T1584

Compromise Infrastructure

This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.

Microsoft Sentinel / Defender

kusto

let SuspiciousASNs = dynamic(["AS14061", "AS16276", "AS24940", "AS20473", "AS9009"]);
let LookbackPeriod = 7d;
let BeaconingThreshold = 20;
// Part 1: Detect beaconing to infrastructure with suspicious characteristics
let BeaconingAlerts = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemotePort in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
| where not(ipv4_is_private(RemoteIP))
| summarize
    ConnectionCount = count(),
    UniqueRemotePorts = dcount(RemotePort),
    BytesSent = sum(SentBytes),
    BytesReceived = sum(ReceivedBytes),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    SampleProcesses = make_set(InitiatingProcessFileName, 5)
    by DeviceId, DeviceName, RemoteIP, RemoteUrl
| where ConnectionCount >= BeaconingThreshold
| where BytesSent > 1000
// Flag where beacon interval is highly regular (potential C2)
| extend DurationHours = datetime_diff('hour', LastSeen, FirstSeen)
| where DurationHours > 1
| extend BeaconRate = toreal(ConnectionCount) / toreal(DurationHours)
| where BeaconRate between (0.5 .. 200.0)
| extend AlertType = "PotentialBeaconing";
// Part 2: Detect DNS resolutions to IPs with poor reputation characteristics
let DNSSuspicious = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
// Flag domains using dynamic DNS providers commonly abused for compromised infra
| where RemoteUrl matches regex @"(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)"
| summarize
    ConnectionCount = count(),
    UniqueDevices = dcount(DeviceId),
    SampleProcesses = make_set(InitiatingProcessFileName, 5),
    SampleIPs = make_set(RemoteIP, 5)
    by RemoteUrl
| where ConnectionCount > 0
| extend AlertType = "SuspiciousDynamicDNS";
// Part 3: Detect connections from non-browser processes to domains with short TTLs (fast-flux)
let FastFlux = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType == "ConnectionSuccess"
| where not(ipv4_is_private(RemoteIP))
| where InitiatingProcessFileName !in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari", "opera.exe", "brave.exe")
| where InitiatingProcessFileName !in~ ("svchost.exe", "MsMpEng.exe", "SenseIR.exe", "MsSense.exe", "SenseCncProxy.exe")
| summarize
    UniqueIPs = dcount(RemoteIP),
    ConnectionCount = count(),
    DomainList = make_set(RemoteUrl, 10),
    ProcessList = make_set(InitiatingProcessFileName, 5)
    by DeviceId, DeviceName, bin(Timestamp, 1h)
| where UniqueIPs >= 5 and ConnectionCount >= 10
| extend AlertType = "PotentialFastFluxActivity";
// Union all alert types
BeaconingAlerts
| project Timestamp = LastSeen, DeviceName, RemoteIP, RemoteUrl, AlertType, ConnectionCount, BytesSent, BytesReceived, SampleProcesses
| union (
    DNSSuspicious
    | project Timestamp = now(), DeviceName = "Multiple", RemoteIP = tostring(SampleIPs[0]), RemoteUrl, AlertType, ConnectionCount, BytesSent = long(0), BytesReceived = long(0), SampleProcesses
)
| union (
    FastFlux
    | project Timestamp, DeviceName, RemoteIP = "", RemoteUrl = tostring(DomainList[0]), AlertType, ConnectionCount, BytesSent = long(0), BytesReceived = long(0), SampleProcesses = ProcessList
)
| sort by Timestamp desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software update services or telemetry agents making frequent connections to cloud infrastructure on shared hosting providers
VPN or proxy clients using dynamic DNS hostnames for legitimate enterprise connectivity
IT monitoring and RMM tools (e.g., ConnectWise, Kaseya) that beacon regularly to SaaS infrastructure hosted on major cloud ASNs
CDN-backed services with high IP rotation that may appear as fast-flux to endpoint telemetry
Developers running local tunneling tools (ngrok, localtunnel) that resolve to dynamic DNS entries

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="stream:dns" OR sourcetype="stream:tcp")
| eval _time=strptime(UtcTime, "%Y-%m-%d %H:%M:%S.%3N")
| eval earliest_time=relative_time(now(), "-7d@d")
| where _time >= earliest_time
(
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval dest_ip=DestinationIp, dest_port=DestinationPort, process=Image
  | where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fd)")
  | where dest_port IN (80, 443, 4444, 4443, 8080, 8443, 1080, 3128, 9001, 9030)
  | where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)")
  | stats count AS connection_count, dc(dest_ip) AS unique_ips, values(process) AS processes, min(_time) AS first_seen, max(_time) AS last_seen by Computer, dest_ip
  | where connection_count >= 20
  | eval duration_hours=round((last_seen - first_seen) / 3600, 2)
  | where duration_hours > 1
  | eval beacon_rate=round(connection_count / duration_hours, 2)
  | where beacon_rate > 0.5 AND beacon_rate < 200
  | eval alert_type="SuspiciousBeaconing"
  | table _time, Computer, dest_ip, connection_count, unique_ips, processes, beacon_rate, duration_hours, alert_type
  ]
  OR
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
  | eval queried_domain=QueryName, process=Image
  | where match(queried_domain, "(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch|crabdance\.com|ignorelist\.com)")
  | stats count AS query_count, dc(Computer) AS unique_hosts, values(process) AS processes, values(Computer) AS affected_hosts by queried_domain
  | where query_count >= 1
  | eval alert_type="SuspiciousDynamicDNSResolution"
  | eval _time=now()
  | table _time, queried_domain, query_count, unique_hosts, processes, affected_hosts, alert_type
  ]
  OR
  [
  | search sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval dest_ip=DestinationIp, process=Image, src_host=Computer
  | where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
  | where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)")
  | bin _time span=1h
  | stats dc(dest_ip) AS unique_dest_ips, count AS total_connections, values(process) AS processes by src_host, _time
  | where unique_dest_ips >= 10 AND total_connections >= 20
  | eval alert_type="PotentialFastFluxOrBotnetActivity"
  | table _time, src_host, unique_dest_ips, total_connections, processes, alert_type
  ]
)
| sort - _time

high severity medium confidence

Data Sources

Sysmon Windows Event Logs

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

RMM agents (ConnectWise, Kaseya, Datto) making frequent connections to cloud-hosted management infrastructure
Developers using dynamic DNS services (e.g., duckdns.org) for personal project hosting or lab environments
Software update checkers, game launchers, or peer-to-peer applications that connect to many distinct IPs over short periods
Security tools performing threat intelligence lookups or sandbox detonation queries against diverse external endpoints
VPN concentrators or split-tunnel clients that route through cloud hosting IPs matching ASN-based filters

IBM QRadar (AQL)

sql

-- Part 1: Beaconing - high frequency connections to same dest IP from non-browser process
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  (MAX(starttime) - MIN(starttime)) / 3600000 AS duration_hours,
  ROUND(COUNT(*) / NULLIF((MAX(starttime) - MIN(starttime)) / 3600000, 0), 2) AS beacon_rate,
  'SuspiciousBeaconing' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND destinationport IN (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '192.168.%' OR destinationip = '127.0.0.1')
  AND username NOT ILIKE '%chrome%'
  AND username NOT ILIKE '%firefox%'
GROUP BY sourceip, destinationip, destinationport
HAVING connection_count >= 20
  AND duration_hours > 1
  AND beacon_rate BETWEEN 0.5 AND 200.0

UNION ALL

-- Part 2: Dynamic DNS resolutions
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  0 AS duration_hours,
  0 AS beacon_rate,
  'SuspiciousDynamicDNS' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND (LOWER(URL) ILIKE '%duckdns.org%'
    OR LOWER(URL) ILIKE '%no-ip.com%'
    OR LOWER(URL) ILIKE '%hopto.org%'
    OR LOWER(URL) ILIKE '%ddns.net%'
    OR LOWER(URL) ILIKE '%zapto.org%'
    OR LOWER(URL) ILIKE '%sytes.net%'
    OR LOWER(URL) ILIKE '%myddns.me%'
    OR LOWER(URL) ILIKE '%dynalias.com%')
GROUP BY starttime, sourceip, destinationip, destinationport
HAVING connection_count >= 1

UNION ALL

-- Part 3: Fast-flux / high unique destination IPs per source per hour
SELECT
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  'multiple' AS destinationip,
  0 AS destinationport,
  COUNT(*) AS connection_count,
  1 AS duration_hours,
  0 AS beacon_rate,
  'PotentialFastFlux' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND NOT (destinationip ILIKE '10.%' OR destinationip ILIKE '172.16.%' OR destinationip ILIKE '192.168.%')
GROUP BY sourceip, TRUNC(starttime, 'HH')
HAVING UNIQUECOUNT(destinationip) >= 5 AND connection_count >= 10

ORDER BY first_seen DESC

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM QRadar DNS DSM QRadar Network Activity (flows)

Required Tables

events flows

False Positives

Automated software update mechanisms making frequent connections to CDN endpoints
IT management tools (RMM software) that legitimately connect to cloud management infrastructure at high frequency
Developers using dynamic DNS providers for legitimate home or lab infrastructure testing

Sumo Logic CSE

sql

// Part 1: Beaconing detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=DestinationPort "*" as dest_port
| parse field=Image "*" as process_name
| where dest_port in ("80","443","8080","8443","4443","4444","1080","3128")
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)/
| timeslice 7d
| count as connection_count, pct(50, _messageTime) as median_time by Computer, dest_ip, dest_port, _timeslice
| where connection_count >= 20
| fields Computer, dest_ip, dest_port, connection_count
| "SuspiciousBeaconing" as alert_type

// Part 2: Dynamic DNS resolution
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "22" OR EventID = "22"
| parse field=QueryName "*" as queried_domain
| parse field=Image "*" as process_name
| where queried_domain matches /(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)/
| count as query_count, values(Computer) as affected_hosts, values(process_name) as processes by queried_domain
| where query_count >= 1
| "SuspiciousDynamicDNS" as alert_type
| fields queried_domain, query_count, affected_hosts, processes, alert_type

// Part 3: Fast-flux detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=Image "*" as process_name
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)/
| timeslice 1h
| count as total_connections, dcount(dest_ip) as unique_dest_ips, values(process_name) as processes by Computer, _timeslice
| where unique_dest_ips >= 5 and total_connections >= 10
| "PotentialFastFlux" as alert_type
| fields Computer, _timeslice, unique_dest_ips, total_connections, processes, alert_type

high severity medium confidence

Data Sources

Sysmon via Windows Event Forwarding Windows Security Event Logs DNS query logs

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

Security scanning tools performing port sweeps or vulnerability assessments creating fast-flux-like patterns
Peer-to-peer software (legitimate torrent clients, VoIP) connecting to many unique IPs
SaaS software with highly distributed CDN backends causing many unique IP resolutions

Google Chronicle / SecOps

yaral

rule t1584_compromise_infrastructure_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential C2 beaconing via compromised third-party infrastructure (T1584). Identifies high-frequency regular connections from non-browser processes to external IPs on common C2 ports."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari|opera\.exe|brave\.exe|svchost\.exe|MsMpEng\.exe)`)
    $e.principal.hostname = $hostname
    $e.target.ip = $dest_ip

  match:
    $hostname, $dest_ip over 1h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $sample_processes = array_distinct($e.principal.process.file.full_path)
    $dest_ports = array_distinct($e.target.port)

  condition:
    #e >= 20
}

rule t1584_compromise_infrastructure_dynamic_dns {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DNS lookups to dynamic DNS providers commonly used for compromised infrastructure C2 channels (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    re.regex($e.network.dns.questions.name, `(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)`)
    $e.principal.hostname = $hostname
    $e.network.dns.questions.name = $domain

  match:
    $hostname, $domain over 1h

  outcome:
    $query_count = count_distinct($e.metadata.id)
    $process_list = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 1
}

rule t1584_compromise_infrastructure_fast_flux {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects fast-flux network behavior from non-browser processes — high count of unique destination IPs over a short period, consistent with botnet C2 via compromised infrastructure (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)`)
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $proc

  match:
    $hostname, $proc over 1h

  outcome:
    $unique_dest_ips = count_distinct($e.target.ip)
    $total_connections = count_distinct($e.metadata.id)
    $dest_ip_list = array_distinct($e.target.ip)

  condition:
    #e >= 10 and $unique_dest_ips >= 5
}

high severity medium confidence

Data Sources

Chronicle UDM - Network Events Chronicle UDM - DNS Events Google Workspace / Chrome Enterprise Windows Event Forwarding to Chronicle

Required Tables

NETWORK_CONNECTION UDM events NETWORK_DNS UDM events

False Positives

Legitimate use of dynamic DNS by developers or home lab operators for personal services
Network monitoring or asset inventory tools performing high-frequency scans to many IPs
Load-balanced cloud services with many backend IPs causing fast-flux-like DNS patterns

CrowdStrike LogScale (CQL)

cql

// Part 1: Beaconing from non-browser processes
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| RemotePort in [80, 443, 8080, 8443, 4443, 4444, 1080, 3128]
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe", "*SenseIR.exe"])
| groupBy([ComputerName, RemoteAddressIP4, RemotePort, ImageFileName], function=[
    count(as=connection_count),
    min(timestamp, as=first_seen),
    max(timestamp, as=last_seen)
  ])
| eval duration_hours := (last_seen - first_seen) / 3600000
| where duration_hours > 1
| eval beacon_rate := connection_count / duration_hours
| where connection_count >= 20
| where beacon_rate >= 0.5 AND beacon_rate <= 200.0
| eval alert_type := "SuspiciousBeaconing"
| table [ComputerName, RemoteAddressIP4, RemotePort, ImageFileName, connection_count, beacon_rate, duration_hours, alert_type]
| sort(first_seen, order=desc)

// Part 2: Dynamic DNS resolutions
#event_simpleName = DnsRequest
| match(field=DomainName, regex="(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)")
| groupBy([DomainName], function=[
    count(as=query_count),
    count(ComputerName, distinct=true, as=unique_hosts),
    collect(ComputerName, as=affected_hosts),
    collect(ContextImageFileName, as=processes)
  ])
| eval alert_type := "SuspiciousDynamicDNSResolution"
| table [DomainName, query_count, unique_hosts, affected_hosts, processes, alert_type]

// Part 3: Fast-flux / high unique destination IPs
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe"])
| bucket(field=timestamp, span=1h, as=time_bucket)
| groupBy([ComputerName, ImageFileName, time_bucket], function=[
    count(RemoteAddressIP4, distinct=true, as=unique_dest_ips),
    count(as=total_connections),
    collect(ImageFileName, as=process_list)
  ])
| where unique_dest_ips >= 5 AND total_connections >= 10
| eval alert_type := "PotentialFastFlux"
| table [ComputerName, ImageFileName, time_bucket, unique_dest_ips, total_connections, alert_type]
| sort(time_bucket, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Agent Falcon NetworkConnectIP4 events Falcon DnsRequest events Falcon ProcessRollup2 events

Required Tables

NetworkConnectIP4 DnsRequest ProcessRollup2

False Positives

Falcon sensor itself or other EDR tools generating high-frequency network connections during scans
Legitimate software using dynamic DNS for development or testing (e.g., dev environments with personal DDNS)
VPN client software or proxy tools connecting to many IPs during setup or rotation

Last updated: 2026-04-13 Research depth: deep

References (8)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1584 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Compromise Infrastructure

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (8)

Same Tactic: Resource Development

Popular Detections