Which SIEM platforms have a T1665 detection rule?

df00tech provides T1665 (Hide Infrastructure) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Hide Infrastructure (T1665)?

Detecting Hide Infrastructure requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1665 detection?

The T1665 detection is rated high severity with medium confidence.

What are common false positives for T1665?

Common false positives for T1665 include: Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution; IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming; URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based.

T1665: Hide Infrastructure — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "certutil.exe", "curl.exe", "wget.exe"]);
let LegitCDNSuffixes = dynamic(["akamaized.net", "akamai.net", "cloudfront.net", "amazonaws.com", "cloudflare.com", "azureedge.net", "fastly.net", "cdn.microsoft.com"]);
let URLShorteners = dynamic(["bit.ly", "tinyurl.com", "t.co", "ow.ly", "short.io", "rebrand.ly", "cutt.ly", "is.gd", "buff.ly"]);
// Branch 1: Typosquatted CDN/cloud domain DNS queries from suspicious processes
let Branch1 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| extend DomainLower = tolower(RemoteUrl)
| where (
    DomainLower matches regex @"(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|cdnn\.|c1oudfront|fastIy|micros0ft|arnazon)" or
    (DomainLower has_any ("akamai", "cloudfront", "amazonaws", "fastly", "azureedge") and not(DomainLower has_any (LegitCDNSuffixes)))
  )
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "TyposquattedCDN"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 2: Suspicious process connecting through URL shortener/redirect service
let Branch2 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (URLShorteners)
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "URLShortenerC2"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 3: High-frequency beaconing to same IP from scripting engine (interval-based C2 pattern)
let Branch3 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| where RemoteIPType == "Public"
| summarize ConnectionCount = count(), DistinctPorts = dcount(RemotePort), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleUrl = any(RemoteUrl) by DeviceName, RemoteIP, InitiatingProcessFileName
| where ConnectionCount >= 20 and DistinctPorts <= 2
| extend BeaconDuration = datetime_diff('minute', LastSeen, FirstSeen)
| where BeaconDuration > 30
| extend DetectionBranch = "BeaconingPattern"
| project FirstSeen, DeviceName, InitiatingProcessFileName, RemoteIP, SampleUrl, ConnectionCount, BeaconDuration, DetectionBranch;
union Branch1, Branch2, Branch3
| sort by TimeGenerated desc

Detects three patterns of C2 infrastructure hiding: (1) connections to typosquatted or lookalike CDN/cloud domains initiated by suspicious scripting processes, (2) suspicious processes communicating through URL shortener redirect chains, and (3) high-frequency beaconing from scripting engines to a single public IP suggesting interval-based C2 check-in. Covers DarkGate CDN masquerading, APT29 residential proxy patterns, and generic staging redirector abuse.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based
Security scanning tools or red team infrastructure that intentionally mimic CDN domains for authorized testing
High-frequency health checks from monitoring agents to a fixed endpoint that produce beaconing-like patterns

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval domain=lower(QueryName)
| eval is_typosquat=if(match(domain, "(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|c1oudfront|fastly\\.\\w{3,6}\\.com|arnazon)"), 1, 0)
| eval looks_like_cdn=if(match(domain, "(akamai|cloudfront|amazonaws|fastly|azureedge|cloudflare)") AND NOT match(domain, "(\\.akamaized\\.net|\\.akamai\\.net|\\.cloudfront\\.net|\\.amazonaws\\.com|\\.cloudflare\\.com|\\.azureedge\\.net|\\.fastly\\.net)"), 1, 0)
| eval is_url_shortener=if(match(domain, "(bit\\.ly|tinyurl\\.com|t\\.co|ow\\.ly|short\\.io|rebrand\\.ly|cutt\\.ly|is\\.gd|buff\\.ly)"), 1, 0)
| eval suspicious_proc=if(match(lower(Image), "(powershell|cmd\\.exe|wscript|cscript|mshta|regsvr32|rundll32|bitsadmin|certutil|curl\\.exe|wget\\.exe)"), 1, 0)
| where (is_typosquat=1) OR (looks_like_cdn=1 AND suspicious_proc=1) OR (is_url_shortener=1 AND suspicious_proc=1)
| eval risk_score=case(is_typosquat=1 AND suspicious_proc=1, 95, is_typosquat=1, 75, is_url_shortener=1 AND suspicious_proc=1, 70, looks_like_cdn=1 AND suspicious_proc=1, 65, true(), 40)
| eval detection_type=case(is_typosquat=1, "TyposquattedCDNDomain", is_url_shortener=1, "URLShortenerC2", looks_like_cdn=1, "CDNMasquerading", true(), "Unknown")
| stats count as query_count, max(risk_score) as max_risk, values(QueryName) as queried_domains, values(Image) as processes, values(detection_type) as alert_types, min(_time) as first_seen, max(_time) as last_seen by ComputerName, User
| where query_count >= 1 AND max_risk >= 65
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table ComputerName, User, processes, queried_domains, alert_types, query_count, max_risk, first_seen, last_seen

Uses Sysmon Event ID 22 (DNS query) to detect three C2 infrastructure hiding patterns: typosquatted CDN/cloud provider domains, legitimate CDN lookalike domains queried by suspicious scripting processes, and URL shortener domains queried by interpreter processes. Assigns risk scores and detection type labels to prioritize analyst triage.

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate PowerShell scripts that programmatically resolve CDN hostnames for health checks or deployment validation
Browser automation or testing frameworks running under cmd.exe or scripting hosts that access URL shorteners for link testing
Security awareness training platforms that use URL shorteners to track click-through rates in phishing simulations
Developer toolchains that use URL shorteners in documentation or configuration files fetched during build processes
Managed antivirus or EDR agents that query cloud provider domains with non-standard hostname patterns for updates

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1665*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Hide Infrastructure (T1665). Identifies hide infrastructure activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for Hide Infrastructure (T1665). Queries QRadar event pipeline for indicators consistent with hide infrastructure adversary techniques using MITRE ATT&CK-aligned event categorization.

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for Hide Infrastructure (T1665). Identifies adversary hide infrastructure behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Google Chronicle / SecOps

yaral

rule detection_t1665 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Hide Infrastructure - T1665"
    severity = "HIGH"
    mitre_attack = "T1665"
    reference = "https://attack.mitre.org/techniques/T1665/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting Hide Infrastructure (T1665). Uses Chronicle UDM event model to identify hide infrastructure behaviors across endpoint and cloud telemetry.

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for Hide Infrastructure (T1665). Queries Falcon telemetry for hide infrastructure behavioral indicators aligned with MITRE ATT&CK T1665.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Hide Infrastructure

What is T1665 Hide Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1665

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Command and Control

Popular Detections

What is T1665 Hide Infrastructure?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1665

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Command and Control

Popular Detections

Get new detections in your inbox