T1584 Google Chronicle · YARA-L

Detect Compromise Infrastructure in Google Chronicle

This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1584 Compromise Infrastructure
Canonical reference: https://attack.mitre.org/techniques/T1584/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1584_compromise_infrastructure_beaconing {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects potential C2 beaconing via compromised third-party infrastructure (T1584). Identifies high-frequency regular connections from non-browser processes to external IPs on common C2 ports."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    $e.network.direction = "OUTBOUND"
    $e.target.port in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|safari|opera\.exe|brave\.exe|svchost\.exe|MsMpEng\.exe)`)
    $e.principal.hostname = $hostname
    $e.target.ip = $dest_ip

  match:
    $hostname, $dest_ip over 1h

  outcome:
    $connection_count = count_distinct($e.metadata.id)
    $sample_processes = array_distinct($e.principal.process.file.full_path)
    $dest_ports = array_distinct($e.target.port)

  condition:
    #e >= 20
}

rule t1584_compromise_infrastructure_dynamic_dns {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects DNS lookups to dynamic DNS providers commonly used for compromised infrastructure C2 channels (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_DNS"
    re.regex($e.network.dns.questions.name, `(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)`)
    $e.principal.hostname = $hostname
    $e.network.dns.questions.name = $domain

  match:
    $hostname, $domain over 1h

  outcome:
    $query_count = count_distinct($e.metadata.id)
    $process_list = array_distinct($e.principal.process.file.full_path)

  condition:
    #e >= 1
}

rule t1584_compromise_infrastructure_fast_flux {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects fast-flux network behavior from non-browser processes — high count of unique destination IPs over a short period, consistent with botnet C2 via compromised infrastructure (T1584)."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1584"
    severity = "MEDIUM"
    confidence = "MEDIUM"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
    not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
    not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
    not re.regex($e.principal.process.file.full_path, `(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)`)
    $e.principal.hostname = $hostname
    $e.principal.process.file.full_path = $proc

  match:
    $hostname, $proc over 1h

  outcome:
    $unique_dest_ips = count_distinct($e.target.ip)
    $total_connections = count_distinct($e.metadata.id)
    $dest_ip_list = array_distinct($e.target.ip)

  condition:
    #e >= 10 and $unique_dest_ips >= 5
}
Severity: High · Confidence: Medium

Three Chronicle YARA-L 2.0 rules detecting T1584 Compromise Infrastructure: (1) C2 beaconing via high-frequency outbound connections from non-browser processes to common C2 ports, (2) DNS resolutions to known dynamic DNS providers used for compromised infrastructure C2, and (3) fast-flux activity via high unique destination IP counts from non-browser processes.
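As an added example that is not part of the original rule pack or of Chronicle itself, the following Python models the event-level filters and the match/condition logic of rules 1 (beaconing) and 3 (fast-flux) over a constructed set of UDM-shaped NETWORK_CONNECTION events, so the thresholds can be sanity-checked offline. The event dictionaries, hostnames, process paths and IPs are constructed; the sliding one-hour window is an approximation of Chronicle's match window.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
# Exclusions copied from the YARA-L rules; everything else here is an added reference model.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
EXCLUDED_PROCS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
                  "safari", "opera.exe", "brave.exe", "svchost.exe", "msmpeng.exe")
C2_PORTS = {80, 443, 8080, 8443, 4443, 4444, 1080, 3128}

def is_candidate(ev):  # filters shared by both rules (rule 1's stricter set is used for both)
    if ev["event_type"] != "NETWORK_CONNECTION" or ev["direction"] != "OUTBOUND":
        return False
    if any(ipaddress.ip_address(ev["target_ip"]) in net for net in PRIVATE_RANGES):
        return False
    return not any(name in ev["process"].lower() for name in EXCLUDED_PROCS)

def beaconing_hits(events, window=timedelta(hours=1), threshold=20):
    """Rule 1: >= threshold hits to one (hostname, dest_ip) on a C2 port inside the window."""
    buckets = defaultdict(list)
    for ev in events:
        if is_candidate(ev) and ev["target_port"] in C2_PORTS:
            buckets[(ev["hostname"], ev["target_ip"])].append(ev["ts"])
    hits = {}
    for key, stamps in buckets.items():
        stamps.sort()  # sliding window: densest run of events within `window` of some start
        best = max(sum(1 for t in stamps[i:] if t - stamps[i] <= window) for i in range(len(stamps)))
        if best >= threshold:
            hits[key] = best
    return hits

def fast_flux_hits(events, min_events=10, min_ips=5):
    """Rule 3: one (hostname, process) reaching many distinct external IPs; returns IP counts."""
    buckets = defaultdict(list)
    for ev in events:
        if is_candidate(ev):
            buckets[(ev["hostname"], ev["process"])].append(ev["target_ip"])
    return {k: len(set(v)) for k, v in buckets.items() if len(v) >= min_events and len(set(v)) >= min_ips}

T0 = datetime(2024, 1, 1, 12, 0)
# Constructed rows (host, process, ip, port, seconds offset): 25 PowerShell beacons 30 s apart
# (rule 1), a loader touching 6 external IPs (rule 3), and Chrome traffic both rules must skip.
ROWS = ([("ws01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "203.0.113.10", 8080, 30 * i)
         for i in range(25)]
        + [("ws02", r"C:\Users\a\loader.exe", f"198.51.100.{i % 6 + 1}", 80, 60 * i) for i in range(12)]
        + [("ws03", r"C:\Program Files\Google\Chrome\Application\chrome.exe", "203.0.113.10", 443, i)
           for i in range(30)])
SAMPLE_EVENTS = [dict(event_type="NETWORK_CONNECTION", direction="OUTBOUND", hostname=h, process=p,
                      target_ip=ip, target_port=port, ts=T0 + timedelta(seconds=s))
                 for h, p, ip, port, s in ROWS]
```

Running `beaconing_hits(SAMPLE_EVENTS)` flags only the ws01 PowerShell pair, and `fast_flux_hits(SAMPLE_EVENTS)` flags only the ws02 loader; the Chrome rows are dropped by the process exclusion in both.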

Data Sources

  • Chronicle UDM - Network Events
  • Chronicle UDM - DNS Events
  • Google Workspace / Chrome Enterprise
  • Windows Event Forwarding to Chronicle

Required Tables

  • NETWORK_CONNECTION UDM events
  • NETWORK_DNS UDM events

False Positives & Tuning

  • Legitimate use of dynamic DNS by developers or home lab operators for personal services
  • Network monitoring or asset inventory tools performing high-frequency scans to many IPs
  • Load-balanced cloud services with many backend IPs causing fast-flux-like DNS patterns
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate C2 Beaconing to Compromised VPS Infrastructure

    Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.

  2. Test 2: DNS Resolution to Dynamic DNS Provider Domain

    Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.

  3. Test 3: Simulate Fast-Flux Connection Pattern from Non-Browser Process

    Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
