T1584.004 Compromise Infrastructure: Server Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1584.004 — Compromise Infrastructure: Server
// Strategy: correlate outbound connections against threat intelligence,
// detect C2 beaconing patterns, and flag connections to known compromised server ranges.
// Requires Microsoft Sentinel with ThreatIntelligenceIndicator table populated.
let LookbackPeriod = 24h;
let BeaconMinConnections = 5;
let BeaconMinIntervalMin = 1;
let BeaconMaxIntervalMin = 120;
// Pull active TI indicators for IP-based indicators
let ThreatIntelServerIPs = ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where Active == true
| where isnotempty(NetworkIP)
| where ConfidenceScore >= 50
| distinct NetworkIP, Description, ThreatType;
// Pull active TI indicators for domain-based indicators
let ThreatIntelDomains = ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)
| where Active == true
| where isnotempty(DomainName)
| where ConfidenceScore >= 50
| distinct DomainName, Description, ThreatType;
// Detection Branch 1: Direct TI IP hit on outbound connections
let TIIPHits = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where ActionType in ("ConnectionSuccess", "ConnectionAttempt", "InboundConnectionAccepted")
| join kind=inner ThreatIntelServerIPs on $left.RemoteIP == $right.NetworkIP
| extend DetectionMethod = "ThreatIntel-IP"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl,
         ThreatDescription = Description, ThreatType,
         DetectionMethod;
// Detection Branch 2: DNS-resolved TI domain hits
let TIDomainHits = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where isnotempty(RemoteUrl)
| extend RequestedDomain = tostring(parse_url(RemoteUrl).Host)
| join kind=inner ThreatIntelDomains on $left.RequestedDomain == $right.DomainName
| extend DetectionMethod = "ThreatIntel-Domain"
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort, RemoteUrl,
         ThreatDescription = Description, ThreatType,
         DetectionMethod;
// Detection Branch 3: Beaconing pattern — periodic connections to same external IP
let BeaconingHosts = DeviceNetworkEvents
| where Timestamp > ago(LookbackPeriod)
| where RemoteIPType == "Public"
| where ActionType == "ConnectionSuccess"
| summarize ConnectionCount = count(),
           FirstSeen = min(Timestamp),
           LastSeen = max(Timestamp),
           Ports = make_set(RemotePort, 10)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP
| where ConnectionCount >= BeaconMinConnections
| extend SpanMinutes = datetime_diff('minute', LastSeen, FirstSeen)
| where SpanMinutes > 10
| extend AvgIntervalMinutes = toreal(SpanMinutes) / toreal(ConnectionCount - 1)
| where AvgIntervalMinutes between (BeaconMinIntervalMin .. BeaconMaxIntervalMin)
| extend DetectionMethod = "BeaconingPattern"
| project FirstSeen, LastSeen, DeviceName, AccountName = "",
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         RemoteIP, RemotePort = tostring(Ports),
         RemoteUrl = "",
         ThreatDescription = strcat("Beaconing: ", tostring(ConnectionCount), " connections over ", tostring(SpanMinutes), " min, avg interval ", round(AvgIntervalMinutes, 1), " min"),
         ThreatType = "C2-Beacon",
         DetectionMethod
| project-rename Timestamp = FirstSeen;
// Union all branches
union TIIPHits, TIDomainHits, BeaconingHosts
| sort by Timestamp desc

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Microsoft Defender for Endpoint Microsoft Sentinel Threat Intelligence

Required Tables

DeviceNetworkEvents ThreatIntelligenceIndicator

False Positives

Legitimate software update services or CDN endpoints that have been flagged as TI hits due to shared IP space with previously malicious infrastructure
Monitoring and telemetry agents (Datadog, Dynatrace, Splunk UF, PRTG) that beacon home at regular intervals, triggering the beaconing pattern branch
Business applications with regular API polling (CRM sync, ERP integrations, health check daemons) creating periodic connection patterns that resemble C2 beaconing
Cloud provider metadata endpoints or service discovery mechanisms that appear as repeated connections to the same external IP
False TI hits from third-party threat feeds with low-quality indicators — particularly providers that add entire cloud provider IP ranges or CDN prefixes

Splunk

spl

| tstats summariesonly=false count AS connection_count, 
         earliest(_time) AS first_seen, 
         latest(_time) AS last_seen,
         values(All_Traffic.dest_port) AS dest_ports
  FROM datamodel=Network_Traffic.All_Traffic
  WHERE All_Traffic.direction="outbound"
  BY All_Traffic.src, All_Traffic.dest, All_Traffic.app, All_Traffic.user, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| eval beacon_span_minutes = round((last_seen - first_seen) / 60, 1)
| eval avg_interval_minutes = if(connection_count > 1, round(beacon_span_minutes / (connection_count - 1), 2), null())
| eval is_beacon = if(connection_count >= 5 AND avg_interval_minutes >= 1 AND avg_interval_minutes <= 120 AND beacon_span_minutes > 10, 1, 0)
| lookup threat_intel_lookup ip AS dest OUTPUT threat_type, threat_confidence, threat_description
| eval is_ti_hit = if(isnotnull(threat_type) AND threat_confidence >= 50, 1, 0)
| eval detection_score = (is_beacon * 50) + (is_ti_hit * 80)
| eval detection_method = case(
    is_beacon=1 AND is_ti_hit=1, "ThreatIntel+BeaconingPattern",
    is_ti_hit=1, "ThreatIntel-IP",
    is_beacon=1, "BeaconingPattern",
    true(), "none")
| where detection_score > 0
| eval beacon_summary = if(is_beacon=1, 
    strcat(tostring(connection_count), " connections over ", tostring(beacon_span_minutes), " min, avg ", tostring(avg_interval_minutes), " min interval"),
    "N/A")
| table first_seen, last_seen, src, dest, dest_ports, app, user,
         connection_count, beacon_summary, is_beacon, is_ti_hit,
         threat_type, threat_confidence, threat_description,
         detection_score, detection_method
| sort - detection_score, - connection_count
| rename src AS source_host, dest AS destination_ip

high severity medium confidence

Data Sources

Network Traffic: Network Connection Creation Network Traffic: Network Traffic Flow Firewall Logs Proxy Logs

Required Sourcetypes

pan:traffic cisco:asa paloalto:firewall:traffic syslog

False Positives

Legitimate SaaS application endpoints that share IP space with threat intelligence indicators, particularly after CDN provider IP reassignment
Periodic telemetry agents and heartbeat processes (endpoint agents, SNMP polling, NTP clients) triggering false beaconing alerts at predictable intervals
CI/CD pipeline systems making regular outbound API calls to external artifact repositories, package registries, or webhook endpoints
Network scanning or inventory tools (Nessus, Qualys, PRTG) that make many connections to external IPs for asset discovery or uptime monitoring
Stale threat intel IOCs that remain in lookup tables after infrastructure reuse — an IP previously used for C2 may now serve legitimate content

Elastic Security (EQL)

eql

network where event.type == "connection_attempted"
  and network.direction == "outbound"
  and destination.port in (80, 443, 8080, 8443)
  and not destination.ip : ("10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*", "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*", "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*", "172.30.*", "172.31.*", "192.168.*", "127.*")
  and process.name : ("nslookup.exe", "powershell.exe", "cmd.exe", "python.exe", "python3")

high severity medium confidence

Data Sources

Elastic Endpoint Security Network events DNS events

Required Tables

logs-endpoint.events.network.* logs-dns.*

False Positives

Legitimate outbound connections to cloud hosting providers for business services
Security research teams connecting to VPS infrastructure for authorized testing
IT teams managing company-owned VPS or cloud instances
Developer connections to cloud-based development environments

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip, destinationip, destinationport,
  "CommandLine", "Image" AS Process,
  "DestinationHostname" AS RemoteHost,
  CASE
    WHEN COUNT(*) OVER (PARTITION BY sourceip, destinationip) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT destinationip INCIDR '10.0.0.0/8'
  AND NOT destinationip INCIDR '172.16.0.0/12'
  AND NOT destinationip INCIDR '192.168.0.0/16'
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 3 DNS logs

Required Tables

events

False Positives

Legitimate connections to cloud hosting providers for business services
Security researchers testing tools on authorized VPS infrastructure
IT teams managing company-owned remote servers
Developers connecting to cloud-based development environments

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*dns*
| json auto
| where EventCode = 3 or _sourceCategory matches "*dns*"
| where !matches(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
| eval ProcessName = lower(Image)
| where !matches(ProcessName, "chrome|firefox|msedge|outlook|teams")
| eval IsDNSRecon = if(matches(ProcessName, "nslookup|dig|host|dnsrecon"), "true", "false")
| eval RiskScore = if(IsDNSRecon = "true", 70,
    if(DestinationPort in ("443","8443","4443"), 60, 40))
| where RiskScore >= 60
| stats count AS ConnCount, values(DestinationIp) AS DestIPs, values(ProcessName) AS Processes by _sourceHost, User, DestinationPort
| sort by ConnCount desc

high severity medium confidence

Data Sources

Sysmon DNS logs

Required Tables

_sourceCategory=*sysmon* _sourceCategory=*dns*

False Positives

Legitimate business connections to cloud hosting and CDN providers
Authorized security testing against self-owned VPS infrastructure
Developer connections to cloud-based development or CI/CD environments
IT management connections to company-owned remote servers

Google Chronicle / SecOps

yaral

rule T1584_004_c2_infrastructure {
  meta:
    author = "Detection Engineering"
    description = "Detects potential C2 infrastructure activity and reconnaissance"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1584.004"
    reference = "https://attack.mitre.org/techniques/T1584/004/"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (443, 8443, 4443, 8080, 53)
    not re.regex($e.target.ip, `^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)`)
    re.regex($e.principal.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|nslookup|dig)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry DNS logs

Required Tables

NETWORK_CONNECTION DNS

False Positives

Legitimate business connections to cloud hosting providers
Security researchers accessing authorized VPS environments for testing
Development teams connecting to cloud-based build and test environments
IT administrators managing company-owned remote server infrastructure

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "NetworkConnectIP4"
| RemotePort in (443, 8443, 4443, 8080, 53)
| RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| ParentBaseFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|nslookup|python)/
| groupBy([aid, ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort], function=[count(as=ConnCount), min(timestamp, as=FirstSeen)])
| case {
    ConnCount >= 10 AND RemotePort = 53 => RiskScore := "High";
    ConnCount >= 5 => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ComputerName, ImageFileName, ParentBaseFileName, RemoteAddressIP4, RemotePort, ConnCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Network events DNS events

Required Tables

NetworkConnectIP4

False Positives

Legitimate outbound connections to CDN or hosting infrastructure used by business apps
Authorized security research or penetration testing against owned VPS infrastructure
Development and QA teams connecting to cloud-based test environments
IT operations managing company-owned remote server infrastructure

Compromise Infrastructure: Server

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections