T1584 IBM QRadar · QRadar

Detect Compromise Infrastructure in IBM QRadar

This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1584 Compromise Infrastructure
Canonical reference
https://attack.mitre.org/techniques/T1584/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
-- Part 1: Beaconing - high-frequency connections to the same destination IP from a non-browser process
SELECT
  DATEFORMAT(MIN(starttime), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(MAX(starttime), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  (MAX(starttime) - MIN(starttime)) / 3600000 AS duration_hours,
  ROUND(COUNT(*) / NULLIF((MAX(starttime) - MIN(starttime)) / 3600000, 0), 2) AS beacon_rate,
  'SuspiciousBeaconing' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000   -- last 7 days, in milliseconds
  AND destinationport IN (80, 443, 8080, 8443, 4443, 4444, 1080, 3128)
  -- INCIDR covers the whole RFC 1918 block; a '172.16.%' prefix match would miss 172.17.0.0-172.31.255.255
  AND NOT (INCIDR('10.0.0.0/8', destinationip)
    OR INCIDR('172.16.0.0/12', destinationip)
    OR INCIDR('192.168.0.0/16', destinationip)
    OR INCIDR('127.0.0.0/8', destinationip))
  -- username is the account, not the process image; to exclude browsers by process,
  -- filter on the property your Sysmon DSM populates from the Image field instead
  AND username NOT ILIKE '%chrome%'
  AND username NOT ILIKE '%firefox%'
GROUP BY sourceip, destinationip, destinationport
HAVING connection_count >= 20
  AND duration_hours > 1
  AND beacon_rate BETWEEN 0.5 AND 200.0

UNION ALL

-- Part 2: Dynamic DNS resolutions (one row per event; the ILIKE match is already case-insensitive)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  destinationip,
  destinationport,
  COUNT(*) AS connection_count,
  0 AS duration_hours,
  0 AS beacon_rate,
  'SuspiciousDynamicDNS' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND (URL ILIKE '%duckdns.org%'
    OR URL ILIKE '%no-ip.com%'
    OR URL ILIKE '%hopto.org%'
    OR URL ILIKE '%ddns.net%'
    OR URL ILIKE '%zapto.org%'
    OR URL ILIKE '%sytes.net%'
    OR URL ILIKE '%myddns.me%'
    OR URL ILIKE '%dynalias.com%')
GROUP BY starttime, sourceip, destinationip, destinationport
HAVING connection_count >= 1

UNION ALL

-- Part 3: Fast-flux / high number of unique destination IPs per source per hour
SELECT
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS first_seen,
  DATEFORMAT(TRUNC(starttime, 'HH'), 'YYYY-MM-dd HH:mm:ss') AS last_seen,
  sourceip,
  'multiple' AS destinationip,
  0 AS destinationport,
  COUNT(*) AS connection_count,
  1 AS duration_hours,
  0 AS beacon_rate,
  'PotentialFastFlux' AS alert_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 604800000
  AND NOT (INCIDR('10.0.0.0/8', destinationip)
    OR INCIDR('172.16.0.0/12', destinationip)
    OR INCIDR('192.168.0.0/16', destinationip))
GROUP BY sourceip, TRUNC(starttime, 'HH')
HAVING UNIQUECOUNT(destinationip) >= 5 AND connection_count >= 10

ORDER BY first_seen DESC
```

Severity: high. Confidence: medium.

Detects T1584 Compromise Infrastructure using three unioned AQL queries: (1) beaconing, seen as high-frequency, regular connections to the same destination IP from non-browser processes; (2) DNS resolutions or connections to known dynamic DNS providers that are abused for C2; and (3) fast-flux indicators, seen as a high count of unique destination IPs per source per hour.
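As an added example (not the page's own code, nor IBM's), the three query parts are rewritten as plain Python over a constructed set of Sysmon-style events, so the thresholds and the private-range exclusion can be checked offline before the AQL is deployed; field names mirror the AQL columns, and external() does whole-CIDR matching, which a '172.16.%' prefix match would not give.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not real telemetry): one dict per Sysmon network/DNS event, starttime in epoch ms.
T0 = int(datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc).timestamp() * 1000)
EVENTS = []
for i in range(25):   # 5-minute beacon to one external IP over two hours
    EVENTS.append({"starttime": T0 + i * 300_000, "sourceip": "192.168.1.10",
                   "destinationip": "203.0.113.5", "destinationport": 8080, "url": ""})
for i in range(25):   # same cadence to 172.20.0.5, inside 172.16.0.0/12: must be excluded
    EVENTS.append({"starttime": T0 + i * 300_000, "sourceip": "192.168.1.10",
                   "destinationip": "172.20.0.5", "destinationport": 443, "url": ""})
for i in range(12):   # ten distinct external IPs within one clock hour
    EVENTS.append({"starttime": T0 + i * 60_000, "sourceip": "192.168.1.20",
                   "destinationip": f"198.51.100.{i % 10 + 1}", "destinationport": 80, "url": ""})
EVENTS.append({"starttime": T0, "sourceip": "192.168.1.30", "destinationip": "203.0.113.9",
               "destinationport": 443, "url": "http://lab-host.duckdns.org/update"})

DYNDNS = ("duckdns.org", "no-ip.com", "hopto.org", "ddns.net",
          "zapto.org", "sytes.net", "myddns.me", "dynalias.com")
C2_PORTS = {80, 443, 8080, 8443, 4443, 4444, 1080, 3128}
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external(ip):
    """Whole-CIDR test (like AQL INCIDR); a '172.16.%' prefix match would miss 172.17-172.31."""
    return not any(ipaddress.ip_address(ip) in n for n in INTERNAL)

def beaconing(events, min_count=20, min_hours=1.0, rate=(0.5, 200.0)):
    """Part 1: per (src, dst, port), connections per hour over the observed span."""
    groups = defaultdict(list)
    for e in events:
        if e["destinationport"] in C2_PORTS and external(e["destinationip"]):
            groups[(e["sourceip"], e["destinationip"], e["destinationport"])].append(e["starttime"])
    hits = {}
    for key, times in groups.items():
        hours = (max(times) - min(times)) / 3_600_000
        r = round(len(times) / hours, 2) if hours else 0.0   # the query's NULLIF guard
        if len(times) >= min_count and hours > min_hours and rate[0] <= r <= rate[1]:
            hits[key] = r
    return hits

def dynamic_dns(events):
    """Part 2: any event whose URL carries a dynamic-DNS provider domain."""
    return [(e["sourceip"], e["url"]) for e in events if any(d in e["url"].lower() for d in DYNDNS)]

def fast_flux(events, min_unique=5, min_count=10):
    """Part 3: per source and clock hour, many distinct external destination IPs."""
    buckets = defaultdict(list)
    for e in events:
        if external(e["destinationip"]):
            buckets[(e["sourceip"], e["starttime"] // 3_600_000)].append(e["destinationip"])
    return {k: len(set(v)) for k, v in buckets.items() if len(set(v)) >= min_unique and len(v) >= min_count}
```

Only the 203.0.113.5 beacon survives Part 1: the identical beacon to 172.20.0.5 is dropped by the CIDR check, which is the gap a '172.16.%' pattern leaves open.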

Data Sources

  • QRadar Windows Security Event Log DSM
  • QRadar Sysmon DSM
  • QRadar DNS DSM
  • QRadar Network Activity (flows)

Required Tables

  • events
  • flows

False Positives & Tuning

  • Automated software update mechanisms making frequent connections to CDN endpoints
  • IT management tools (RMM software) that legitimately connect to cloud management infrastructure at high frequency
  • Developers using dynamic DNS providers for legitimate home or lab infrastructure testing
Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate C2 Beaconing to Compromised VPS Infrastructure

    Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.

  2. Test 2: DNS Resolution to Dynamic DNS Provider Domain

    Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.

  3. Test 3: Simulate Fast-Flux Connection Pattern from Non-Browser Process

    Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
