination IP counts from non-browser processes.

high severity medium confidence

Data Sources

Chronicle UDM - Network Events Chronicle UDM - DNS Events Google Workspace / Chrome Enterprise Windows Event Forwarding to Chronicle

Required Tables

NETWORK_CONNECTION UDM events NETWORK_DNS UDM events

False Positives

Legitimate use of dynamic DNS by developers or home lab operators for personal services
Network monitoring or asset inventory tools performing high-frequency scans to many IPs
Load-balanced cloud services with many backend IPs causing fast-flux-like DNS patterns

CrowdStrike LogScale (CQL)

cql

// Part 1: Beaconing from non-browser processes
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| RemotePort in [80, 443, 8080, 8443, 4443, 4444, 1080, 3128]
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe", "*SenseIR.exe"])
| groupBy([ComputerName, RemoteAddressIP4, RemotePort, ImageFileName], function=[
    count(as=connection_count),
    min(timestamp, as=first_seen),
    max(timestamp, as=last_seen)
  ])
| eval duration_hours := (last_seen - first_seen) / 3600000
| where duration_hours > 1
| eval beacon_rate := connection_count / duration_hours
| where connection_count >= 20
| where beacon_rate >= 0.5 AND beacon_rate <= 200.0
| eval alert_type := "SuspiciousBeaconing"
| table [ComputerName, RemoteAddressIP4, RemotePort, ImageFileName, connection_count, beacon_rate, duration_hours, alert_type]
| sort(first_seen, order=desc)

// Part 2: Dynamic DNS resolutions
#event_simpleName = DnsRequest
| match(field=DomainName, regex="(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)")
| groupBy([DomainName], function=[
    count(as=query_count),
    count(ComputerName, distinct=true, as=unique_hosts),
    collect(ComputerName, as=affected_hosts),
    collect(ContextImageFileName, as=processes)
  ])
| eval alert_type := "SuspiciousDynamicDNSResolution"
| table [DomainName, query_count, unique_hosts, affected_hosts, processes, alert_type]

// Part 3: Fast-flux / high unique destination IPs
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe"])
| bucket(field=timestamp, span=1h, as=time_bucket)
| groupBy([ComputerName, ImageFileName, time_bucket], function=[
    count(RemoteAddressIP4, distinct=true, as=unique_dest_ips),
    count(as=total_connections),
    collect(ImageFileName, as=process_list)
  ])
| where unique_dest_ips >= 5 AND total_connections >= 10
| eval alert_type := "PotentialFastFlux"
| table [ComputerName, ImageFileName, time_bucket, unique_dest_ips, total_connections, alert_type]
| sort(time_bucket, order=desc)

Three CrowdStrike LogScale (CQL) queries detecting T1584 Compromise Infrastructure using Falcon telemetry: (1) C2 beaconing via regular high-frequency NetworkConnectIP4 events from non-browser processes to common C2 ports, (2) DnsRequest events for known dynamic DNS providers used in compromised infrastructure campaigns, and (3) fast-flux detection via high unique destination IP counts per process per hour.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Agent Falcon NetworkConnectIP4 events Falcon DnsRequest events Falcon ProcessRollup2 events

Required Tables

NetworkConnectIP4 DnsRequest ProcessRollup2

False Positives

Falcon sensor itself or other EDR tools generating high-frequency network connections during scans
Legitimate software using dynamic DNS for development or testing (e.g., dev environments with personal DDNS)
VPN client software or proxy tools connecting to many IPs during setup or rotation

Sigma rule & cross-platform mapping

The detection logic for Compromise Infrastructure (T1584) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1584 Sigma rules on detection.fyi

Platform-specific guides for T1584

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate C2 Beaconing to Compromised VPS Infrastructure
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.
Test 2DNS Resolution to Dynamic DNS Provider Domain
Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.
Test 3Simulate Fast-Flux Connection Pattern from Non-Browser Process
Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1584 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Compromise Infrastructure

What is T1584 Compromise Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1584

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (8)

Related Techniques

Same Tactic: Resource Development

Popular Detections

What is T1584 Compromise Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1584

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (8)

Related Techniques

Same Tactic: Resource Development

Popular Detections

Get new detections in your inbox