T1665 Hide Infrastructure Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "certutil.exe", "curl.exe", "wget.exe"]);
let LegitCDNSuffixes = dynamic(["akamaized.net", "akamai.net", "cloudfront.net", "amazonaws.com", "cloudflare.com", "azureedge.net", "fastly.net", "cdn.microsoft.com"]);
let URLShorteners = dynamic(["bit.ly", "tinyurl.com", "t.co", "ow.ly", "short.io", "rebrand.ly", "cutt.ly", "is.gd", "buff.ly"]);
// Branch 1: Typosquatted CDN/cloud domain DNS queries from suspicious processes
let Branch1 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| extend DomainLower = tolower(RemoteUrl)
| where (
    DomainLower matches regex @"(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|cdnn\.|c1oudfront|fastIy|micros0ft|arnazon)" or
    (DomainLower has_any ("akamai", "cloudfront", "amazonaws", "fastly", "azureedge") and not(DomainLower has_any (LegitCDNSuffixes)))
  )
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "TyposquattedCDN"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 2: Suspicious process connecting through URL shortener/redirect service
let Branch2 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (URLShorteners)
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "URLShortenerC2"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 3: High-frequency beaconing to same IP from scripting engine (interval-based C2 pattern)
let Branch3 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| where RemoteIPType == "Public"
| summarize ConnectionCount = count(), DistinctPorts = dcount(RemotePort), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleUrl = any(RemoteUrl) by DeviceName, RemoteIP, InitiatingProcessFileName
| where ConnectionCount >= 20 and DistinctPorts <= 2
| extend BeaconDuration = datetime_diff('minute', LastSeen, FirstSeen)
| where BeaconDuration > 30
| extend DetectionBranch = "BeaconingPattern"
| project FirstSeen, DeviceName, InitiatingProcessFileName, RemoteIP, SampleUrl, ConnectionCount, BeaconDuration, DetectionBranch;
union Branch1, Branch2, Branch3
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based
Security scanning tools or red team infrastructure that intentionally mimic CDN domains for authorized testing
High-frequency health checks from monitoring agents to a fixed endpoint that produce beaconing-like patterns

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval domain=lower(QueryName)
| eval is_typosquat=if(match(domain, "(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|c1oudfront|fastly\\.\\w{3,6}\\.com|arnazon)"), 1, 0)
| eval looks_like_cdn=if(match(domain, "(akamai|cloudfront|amazonaws|fastly|azureedge|cloudflare)") AND NOT match(domain, "(\\.akamaized\\.net|\\.akamai\\.net|\\.cloudfront\\.net|\\.amazonaws\\.com|\\.cloudflare\\.com|\\.azureedge\\.net|\\.fastly\\.net)"), 1, 0)
| eval is_url_shortener=if(match(domain, "(bit\\.ly|tinyurl\\.com|t\\.co|ow\\.ly|short\\.io|rebrand\\.ly|cutt\\.ly|is\\.gd|buff\\.ly)"), 1, 0)
| eval suspicious_proc=if(match(lower(Image), "(powershell|cmd\\.exe|wscript|cscript|mshta|regsvr32|rundll32|bitsadmin|certutil|curl\\.exe|wget\\.exe)"), 1, 0)
| where (is_typosquat=1) OR (looks_like_cdn=1 AND suspicious_proc=1) OR (is_url_shortener=1 AND suspicious_proc=1)
| eval risk_score=case(is_typosquat=1 AND suspicious_proc=1, 95, is_typosquat=1, 75, is_url_shortener=1 AND suspicious_proc=1, 70, looks_like_cdn=1 AND suspicious_proc=1, 65, true(), 40)
| eval detection_type=case(is_typosquat=1, "TyposquattedCDNDomain", is_url_shortener=1, "URLShortenerC2", looks_like_cdn=1, "CDNMasquerading", true(), "Unknown")
| stats count as query_count, max(risk_score) as max_risk, values(QueryName) as queried_domains, values(Image) as processes, values(detection_type) as alert_types, min(_time) as first_seen, max(_time) as last_seen by ComputerName, User
| where query_count >= 1 AND max_risk >= 65
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table ComputerName, User, processes, queried_domains, alert_types, query_count, max_risk, first_seen, last_seen

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate PowerShell scripts that programmatically resolve CDN hostnames for health checks or deployment validation
Browser automation or testing frameworks running under cmd.exe or scripting hosts that access URL shorteners for link testing
Security awareness training platforms that use URL shorteners to track click-through rates in phishing simulations
Developer toolchains that use URL shorteners in documentation or configuration files fetched during build processes
Managed antivirus or EDR agents that query cloud provider domains with non-standard hostname patterns for updates

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1665*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Google Chronicle / SecOps

yaral

rule detection_t1665 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Hide Infrastructure - T1665"
    severity = "HIGH"
    mitre_attack = "T1665"
    reference = "https://attack.mitre.org/techniques/T1665/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Hide Infrastructure

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Command and Control

Popular Detections