Detect Compromise Infrastructure in CrowdStrike LogScale
This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Canonical reference
- https://attack.mitre.org/techniques/T1584/
LogScale Detection Query
// Part 1: Beaconing from non-browser processes
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| RemotePort in [80, 443, 8080, 8443, 4443, 4444, 1080, 3128]
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe", "*SenseIR.exe"])
| groupBy([ComputerName, RemoteAddressIP4, RemotePort, ImageFileName], function=[
count(as=connection_count),
min(timestamp, as=first_seen),
max(timestamp, as=last_seen)
])
| eval duration_hours := (last_seen - first_seen) / 3600000
| where duration_hours > 1
| eval beacon_rate := connection_count / duration_hours
| where connection_count >= 20
| where beacon_rate >= 0.5 AND beacon_rate <= 200.0
| eval alert_type := "SuspiciousBeaconing"
| table [ComputerName, RemoteAddressIP4, RemotePort, ImageFileName, connection_count, beacon_rate, duration_hours, alert_type]
| sort(first_seen, order=desc)
// Part 2: Dynamic DNS resolutions
#event_simpleName = DnsRequest
| match(field=DomainName, regex="(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch)")
| groupBy([DomainName], function=[
count(as=query_count),
count(ComputerName, distinct=true, as=unique_hosts),
collect(ComputerName, as=affected_hosts),
collect(ContextImageFileName, as=processes)
])
| eval alert_type := "SuspiciousDynamicDNSResolution"
| table [DomainName, query_count, unique_hosts, affected_hosts, processes, alert_type]
// Part 3: Fast-flux / high unique destination IPs
#event_simpleName = NetworkConnectIP4
| !cidrMatch(field=RemoteAddressIP4, subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
| !match(field=ImageFileName, values=["*chrome.exe", "*firefox.exe", "*msedge.exe", "*iexplore.exe", "*MsMpEng.exe", "*svchost.exe"])
| bucket(field=timestamp, span=1h, as=time_bucket)
| groupBy([ComputerName, ImageFileName, time_bucket], function=[
count(RemoteAddressIP4, distinct=true, as=unique_dest_ips),
count(as=total_connections),
collect(ImageFileName, as=process_list)
])
| where unique_dest_ips >= 5 AND total_connections >= 10
| eval alert_type := "PotentialFastFlux"
| table [ComputerName, ImageFileName, time_bucket, unique_dest_ips, total_connections, alert_type]
| sort(time_bucket, order=desc)Three CrowdStrike LogScale (CQL) queries detecting T1584 Compromise Infrastructure using Falcon telemetry: (1) C2 beaconing via regular high-frequency NetworkConnectIP4 events from non-browser processes to common C2 ports, (2) DnsRequest events for known dynamic DNS providers used in compromised infrastructure campaigns, and (3) fast-flux detection via high unique destination IP counts per process per hour.
Data Sources
Required Tables
False Positives & Tuning
- Falcon sensor itself or other EDR tools generating high-frequency network connections during scans
- Legitimate software using dynamic DNS for development or testing (e.g., dev environments with personal DDNS)
- VPN client software or proxy tools connecting to many IPs during setup or rotation
Other platforms for T1584
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate C2 Beaconing to Compromised VPS Infrastructure
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.
- Test 2DNS Resolution to Dynamic DNS Provider Domain
Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.
- Test 3Simulate Fast-Flux Connection Pattern from Non-Browser Process
Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
References (8)
- https://attack.mitre.org/techniques/T1584/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.icann.org/en/blogs/details/the-domain-name-hijacking-threat-to-global-internet-security-21-1-2021-en
- https://blog.talosintelligence.com/dnspionage-campaign-targets-middle-east/
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
- https://www.volexity.com/blog/2025/01/17/volttzite-targets-nato-member-using-nearest-neighbor-attack-via-compromised-infrastructure/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- https://sysdig.com/blog/proxyjacking-attackers-hijack-bandwidth/
Unlock Pro Content
Get the full detection package for T1584 including response playbook, investigation guide, and atomic red team tests.