Detect Compromise Infrastructure in Elastic Security
This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Canonical reference
- https://attack.mitre.org/techniques/T1584/
Elastic Detection Query
// Part 1: Beaconing detection
sequence by host.id, destination.ip with maxspan=7d
[network where event.action in ("connection_attempted", "connection_accepted") and
destination.port in (80, 443, 8080, 8443, 4443, 4444, 1080, 3128) and
not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "safari", "opera.exe", "brave.exe", "svchost.exe", "MsMpEng.exe")] with runs=20
// Part 2: Dynamic DNS resolution
any where event.category == "network" and event.action == "lookup_requested" and
dns.question.name rlike "(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|serveftp\.com|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)"
// Part 3: Fast-flux (high unique IPs per process per hour)
network where event.action == "connection_attempted" and
not cidr_match(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
not process.name in~ ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "MsMpEng.exe", "svchost.exe")
| stats count=count(), unique_ips=count_distinct(destination.ip) by host.name, process.name, @timestamp_bucket("1h")
| where unique_ips >= 5 and count >= 10Detects T1584 Compromise Infrastructure indicators: C2 beaconing patterns (regular high-frequency connections to non-browser processes), DNS resolutions to known dynamic DNS providers abused for compromised infrastructure, and fast-flux activity (high unique destination IPs per process per hour) using Elastic ECS network and DNS events.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software using dynamic DNS for home lab or developer environments (e.g., a developer testing a personal server on duckdns.org)
- Security tools and vulnerability scanners performing high-frequency connections to many IPs
- CDN-backed services or legitimate software updaters with many backend IPs that rotate frequently (fast-flux false positive)
Other platforms for T1584
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate C2 Beaconing to Compromised VPS Infrastructure
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.
- Test 2DNS Resolution to Dynamic DNS Provider Domain
Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.
- Test 3Simulate Fast-Flux Connection Pattern from Non-Browser Process
Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
References (8)
- https://attack.mitre.org/techniques/T1584/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.icann.org/en/blogs/details/the-domain-name-hijacking-threat-to-global-internet-security-21-1-2021-en
- https://blog.talosintelligence.com/dnspionage-campaign-targets-middle-east/
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
- https://www.volexity.com/blog/2025/01/17/volttzite-targets-nato-member-using-nearest-neighbor-attack-via-compromised-infrastructure/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- https://sysdig.com/blog/proxyjacking-attackers-hijack-bandwidth/
Unlock Pro Content
Get the full detection package for T1584 including response playbook, investigation guide, and atomic red team tests.