Detect Hide Infrastructure in Elastic Security
This detection identifies adversary attempts to conceal command and control infrastructure through domain masquerading, traffic filtering, and proxy chaining. Specific patterns include processes making DNS queries to domains that impersonate legitimate CDN or cloud providers (typosquatting or lookalike domains), unusual processes initiating connections through multi-hop proxy chains, beaconing to URL shorteners or marketing redirect services, and network connections where resolved IPs do not match the expected ASN for the queried domain. The detection targets techniques used by groups such as APT29 (residential proxy routing), Salt Typhoon (JumbledPath hop chains), and DarkGate (CDN masquerading) to extend the operational lifetime of C2 infrastructure by evading automated takedown and sandbox analysis.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1665 Hide Infrastructure
- Canonical reference: https://attack.mitre.org/techniques/T1665/
Elastic Detection Query
process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1665*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for Hide Infrastructure (T1665). Identifies hide infrastructure activity by correlating endpoint telemetry patterns consistent with known adversary techniques.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
- IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
- URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CDN Masquerading DNS Query from PowerShell
Expected signal: Sysmon Event ID 22 (DNS query) for each domain queried, with Image pointing to powershell.exe and the QueryName field containing each CDN-lookalike domain. Also generates Sysmon Event ID 1 for the PowerShell process creation.
- Test 2: URL Shortener C2 Redirect Simulation
Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe (suspicious process chain), Sysmon Event ID 22 for DNS queries to bit.ly and tinyurl.com, Sysmon Event ID 3 for outbound TCP connections to those domains on port 443.
- Test 3: SOCKS Proxy Tunnel Creation via SSH Dynamic Forwarding
Expected signal: Sysmon Event ID 1 for ssh.exe with CommandLine containing '-D 1080' dynamic forwarding argument. Sysmon Event ID 3 for attempted TCP connection to localhost:2222. Security Event ID 4688 if process creation auditing is enabled.
- Test 4: High-Frequency Beacon Simulation from Scripting Engine
Expected signal: 25 Sysmon Event ID 3 entries for outbound TCP connections from powershell.exe to the same destination IP on port 443, with consistent 2-second intervals visible in event timestamps. Sysmon Event ID 1 for powershell.exe process creation.
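As an added, illustrative analytic (not part of this detection package or of Elastic's rule set), the Python below checks constructed Sysmon-style records for the Test 1 and Test 4 signals: a scripting engine resolving a CDN-lookalike name, and fixed-interval connections from one image to one destination. The CDN allowlist, brand labels, event field names and thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical allowlist of real CDN registered domains and the brand labels they use.
KNOWN_CDN_DOMAINS = {"cloudfront.net", "akamaihd.net", "azureedge.net", "fastly.net"}
CDN_BRANDS = {"cloudfront", "akamaihd", "azureedge", "fastly"}
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def edit_distance(a, b):  # Levenshtein; 1-2 edits from a CDN brand is the typosquat signal
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_cdn_lookalike(qname):
    """True when a label mimics a CDN brand but the registered domain is not a known CDN."""
    labels = qname.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in KNOWN_CDN_DOMAINS:
        return False
    return any(len(lbl) >= 5 and edit_distance(lbl, brand) <= 2
               for lbl in labels for brand in CDN_BRANDS)

def flag_lookalike_dns(events):
    """Test 1: Sysmon EID 22 from a scripting engine resolving a CDN-lookalike name."""
    return [e["query_name"] for e in events if e["event_id"] == 22
            and e["image"].rsplit("\\", 1)[-1].lower() in SCRIPT_ENGINES
            and is_cdn_lookalike(e["query_name"])]

def flag_beacons(events, min_conns=10, max_jitter=0.2):
    """Test 4: EID 3 connections to one image/IP/port whose inter-arrival gaps barely vary."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 3:
            buckets[(e["image"], e["dest_ip"], e["dest_port"])].append(datetime.fromisoformat(e["ts"]))
    hits = []
    for key, times in buckets.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]  # events arrive in order
        if len(times) >= max(min_conns, 2) and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)  # coefficient of variation near 0 means a fixed sleep with no jitter
    return hits
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = (  # constructed Sysmon-style records, not real telemetry
    [{"event_id": 22, "image": PS, "query_name": "assets.cloudfr0nt.net"},
     {"event_id": 22, "image": PS, "query_name": "d1234.cloudfront.net"}]
    + [{"event_id": 3, "image": PS, "dest_ip": "203.0.113.10", "dest_port": 443,
        "ts": (datetime(2024, 1, 1, 12) + timedelta(seconds=2 * i)).isoformat()} for i in range(25)])
```

Running `flag_lookalike_dns(SAMPLE_EVENTS)` and `flag_beacons(SAMPLE_EVENTS)` reproduces the two expected signals; the jitter threshold is the main tuning knob against updaters that poll on a fixed schedule.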
References (6)
- https://attack.mitre.org/techniques/T1665/
- https://www.cisco.com/c/en/us/td/docs/security/talos/salt-typhoon/salt-typhoon-cisco-network-infrastructure.html
- https://www.microsoft.com/en-us/security/blog/2024/12/04/star-blizzard-changes-tactics-to-evade-detection/
- https://blog.talosintelligence.com/darkgate-malware-campaign/
- https://sysdig.com/blog/threat-actor-evading-detection/
- https://www.ncsc.gov.uk/files/Advisory-APT29-targeting-of-cloud-services-and-residential-proxies.pdf