T1584.003 Virtual Private Server Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1584.003 — Compromised VPS C2 Detection
// Detects beaconing patterns and connections to VPS provider IP ranges
// consistent with adversaries using compromised third-party VPS infrastructure
let VPSProviderRanges = dynamic([
  "104.16.", "104.17.", "104.18.", "104.19.",    // Cloudflare (often abused)
  "64.225.", "143.198.", "157.245.", "167.71.",  // DigitalOcean
  "45.33.", "45.56.", "45.79.", "50.116.",       // Linode/Akamai
  "45.63.", "45.76.", "45.77.",                  // Vultr
  "5.9.", "5.161.", "23.88.", "49.12.", "65.21.", "88.99.", "95.216.", "116.202.", "128.140.", "135.181.", "138.201.", "157.90.", "159.69.", "162.55.", "176.9.", "178.63.", "188.34.", "195.201.", "213.239.", // Hetzner
  "51.38.", "51.68.", "51.75.", "51.77.", "54.36.", "54.38.", "87.98." // OVH
]);
let BeaconWindow = 24h;
let MinConnections = 10;
let MaxJitterPct = 0.15;  // ≤15% jitter indicates automated beaconing
// Step 1: Find repeated outbound connections to VPS provider ranges
let VPSConnections = DeviceNetworkEvents
| where Timestamp > ago(BeaconWindow)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt")
| where RemoteIPType == "Public"
| where RemotePort in (80, 443, 8080, 8443, 4443, 4444, 1080, 1194, 8888, 8889, 9001, 9030)
    or (RemotePort between (49152 .. 65535))  // High ports also used for C2
| where RemoteIP has_any (VPSProviderRanges)
| project Timestamp, DeviceName, DeviceId, AccountName, LocalIP, RemoteIP, RemotePort,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, BytesSent, BytesReceived;
// Step 2: Calculate inter-connection intervals per device+IP pair for beacon detection
VPSConnections
| summarize
    ConnectionCount = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    TotalBytesSent = sum(BytesSent),
    TotalBytesReceived = sum(BytesReceived),
    UniqueProcesses = dcount(InitiatingProcessFileName),
    ProcessNames = make_set(InitiatingProcessFileName, 5),
    CommandLines = make_set(InitiatingProcessCommandLine, 3)
    by DeviceName, AccountName, RemoteIP, RemotePort
| where ConnectionCount >= MinConnections
| extend SessionDurationHours = datetime_diff('minute', LastSeen, FirstSeen) / 60.0
| extend AvgIntervalMinutes = iif(ConnectionCount > 1, SessionDurationHours * 60 / (ConnectionCount - 1), 0.0)
| extend AvgBytesPerConnection = iif(ConnectionCount > 0, (TotalBytesSent + TotalBytesReceived) / ConnectionCount, 0)
// Low bytes-per-connection with high connection count = C2 beacon pattern
| extend LowVolumeBeacon = iff(AvgBytesPerConnection < 5000 and ConnectionCount > 20, true, false)
// Regular interval suggests automated callback (not human browsing)
| extend RegularInterval = iff(AvgIntervalMinutes > 0 and AvgIntervalMinutes < 60, true, false)
| where LowVolumeBeacon == true or RegularInterval == true or ConnectionCount > 50
| project-reorder DeviceName, AccountName, RemoteIP, RemotePort, ConnectionCount,
    AvgIntervalMinutes, AvgBytesPerConnection, LowVolumeBeacon, RegularInterval,
    ProcessNames, FirstSeen, LastSeen, TotalBytesSent, TotalBytesReceived

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Cloud-hosted SaaS applications and business tools (Slack, Zoom, Datadog agents) that make frequent small HTTPS connections to cloud provider IP ranges
Software update services (OS updates, antivirus definitions) that poll VPS-hosted CDN endpoints on regular intervals
Developer workstations with personal VPS instances for legitimate remote work, CI/CD pipelines, or side projects hosted at the listed providers
VPN clients and corporate proxy configurations that route traffic through VPS-hosted endpoints at the listed providers
Telemetry and monitoring agents that beacon regularly to cloud-hosted collection infrastructure (e.g., Elastic Agents, Splunk UFs reporting to cloud-hosted indexers)

Splunk

spl

| tstats summarydata=t count as ConnectionCount, sum(All_Traffic.bytes_out) as TotalBytesSent, sum(All_Traffic.bytes_in) as TotalBytesReceived, min(_time) as FirstSeen, max(_time) as LastSeen
  FROM datamodel=Network_Traffic.All_Traffic
  WHERE All_Traffic.action="allowed"
    AND (All_Traffic.dest_port=80 OR All_Traffic.dest_port=443 OR All_Traffic.dest_port=8080 OR All_Traffic.dest_port=8443 OR All_Traffic.dest_port=4443 OR All_Traffic.dest_port=4444 OR All_Traffic.dest_port=1080 OR All_Traffic.dest_port=9001)
    AND (
      cidrmatch("64.225.0.0/16", All_Traffic.dest) OR cidrmatch("143.198.0.0/16", All_Traffic.dest)
      OR cidrmatch("157.245.0.0/16", All_Traffic.dest) OR cidrmatch("167.71.0.0/16", All_Traffic.dest)
      OR cidrmatch("45.33.0.0/16", All_Traffic.dest) OR cidrmatch("45.56.0.0/16", All_Traffic.dest)
      OR cidrmatch("45.79.0.0/16", All_Traffic.dest)
      OR cidrmatch("45.63.0.0/16", All_Traffic.dest) OR cidrmatch("45.76.0.0/16", All_Traffic.dest)
      OR cidrmatch("95.216.0.0/16", All_Traffic.dest) OR cidrmatch("135.181.0.0/16", All_Traffic.dest)
      OR cidrmatch("138.201.0.0/16", All_Traffic.dest) OR cidrmatch("157.90.0.0/16", All_Traffic.dest)
      OR cidrmatch("176.9.0.0/16", All_Traffic.dest) OR cidrmatch("5.9.0.0/16", All_Traffic.dest)
    )
  BY All_Traffic.src, All_Traffic.dest, All_Traffic.dest_port
| rename All_Traffic.src as src_ip, All_Traffic.dest as dest_ip, All_Traffic.dest_port as dest_port
| eval SessionDurationMinutes = round((LastSeen - FirstSeen) / 60, 2)
| eval AvgIntervalMinutes = if(ConnectionCount > 1, round(SessionDurationMinutes / (ConnectionCount - 1), 2), null())
| eval AvgBytesPerConn = round((TotalBytesSent + TotalBytesReceived) / ConnectionCount, 0)
| eval LowVolumeBeacon = if(AvgBytesPerConn < 5000 AND ConnectionCount > 20, "true", "false")
| eval RegularInterval = if(AvgIntervalMinutes > 0 AND AvgIntervalMinutes < 60, "true", "false")
| where ConnectionCount >= 10 AND (LowVolumeBeacon="true" OR RegularInterval="true" OR ConnectionCount > 50)
| eval FirstSeenHuman = strftime(FirstSeen, "%Y-%m-%d %H:%M:%S")
| eval LastSeenHuman = strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| table src_ip, dest_ip, dest_port, ConnectionCount, AvgIntervalMinutes, AvgBytesPerConn, LowVolumeBeacon, RegularInterval, TotalBytesSent, TotalBytesReceived, FirstSeenHuman, LastSeenHuman
| sort - ConnectionCount

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Splunk Network_Traffic Datamodel

Required Sourcetypes

pan:traffic cisco:asa stream:tcp bro:conn:json

False Positives

SaaS application clients (Slack, Teams, Zoom) making persistent connections to cloud-hosted endpoints on these provider ranges
Corporate VPN concentrators hosted at the listed providers that all clients connect through
Monitoring agents (Datadog, New Relic, Elastic) that regularly beacon to collector endpoints on cloud VPS infrastructure
Developer machines running CI/CD jobs that make API calls to cloud-hosted build infrastructure
Browser telemetry and crash-reporting services that perform regular check-ins to cloud endpoints

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (80, 443, 8080, 8443)
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")
  and process.name : ("nslookup.exe", "powershell.exe", "cmd.exe", "python.exe", "python3")

high severity medium confidence

Data Sources

Elastic Endpoint Security Network events DNS events

Required Tables

logs-endpoint.events.network.* logs-dns.*

False Positives

Legitimate outbound connections to cloud hosting providers for business services
Security research teams connecting to VPS infrastructure for authorized testing
IT teams managing company-owned VPS or cloud instances
Developer connections to cloud-based development environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "CommandLine", "Image" AS Process,
  "DestinationHostname" AS RemoteHost,
  CASE
    WHEN COUNT(*) OVER (PARTITION BY sourceip, destinationip) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 3 DNS logs

Required Tables

events

False Positives

Legitimate connections to cloud hosting providers for business services
Security researchers testing tools on authorized VPS infrastructure
IT teams managing company-owned remote servers
Developers connecting to cloud-based development environments

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*dns*
| json auto
| where EventCode = 3 or _sourceCategory matches "*dns*"
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|outlook|teams")
| eval IsDNSRecon = if(matches(ProcessName, "nslookup|dig|host|dnsrecon"), "true", "false")
| eval RiskScore = if(IsDNSRecon = "true", 70,
    if(DestinationPort in ("443","8443","4443"), 60, 40))
| where RiskScore >= 60
| stats count AS ConnCount, values(DestinationIp) AS DestIPs, values(ProcessName) AS Processes by _sourceHost, User, DestinationPort
| sort by ConnCount desc

high severity medium confidence

Data Sources

Sysmon DNS logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

Legitimate business connections to cloud hosting and CDN providers
Authorized security testing against self-owned VPS infrastructure
Developer connections to cloud-based development or CI/CD environments
IT management connections to company-owned remote servers

Google Chronicle / SecOps

yaral

rule T1584_003_c2_infrastructure {
  meta:
    author = "Detection Engineering"
    description = "Detects potential C2 infrastructure activity and reconnaissance"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1584.003"
    reference = "https://attack.mitre.org/techniques/T1584/003/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 53)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    re.regex($e.principal.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|nslookup|dig)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

NETWORK_CONNECTION DNS

False Positives

Legitimate business connections to cloud hosting providers
Security researchers accessing authorized VPS environments for testing
Development teams connecting to cloud-based build and test environments
IT administrators managing company-owned remote server infrastructure

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
    ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
    ConnCount >= 5 => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events DNS events

Required Tables

NetworkConnectIP4

False Positives

Legitimate outbound connections to CDN or hosting infrastructure used by business apps
Authorized security research or penetration testing against owned VPS infrastructure
Development and QA teams connecting to cloud-based test environments
IT operations managing company-owned remote server infrastructure

Virtual Private Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections