T1584.004 IBM QRadar · QRadar

Detect Compromise Infrastructure: Server in IBM QRadar

Adversaries may compromise third-party servers to stage, launch, and execute operations. Rather than purchasing dedicated infrastructure, threat actors hijack legitimate servers — including web servers, mail servers, and application servers — to host malware, serve as command-and-control nodes, support phishing campaigns, or enable watering hole attacks. Because the compromised servers are legitimately owned by third parties, traffic to and from them may blend in with normal business activity. Real-world examples include Lazarus Group staging malware on compromised servers, Volt Typhoon using compromised PRTG monitoring servers for C2, Sandworm compromising EXIM mail servers for campaign infrastructure, and Dragonfly leveraging legitimate websites to host C2 and malware modules.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1584 Compromise Infrastructure
Sub-technique: T1584.004 Server
Canonical reference: https://attack.mitre.org/techniques/T1584/004/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(MAX(devicetime), 'yyyy-MM-dd HH:mm:ss') AS LastSeen,
  sourceip, destinationip, destinationport,
  "Image" AS Process,
  FIRST("CommandLine") AS CommandLine,
  FIRST("DestinationHostname") AS RemoteHost,
  COUNT(*) AS ConnectionCount,
  CASE
    WHEN COUNT(*) >= 5 THEN 80
    WHEN destinationport IN (443, 8443, 4443) THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%nslookup%' OR "Image" ILIKE '%dig%' THEN 'DNS Reconnaissance'
    WHEN destinationport IN (443, 8443) THEN 'Encrypted C2 Candidate'
    ELSE 'Outbound Connection'
  END AS AlertType
FROM events
WHERE eventid = 3
  AND NOT INCIDR('10.0.0.0/8', destinationip)
  AND NOT INCIDR('172.16.0.0/12', destinationip)
  AND NOT INCIDR('192.168.0.0/16', destinationip)
  AND destinationport IN (53, 80, 443, 8080, 8443, 4443)
  AND "Image" NOT ILIKE '%chrome%'
  AND "Image" NOT ILIKE '%firefox%'
  AND "Image" NOT ILIKE '%msedge%'
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
GROUP BY sourceip, destinationip, destinationport, "Image"
ORDER BY RiskScore DESC
LAST 24 HOURS
```

Severity: high. Confidence: medium.

QRadar AQL detection for Compromise Infrastructure: Server. The query selects Sysmon Event ID 3 network connections from non-browser processes to public (non-RFC1918) destinations on ports commonly used for DNS, web and C2 traffic (53, 80, 443, 8080, 8443, 4443). Each source/destination pair is scored by volume: five or more connections in the window scores 80 (beaconing candidate), a connection on an encrypted port scores 60, and any other outbound connection scores 40. Lookups by nslookup or dig are labelled DNS Reconnaissance so they can be triaged separately from direct connections.
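To check the query's filter and scoring logic offline against the telemetry the Testing Methodology describes, here is an added Python example (not the page's or IBM's code) that applies the same WHERE clause, per-pair count and CASE branches to constructed Sysmon Event ID 3 records; the sample source and destination addresses, the `sysmon_eid3` helper and the field names are assumptions.

```python
import ipaddress
from collections import Counter

PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {53, 80, 443, 8080, 8443, 4443}
BROWSERS = ("chrome", "firefox", "msedge")


def in_scope(ev):
    """WHERE clause: Sysmon EID 3, non-RFC1918 destination, watched port, non-browser image."""
    dst = ipaddress.ip_address(ev["DestinationIp"])
    return (ev["EventID"] == 3
            and not any(dst in net for net in PRIVATE)
            and ev["DestinationPort"] in WATCHED_PORTS
            and not any(b in ev["Image"].lower() for b in BROWSERS))


def score(events):
    """One row per in-scope event with RiskScore and AlertType as the query defines them."""
    scoped = [e for e in events if in_scope(e)]
    pairs = Counter((e["SourceIp"], e["DestinationIp"]) for e in scoped)  # per source/destination count
    rows = []
    for e in scoped:
        image, port = e["Image"].lower(), e["DestinationPort"]
        if pairs[(e["SourceIp"], e["DestinationIp"])] >= 5:
            risk = 80                                   # repeated connections to one host: beaconing
        elif port in (443, 8443, 4443):
            risk = 60
        else:
            risk = 40
        if "nslookup" in image or "dig" in image:       # '%dig%' also matches paths containing 'digital'
            alert = "DNS Reconnaissance"
        elif port in (443, 8443):
            alert = "Encrypted C2 Candidate"
        else:
            alert = "Outbound Connection"
        rows.append({**e, "RiskScore": risk, "AlertType": alert})
    return sorted(rows, key=lambda r: r["RiskScore"], reverse=True)


def sysmon_eid3(image, dst, port, src="192.168.1.10"):
    """Hypothetical helper building a minimal Sysmon Event ID 3 record."""
    return {"EventID": 3, "SourceIp": src, "DestinationIp": dst, "DestinationPort": port, "Image": image}


# Constructed sample telemetry (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [sysmon_eid3(PS, "203.0.113.5", 80) for _ in range(10)]  # Test 1: ten connections to one public IP
SAMPLE += [sysmon_eid3(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.5", 443),  # browser
           sysmon_eid3(PS, "10.0.0.5", 443),                                       # RFC1918 destination, excluded
           sysmon_eid3(r"C:\Windows\System32\nslookup.exe", "198.51.100.53", 53),  # DNS tool lookup
           sysmon_eid3(PS, "198.51.100.7", 443)]                                   # single encrypted connection
```

Running `score(SAMPLE)` returns the ten Test 1 connections at score 80, the single 443 connection at 60 and the nslookup query at 40; the browser and internal connections never reach scoring.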

Data Sources

  • Sysmon Event ID 3
  • DNS logs

Required Tables

events

False Positives & Tuning

  • Legitimate connections to cloud hosting providers for business services
  • Security researchers testing tools on authorized VPS infrastructure
  • IT teams managing company-owned remote servers
  • Developers connecting to cloud-based development environments

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulated C2 Beaconing to External IP via PowerShell

    Expected signal: Sysmon Event ID 3 (Network Connection): 10 separate connection events from powershell.exe to the httpbin.org IP (public), port 80. Each event records SourceIp, DestinationIp=httpbin.org resolved IP, DestinationPort=80, Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. Sysmon Event ID 22 (DNS Query): DNS lookup for httpbin.org. DeviceNetworkEvents in MDE: 10 ConnectionSuccess events from powershell.exe to the same RemoteIP over 5 minutes, enabling beaconing pattern detection.

  2. Test 2: DNS Resolution of Known C2 Domain Infrastructure

    Expected signal: Sysmon Event ID 22 (DNS Query): three DnsQueryStatus events with QueryName set to each test domain, Image=C:\Windows\System32\nslookup.exe or the calling process. Windows DNS Client Event Log (Microsoft-Windows-DNS-Client/Operational) Event ID 3008 may also capture these queries. DeviceEvents table in MDE with ActionType=DnsQueryResponse if DNS monitoring is enabled.

  3. Test 3: Outbound Connection to TI-Flagged IP via curl

    Expected signal: Sysmon Event ID 3 (Network Connection): connection attempts from curl.exe to 127.0.0.1 on ports 4444 and 8443 — ports commonly used by Cobalt Strike, Metasploit, and other C2 frameworks. DeviceNetworkEvents: RemoteIP=127.0.0.1, RemotePort=4444 and 8443, InitiatingProcessFileName=curl.exe. In a real test with a routable TI-flagged IP, the RemoteIPType would be Public and the ThreatIntelligenceIndicator join would match.

  4. Test 4: Linux C2 Beacon Simulation via curl Loop

    Expected signal: Linux auditd: SYSCALL records for connect() and socket() system calls initiated by curl, capturing destination IP and port. Syslog: if curl failures are logged, entries appear in /var/log/syslog. Network flow logs: 8 TCP connection records to the httpbin.org IP on port 80 from the source host, each ~15 seconds apart. CEF/Syslog from perimeter firewall: session records for each connection. If osquery is deployed, the process_open_sockets or process_events table captures each connection.
