Detect Compromise Infrastructure in Sumo Logic CSE
This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure — including domains, servers, DNS services, or web services — to conduct operations against the organization. Because T1584 is a PRE-ATT&CK technique focused on adversary preparation, direct detection is not possible at the moment of compromise; instead, this detection identifies downstream indicators: network connections to infrastructure with characteristics consistent with hijacked or recently compromised assets (domains with mismatched registrar history, IPs flagged in threat intelligence, DNS resolutions to newly re-pointed hostnames, and C2 beaconing patterns associated with known compromised-infrastructure campaigns). Alerts from this detection warrant investigation into whether the communicating endpoint has been targeted via phishing, drive-by compromise, or C2 channels routed through legitimate third-party infrastructure.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1584 Compromise Infrastructure
- Canonical reference
- https://attack.mitre.org/techniques/T1584/
Sumo Detection Query
// Part 1: Beaconing detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=DestinationPort "*" as dest_port
| parse field=Image "*" as process_name
| where dest_port in ("80","443","8080","8443","4443","4444","1080","3128")
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe|SenseIR\.exe)/
| timeslice 7d
| count as connection_count, pct(50, _messageTime) as median_time by Computer, dest_ip, dest_port, _timeslice
| where connection_count >= 20
| fields Computer, dest_ip, dest_port, connection_count
| "SuspiciousBeaconing" as alert_type
// Part 2: Dynamic DNS resolution
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "22" OR EventID = "22"
| parse field=QueryName "*" as queried_domain
| parse field=Image "*" as process_name
| where queried_domain matches /(?i)(duckdns\.org|no-ip\.com|hopto\.org|ddns\.net|servebeer\.com|myftp\.biz|redirectme\.net|zapto\.org|sytes\.net|myddns\.me|dynalias\.com)/
| count as query_count, values(Computer) as affected_hosts, values(process_name) as processes by queried_domain
| where query_count >= 1
| "SuspiciousDynamicDNS" as alert_type
| fields queried_domain, query_count, affected_hosts, processes, alert_type
// Part 3: Fast-flux detection
(_sourceCategory=*windows* OR _sourceCategory=*sysmon*)
| where EventCode = "3" OR EventID = "3"
| parse field=DestinationIp "*" as dest_ip
| parse field=Image "*" as process_name
| where !dest_ip matches /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
| where !process_name matches /(?i)(chrome\.exe|firefox\.exe|msedge\.exe|iexplore\.exe|MsMpEng\.exe|svchost\.exe)/
| timeslice 1h
| count as total_connections, dcount(dest_ip) as unique_dest_ips, values(process_name) as processes by Computer, _timeslice
| where unique_dest_ips >= 5 and total_connections >= 10
| "PotentialFastFlux" as alert_type
| fields Computer, _timeslice, unique_dest_ips, total_connections, processes, alert_typeDetects T1584 Compromise Infrastructure indicators in Sumo Logic using three sub-queries targeting Sysmon EventCode 3 (network connections) and EventCode 22 (DNS queries): beaconing via regular high-frequency connections, dynamic DNS provider resolution, and fast-flux activity via high unique destination IPs per hour per host.
Data Sources
Required Tables
False Positives & Tuning
- Security scanning tools performing port sweeps or vulnerability assessments creating fast-flux-like patterns
- Peer-to-peer software (legitimate torrent clients, VoIP) connecting to many unique IPs
- SaaS software with highly distributed CDN backends causing many unique IP resolutions
Other platforms for T1584
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate C2 Beaconing to Compromised VPS Infrastructure
Expected signal: Sysmon Event ID 3 (Network Connection) from powershell.exe to TARGET_IP on port 8080, firing at regular 30-second intervals. DeviceNetworkEvents in Defender for Endpoint will show repeated ConnectionSuccess events from PowerShell to the destination IP.
- Test 2DNS Resolution to Dynamic DNS Provider Domain
Expected signal: Sysmon Event ID 22 (DNS Query) entries for each domain in the $suspiciousDomains list. The Image field will show powershell.exe or the parent process. QueryName will contain the duckdns.org / ddns.net / hopto.org domains.
- Test 3Simulate Fast-Flux Connection Pattern from Non-Browser Process
Expected signal: Sysmon Event ID 3 (Network Connection) events from powershell.exe to 10+ distinct destination IPs on port 80, all occurring within a short time window. DeviceNetworkEvents will show ConnectionAttempt or ConnectionSuccess entries for each target IP.
References (8)
- https://attack.mitre.org/techniques/T1584/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://www.icann.org/en/blogs/details/the-domain-name-hijacking-threat-to-global-internet-security-21-1-2021-en
- https://blog.talosintelligence.com/dnspionage-campaign-targets-middle-east/
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
- https://www.volexity.com/blog/2025/01/17/volttzite-targets-nato-member-using-nearest-neighbor-attack-via-compromised-infrastructure/
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a
- https://sysdig.com/blog/proxyjacking-attackers-hijack-bandwidth/
Unlock Pro Content
Get the full detection package for T1584 including response playbook, investigation guide, and atomic red team tests.