T1584.004 Splunk · SPL

Detect Compromise Infrastructure: Server in Splunk

Adversaries may compromise third-party servers to stage, launch, and execute operations. Rather than purchasing dedicated infrastructure, threat actors hijack legitimate servers — including web servers, mail servers, and application servers — to host malware, serve as command-and-control nodes, support phishing campaigns, or enable watering hole attacks. Because the compromised servers are legitimately owned by third parties, traffic to and from them may blend in with normal business activity. Real-world examples include Lazarus Group staging malware on compromised servers, Volt Typhoon using compromised PRTG monitoring servers for C2, Sandworm compromising EXIM mail servers for campaign infrastructure, and Dragonfly leveraging legitimate websites to host C2 and malware modules.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1584 Compromise Infrastructure
Sub-technique: T1584.004 Server
Canonical reference: https://attack.mitre.org/techniques/T1584/004/

SPL Detection Query

Splunk (SPL)
| tstats summariesonly=false count AS connection_count, 
         earliest(_time) AS first_seen, 
         latest(_time) AS last_seen,
         values(All_Traffic.dest_port) AS dest_ports
  FROM datamodel=Network_Traffic.All_Traffic
  WHERE All_Traffic.direction="outbound"
  BY All_Traffic.src, All_Traffic.dest, All_Traffic.app, All_Traffic.user, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| eval beacon_span_minutes = round((last_seen - first_seen) / 60, 1)
| eval avg_interval_minutes = if(connection_count > 1, round(beacon_span_minutes / (connection_count - 1), 2), null())
| eval is_beacon = if(connection_count >= 5 AND avg_interval_minutes >= 1 AND avg_interval_minutes <= 120 AND beacon_span_minutes > 10, 1, 0)
| lookup threat_intel_lookup ip AS dest OUTPUT threat_type, threat_confidence, threat_description
| eval is_ti_hit = if(isnotnull(threat_type) AND threat_confidence >= 50, 1, 0)
| eval detection_score = (is_beacon * 50) + (is_ti_hit * 80)
| eval detection_method = case(
    is_beacon=1 AND is_ti_hit=1, "ThreatIntel+BeaconingPattern",
    is_ti_hit=1, "ThreatIntel-IP",
    is_beacon=1, "BeaconingPattern",
    true(), "none")
| where detection_score > 0
| eval beacon_summary = if(is_beacon=1, 
    strcat(tostring(connection_count), " connections over ", tostring(beacon_span_minutes), " min, avg ", tostring(avg_interval_minutes), " min interval"),
    "N/A")
| table first_seen, last_seen, src, dest, dest_ports, app, user,
         connection_count, beacon_summary, is_beacon, is_ti_hit,
         threat_type, threat_confidence, threat_description,
         detection_score, detection_method
| sort - detection_score, - connection_count
| rename src AS source_host, dest AS destination_ip
Severity: high. Confidence: medium.

Splunk detection using the CIM-compliant Network Traffic data model to identify connections to potentially compromised server infrastructure. Uses tstats for performance on large datasets. Performs dual analysis: (1) a threat intelligence lookup against a populated threat_intel_lookup KV Store or lookup table containing known compromised server IPs with confidence scores (the query expects the fields ip, threat_type, threat_confidence and threat_description), and (2) beaconing pattern detection using statistical interval analysis on hourly connection bucketing. A composite detection_score is computed: TI hits score 80, beaconing patterns score 50, and overlapping evidence scores 130. Requires Network Traffic data model acceleration and a populated threat_intel_lookup (can be sourced from MISP, ThreatConnect, Recorded Future, or manual IOC lists). Adjust the beacon thresholds (5 connections, 1-120 min interval) based on environment baseline. Note that because tstats buckets by _time span=1h, first_seen and last_seen of a group always fall within the same hour, so a group can only reach 5 connections when the average interval is 15 minutes or less; widen the span if slower beacons must be caught.
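To validate the scoring logic offline before deploying it, the following Python re-implements the query's grouping, beaconing and threat-intel rules over constructed flow records; this is an added example, not the page's query or any Splunk code, and the THREAT_INTEL table and sample flows are constructed stand-ins.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for threat_intel_lookup: dest IP -> threat_type, threat_confidence.
THREAT_INTEL = {
    "203.0.113.7": {"threat_type": "c2-server", "threat_confidence": 85},
    "198.51.100.9": {"threat_type": "scanner", "threat_confidence": 30},  # below the 50 cut-off
}

def score_flows(flows, ti=THREAT_INTEL):
    """Apply the query's beaconing and TI rules to flow dicts with keys
    _time (epoch s), src, dest, dest_port, app, user, direction."""
    groups = defaultdict(list)
    for f in flows:
        if f["direction"] != "outbound":
            continue
        # Same grouping as the tstats BY clause, with _time truncated to the hour (span=1h).
        groups[(f["src"], f["dest"], f["app"], f["user"], f["_time"] - f["_time"] % 3600)].append(f)
    results = []
    for (src, dest, app, user, _hour), rows in groups.items():
        times = sorted(r["_time"] for r in rows)
        count = len(times)
        span_min = round((times[-1] - times[0]) / 60, 1)                    # beacon_span_minutes
        avg_int = round(span_min / (count - 1), 2) if count > 1 else None  # avg_interval_minutes
        is_beacon = int(count >= 5 and avg_int is not None and 1 <= avg_int <= 120 and span_min > 10)
        hit = ti.get(dest, {})
        is_ti_hit = int(hit.get("threat_confidence", 0) >= 50)  # isnotnull(threat_type) AND conf >= 50
        score = is_beacon * 50 + is_ti_hit * 80                  # detection_score
        if score == 0:                                           # `where detection_score > 0`
            continue
        method = {(1, 1): "ThreatIntel+BeaconingPattern", (0, 1): "ThreatIntel-IP",
                  (1, 0): "BeaconingPattern"}[(is_beacon, is_ti_hit)]
        results.append({"source_host": src, "destination_ip": dest, "app": app, "user": user,
                        "dest_ports": sorted({r["dest_port"] for r in rows}),
                        "connection_count": count, "beacon_span_minutes": span_min,
                        "avg_interval_minutes": avg_int, "is_beacon": is_beacon,
                        "is_ti_hit": is_ti_hit, "threat_type": hit.get("threat_type"),
                        "detection_score": score, "detection_method": method})
    # Same ordering as `sort - detection_score, - connection_count`.
    return sorted(results, key=lambda r: (-r["detection_score"], -r["connection_count"]))

def sample_flows():
    """Constructed input: one host beaconing every 5 min to a TI-listed IP, one benign 20-second burst."""
    base = int(datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc).timestamp())
    beacon = [{"_time": base + i * 300, "src": "10.0.0.5", "dest": "203.0.113.7", "dest_port": 443,
               "app": "ssl", "user": "jdoe", "direction": "outbound"} for i in range(6)]
    burst = [{"_time": base + i, "src": "10.0.0.8", "dest": "198.51.100.9", "dest_port": 80,
              "app": "http", "user": "svc", "direction": "outbound"} for i in range(20)]
    return beacon + burst
```

The benign burst is dropped because its span never exceeds 10 minutes and its IP sits below the confidence cut-off, while the 5-minute beacon to the listed IP scores 130 with both evidence types.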

Data Sources

  • Network Traffic: Network Connection Creation
  • Network Traffic: Network Traffic Flow
  • Firewall Logs
  • Proxy Logs

Required Sourcetypes

  • pan:traffic
  • cisco:asa
  • paloalto:firewall:traffic
  • syslog

False Positives & Tuning

  • Legitimate SaaS application endpoints that share IP space with threat intelligence indicators, particularly after CDN provider IP reassignment
  • Periodic telemetry agents and heartbeat processes (endpoint agents, SNMP polling, NTP clients) triggering false beaconing alerts at predictable intervals
  • CI/CD pipeline systems making regular outbound API calls to external artifact repositories, package registries, or webhook endpoints
  • Network scanning or inventory tools (Nessus, Qualys, PRTG) that make many connections to external IPs for asset discovery or uptime monitoring
  • Stale threat intel IOCs that remain in lookup tables after infrastructure reuse — an IP previously used for C2 may now serve legitimate content

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulated C2 Beaconing to External IP via PowerShell

    Expected signal: Sysmon Event ID 3 (Network Connection): 10 separate connection events from powershell.exe to httpbin.org IP (public), port 80. Each event records SourceIp, DestinationIp=httpbin.org resolved IP, DestinationPort=80, Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe. Sysmon Event ID 22 (DNS Query): DNS lookup for httpbin.org. DeviceNetworkEvents in MDE: 10 ConnectionSuccess events from powershell.exe to same RemoteIP over 5 minutes, enabling beaconing pattern detection.

  2. Test 2: DNS Resolution of Known C2 Domain Infrastructure

    Expected signal: Sysmon Event ID 22 (DNS Query): three DnsQueryStatus events with QueryName set to each test domain, Image=C:\Windows\System32\nslookup.exe or the calling process. Windows DNS Client Event Log (Microsoft-Windows-DNS-Client/Operational) Event ID 3008 may also capture these queries. DeviceEvents table in MDE with ActionType=DnsQueryResponse if DNS monitoring is enabled.

  3. Test 3: Outbound Connection to TI-Flagged IP via curl

    Expected signal: Sysmon Event ID 3 (Network Connection): connection attempts from curl.exe to 127.0.0.1 on ports 4444 and 8443 — ports commonly used by Cobalt Strike, Metasploit, and other C2 frameworks. DeviceNetworkEvents: RemoteIP=127.0.0.1, RemotePort=4444 and 8443, InitiatingProcessFileName=curl.exe. In a real test with a routable TI-flagged IP, the RemoteIPType would be Public and the ThreatIntelligenceIndicator join would match.

  4. Test 4: Linux C2 Beacon Simulation via curl Loop

    Expected signal: Linux auditd: SYSCALL records for connect() and socket() system calls initiated by curl, capturing destination IP and port. Syslog: if curl failures are logged, entries in /var/log/syslog. Network flow logs: 8 TCP connection records to the httpbin.org IP on port 80 from the source host, each ~15 seconds apart. CEF/Syslog from the perimeter firewall: session records for each connection. If osquery is deployed, the process_open_sockets or process_events table captures each connection.
