T1665 Microsoft Sentinel · KQL

Detect Hide Infrastructure in Microsoft Sentinel

This detection identifies adversary attempts to conceal command and control infrastructure through domain masquerading, traffic filtering, and proxy chaining. Specific patterns include processes making DNS queries to domains that impersonate legitimate CDN or cloud providers (typosquatting or lookalike domains), unusual processes initiating connections through multi-hop proxy chains, beaconing to URL shorteners or marketing redirect services, and network connections where resolved IPs do not match the expected ASN for the queried domain. The detection targets techniques used by groups such as APT29 (residential proxy routing), Salt Typhoon (JumbledPath hop chains), and DarkGate (CDN masquerading) to extend the operational lifetime of C2 infrastructure by evading automated takedown and sandbox analysis.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1665 Hide Infrastructure
Canonical reference: https://attack.mitre.org/techniques/T1665/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
let SuspiciousProcesses = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "rundll32.exe", "bitsadmin.exe", "certutil.exe", "curl.exe", "wget.exe"]);
let LegitCDNSuffixes = dynamic(["akamaized.net", "akamai.net", "cloudfront.net", "amazonaws.com", "cloudflare.com", "azureedge.net", "fastly.net", "cdn.microsoft.com"]);
let URLShorteners = dynamic(["bit.ly", "tinyurl.com", "t.co", "ow.ly", "short.io", "rebrand.ly", "cutt.ly", "is.gd", "buff.ly"]);
// Branch 1: Typosquatted CDN/cloud domain DNS queries from suspicious processes
let Branch1 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| extend DomainLower = tolower(RemoteUrl)
| where (
    // matches regex is case-sensitive and the input is lowercased, so every lookalike pattern must be lowercase
    // (an uppercase "fastIy" would never match after tolower())
    DomainLower matches regex @"(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|cdnn\.|c1oudfront|fastiy|micros0ft|arnazon)" or
    (DomainLower has_any ("akamai", "cloudfront", "amazonaws", "fastly", "azureedge") and not(DomainLower has_any (LegitCDNSuffixes)))
  )
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "TyposquattedCDN"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 2: Suspicious process connecting through URL shortener/redirect service
let Branch2 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where isnotempty(RemoteUrl)
| where RemoteUrl has_any (URLShorteners)
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| extend DetectionBranch = "URLShortenerC2"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, RemotePort, DetectionBranch;
// Branch 3: High-frequency beaconing to same IP from scripting engine (interval-based C2 pattern)
let Branch3 = DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where ActionType == "ConnectionSuccess"
| where InitiatingProcessFileName has_any (SuspiciousProcesses)
| where RemoteIPType == "Public"
| summarize ConnectionCount = count(), DistinctPorts = dcount(RemotePort), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), SampleUrl = take_any(RemoteUrl) by DeviceName, RemoteIP, InitiatingProcessFileName
| where ConnectionCount >= 20 and DistinctPorts <= 2
| extend BeaconDuration = datetime_diff('minute', LastSeen, FirstSeen)
| where BeaconDuration > 30
| extend DetectionBranch = "BeaconingPattern"
// Expose a TimeGenerated column (most recent check-in) so the final sort orders this branch with the other two
// instead of leaving its rows with a null sort key
| project TimeGenerated = LastSeen, FirstSeen, DeviceName, InitiatingProcessFileName, RemoteIP, SampleUrl, ConnectionCount, BeaconDuration, DetectionBranch;
union Branch1, Branch2, Branch3
| sort by TimeGenerated desc
```
Severity: High · Confidence: Medium

Detects three patterns of C2 infrastructure hiding: (1) connections to typosquatted or lookalike CDN/cloud domains initiated by suspicious scripting processes, (2) suspicious processes communicating through URL shortener redirect chains, and (3) high-frequency beaconing from scripting engines to a single public IP suggesting interval-based C2 check-in. Covers DarkGate CDN masquerading, APT29 residential proxy patterns, and generic staging redirector abuse.
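To check the thresholds of the three branches offline before deploying the rule, here is an added Python re-implementation of the same logic over DeviceNetworkEvents-shaped records (this is not the page's KQL and not Sentinel code; the field subset, the `mk()` helper and the sample telemetry are constructed for the example). The beaconing sample also reproduces the fixed-interval pattern that Test 4 in the Testing Methodology expects to see.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed re-implementation of the page's three KQL branches over dict records with a hypothetical
# subset of DeviceNetworkEvents fields; for offline threshold checking, not the Sentinel query itself.
SUSPICIOUS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe",
              "rundll32.exe", "bitsadmin.exe", "certutil.exe", "curl.exe", "wget.exe"}
LEGIT_CDN = ("akamaized.net", "akamai.net", "cloudfront.net", "amazonaws.com", "cloudflare.com",
             "azureedge.net", "fastly.net", "cdn.microsoft.com")
SHORTENERS = ("bit.ly", "tinyurl.com", "t.co", "ow.ly", "short.io", "rebrand.ly", "cutt.ly", "is.gd", "buff.ly")
LOOKALIKE = re.compile(r"(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|cdnn\.|c1oudfront|fastiy|micros0ft|arnazon)")
CDN_WORDS = ("akamai", "cloudfront", "amazonaws", "fastly", "azureedge")

def classify(ev):
    """Branches 1 and 2: per-event checks; returns the DetectionBranch label or None."""
    if ev["ActionType"] != "ConnectionSuccess" or ev["InitiatingProcessFileName"].lower() not in SUSPICIOUS:
        return None
    dom = ev.get("RemoteUrl", "").lower()  # mirrors DomainLower = tolower(RemoteUrl); empty URL matches nothing
    if LOOKALIKE.search(dom) or (any(w in dom for w in CDN_WORDS) and not any(s in dom for s in LEGIT_CDN)):
        return "TyposquattedCDN"
    if any(s in dom for s in SHORTENERS):
        return "URLShortenerC2"
    return None

def beaconing(events, min_count=20, max_ports=2, min_minutes=30):
    """Branch 3: group by (device, remote IP, process) and apply the page's count/port/duration thresholds."""
    groups = defaultdict(list)
    for ev in events:
        if (ev["ActionType"] == "ConnectionSuccess" and ev.get("RemoteIPType") == "Public"
                and ev["InitiatingProcessFileName"].lower() in SUSPICIOUS):
            groups[(ev["DeviceName"], ev["RemoteIP"], ev["InitiatingProcessFileName"])].append(ev)
    hits = []
    for (device, ip, proc), evs in groups.items():
        ts = sorted(e["TimeGenerated"] for e in evs)
        minutes = int((ts[-1] - ts[0]).total_seconds() // 60)  # datetime_diff('minute', LastSeen, FirstSeen)
        if len(evs) >= min_count and len({e["RemotePort"] for e in evs}) <= max_ports and minutes > min_minutes:
            hits.append({"DeviceName": device, "RemoteIP": ip, "InitiatingProcessFileName": proc,
                         "ConnectionCount": len(evs), "BeaconDuration": minutes, "DetectionBranch": "BeaconingPattern"})
    return hits

# Constructed sample telemetry (not real data): a legit CDN fetch, a lookalike domain, a browser visit to a
# shortener, a script-host visit to a shortener, then 25 mshta.exe connections to one public IP every 2 minutes.
T0 = datetime(2024, 1, 1, 12, 0, 0)
def mk(proc, url, ip, port, minute):
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "DeviceName": "WS01", "ActionType": "ConnectionSuccess",
            "InitiatingProcessFileName": proc, "RemoteUrl": url, "RemoteIP": ip, "RemotePort": port, "RemoteIPType": "Public"}
SAMPLE = [mk("powershell.exe", "d1abc.cloudfront.net", "203.0.113.10", 443, 1),
          mk("powershell.exe", "update.c1oudfront.net", "203.0.113.11", 443, 2),
          mk("chrome.exe", "bit.ly", "203.0.113.12", 443, 3),
          mk("wscript.exe", "tinyurl.com", "203.0.113.13", 443, 4)]
SAMPLE += [mk("mshta.exe", "", "198.51.100.7", 443, 5 + 2 * i) for i in range(25)]
```

Running `classify()` over each record and `beaconing()` over the whole list yields one TyposquattedCDN hit, one URLShortenerC2 hit and one BeaconingPattern hit (25 connections over 48 minutes), while the legitimate cloudfront.net fetch and the browser's shortener visit are left alone.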

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents

False Positives & Tuning

  • Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
  • IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
  • URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based
  • Security scanning tools or red team infrastructure that intentionally mimic CDN domains for authorized testing
  • High-frequency health checks from monitoring agents to a fixed endpoint that produce beaconing-like patterns
Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: CDN Masquerading DNS Query from PowerShell

    Expected signal: Sysmon Event ID 22 (DNS query) for each domain queried, with Image pointing to powershell.exe and the QueryName field containing each CDN-lookalike domain. Also generates Sysmon Event ID 1 for the PowerShell process creation.

  2. Test 2: URL Shortener C2 Redirect Simulation

    Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe (suspicious process chain), Sysmon Event ID 22 for DNS queries to bit.ly and tinyurl.com, Sysmon Event ID 3 for outbound TCP connections to those domains on port 443.

  3. Test 3: SOCKS Proxy Tunnel Creation via SSH Dynamic Forwarding

    Expected signal: Sysmon Event ID 1 for ssh.exe with CommandLine containing the '-D 1080' dynamic forwarding argument. Sysmon Event ID 3 for the attempted TCP connection to localhost:2222. Security Event ID 4688 if process creation auditing is enabled.

  4. Test 4: High-Frequency Beacon Simulation from Scripting Engine

    Expected signal: 25 Sysmon Event ID 3 entries for outbound TCP connections from powershell.exe to the same destination IP on port 443, with consistent 2-second intervals visible in event timestamps. Sysmon Event ID 1 for powershell.exe process creation.
