Detect Compromise Infrastructure in Splunk
This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1584 Compromise Infrastructure
- Canonical reference: https://attack.mitre.org/techniques/T1584/
SPL Detection Query
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 earliest=-7d@d
| eval dest_ip=DestinationIp, dest_port=DestinationPort, process=Image
| where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fd)")
| where dest_port IN (80, 443, 4444, 4443, 8080, 8443, 1080, 3128, 9001, 9030)
| where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)")
| stats count AS connection_count, values(process) AS processes, min(_time) AS first_seen, max(_time) AS last_seen by Computer, dest_ip
| where connection_count >= 20
| eval duration_hours=round((last_seen - first_seen) / 3600, 2)
| where duration_hours > 1
| eval beacon_rate=round(connection_count / duration_hours, 2)
| where beacon_rate > 0.5 AND beacon_rate < 200
| eval alert_type="SuspiciousBeaconing", _time=last_seen
| table _time, Computer, dest_ip, connection_count, processes, beacon_rate, duration_hours, alert_type
| append
    [ search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22 earliest=-7d@d
    | eval queried_domain=QueryName, process=Image
    | where match(queried_domain, "(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com|chickenkiller\.com|gotdns\.ch|crabdance\.com|ignorelist\.com)")
    | stats count AS query_count, dc(Computer) AS unique_hosts, values(process) AS processes, values(Computer) AS affected_hosts by queried_domain
    | where query_count >= 1
    | eval alert_type="SuspiciousDynamicDNSResolution", _time=now()
    | table _time, queried_domain, query_count, unique_hosts, processes, affected_hosts, alert_type ]
| append
    [ search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 earliest=-7d@d
    | eval dest_ip=DestinationIp, process=Image, src_host=Computer
    | where NOT match(dest_ip, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
    | where NOT match(process, "(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)")
    | bin _time span=1h
    | stats dc(dest_ip) AS unique_dest_ips, count AS total_connections, values(process) AS processes by src_host, _time
    | where unique_dest_ips >= 10 AND total_connections >= 20
    | eval alert_type="PotentialFastFluxOrBotnetActivity"
    | table _time, src_host, unique_dest_ips, total_connections, processes, alert_type ]
| sort - _time

Three-branch SPL detection using Sysmon Event ID 3 (Network Connection) and Event ID 22 (DNS Query): the first branch detects regular beaconing from non-browser processes to external IPs, the second detects DNS resolutions to dynamic DNS providers commonly used to re-point compromised infrastructure, and the third detects fast-flux-like behavior indicative of botnet or proxy network abuse through hijacked hosts. The three result sets are combined with append because each branch aggregates on different fields, and the 7-day window is applied with earliest= in each search so the time bounds are enforced at index time rather than after a full scan.
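To make the beaconing branch's arithmetic concrete, here is an added Python re-implementation (not part of the page's detection and not Splunk code) that replays constructed Sysmon Event ID 3 records through the same private-range exclusion, port list, process allowlist and thresholds as the SPL above; the host name, image paths and 203.0.113.x addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Same exclusions and thresholds as the SPL beaconing branch.
PRIVATE_RE = re.compile(r"^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|fd)")
ALLOWED_PROC_RE = re.compile(r"(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)")
WATCHED_PORTS = {80, 443, 4444, 4443, 8080, 8443, 1080, 3128, 9001, 9030}
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime, e.g. 2024-01-01 09:00:00.000

def find_beacons(events, min_count=20, min_hours=1.0, min_rate=0.5, max_rate=200.0):
    """Group Sysmon Event ID 3 records by (Computer, dest_ip), then keep the pairs whose
    connection count, duration and connections-per-hour cross the SPL thresholds."""
    groups = defaultdict(list)
    for ev in events:
        if PRIVATE_RE.match(ev["DestinationIp"]) or int(ev["DestinationPort"]) not in WATCHED_PORTS:
            continue  # internal traffic and unwatched ports are out of scope, as in the SPL
        if ALLOWED_PROC_RE.search(ev["Image"]):
            continue  # browsers, Defender and svchost are allowlisted noise sources
        ts = datetime.strptime(ev["UtcTime"], SYSMON_TIME_FMT)  # mirrors the strptime of UtcTime
        groups[(ev["Computer"], ev["DestinationIp"])].append(ts)
    alerts = []
    for (host, dest_ip), times in groups.items():
        count = len(times)
        duration_hours = round((max(times) - min(times)).total_seconds() / 3600, 2)
        if count < min_count or duration_hours <= min_hours:
            continue
        beacon_rate = round(count / duration_hours, 2)
        if min_rate < beacon_rate < max_rate:
            alerts.append({"Computer": host, "dest_ip": dest_ip, "connection_count": count,
                           "duration_hours": duration_hours, "beacon_rate": beacon_rate,
                           "alert_type": "SuspiciousBeaconing"})
    return alerts

def sample_events():
    """Constructed telemetry (not real data): powershell.exe connecting to a documentation-range
    IP every 30 s for two hours, plus Chrome traffic over the same period that must be ignored."""
    start = datetime(2024, 1, 1, 9, 0, 0)
    stamp = lambda i: (start + timedelta(seconds=30 * i)).strftime(SYSMON_TIME_FMT)[:-3]
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    events = [{"Computer": "WKS01", "Image": ps, "DestinationIp": "203.0.113.10",
               "DestinationPort": "8080", "UtcTime": stamp(i)} for i in range(241)]
    events += [{"Computer": "WKS01", "Image": chrome, "DestinationIp": "203.0.113.20",
                "DestinationPort": "443", "UtcTime": stamp(i)} for i in range(241)]
    return events

if __name__ == "__main__":
    print(find_beacons(sample_events()))  # one SuspiciousBeaconing alert for 203.0.113.10
```

The PowerShell series yields 241 connections over exactly 2.0 hours (beacon_rate 120.5), inside the 0.5 to 200 window, while the Chrome series is dropped by the process allowlist before aggregation.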
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 3 Network Connection and Event ID 22 DNS Query, with the DestinationIp, DestinationPort, Image, QueryName and Computer fields extracted)
False Positives & Tuning
- RMM agents (ConnectWise, Kaseya, Datto) making frequent connections to cloud-hosted management infrastructure
- Developers using dynamic DNS services (e.g., duckdns.org) for personal project hosting or lab environments
- Software update checkers, game launchers, or peer-to-peer applications that connect to many distinct IPs over short periods
- Security tools performing threat intelligence lookups or sandbox detonation queries against diverse external endpoints
- VPN concentrators or split-tunnel clients that route through cloud hosting IPs matching ASN-based filters
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate C2 Beaconing to Compromised VPS Infrastructure
  Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.
- Test 2: DNS Resolution to Dynamic DNS Provider Domain
  Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.
- Test 3: Simulate Fast-Flux Connection Pattern from Non-Browser Process
  Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
References
- https://attack.mitre.org/techniques/T1584/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.icann.org/en/blogs/details/the-domain-name-hijacking-threat-to-global-internet-security-21-1-2021-en
- https://blog.talosintelligence.com/dnspionage-campaign-targets-middle-east/
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
- https://www.volexity.com/blog/2025/01/17/volttzite-targets-nato-member-using-nearest-neighbor-attack-via-compromised-infrastructure/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- https://sysdig.com/blog/proxyjacking-attackers-hijack-bandwidth/