Detect Hide Infrastructure in Splunk
This detection identifies adversary attempts to conceal command and control infrastructure through domain masquerading, traffic filtering, and proxy chaining. Specific patterns include processes making DNS queries to domains that impersonate legitimate CDN or cloud providers (typosquatting or lookalike domains), unusual processes initiating connections through multi-hop proxy chains, beaconing to URL shorteners or marketing redirect services, and network connections where resolved IPs do not match the expected ASN for the queried domain. The detection targets techniques used by groups such as APT29 (residential proxy routing), Salt Typhoon (JumbledPath hop chains), and DarkGate (CDN masquerading) to extend the operational lifetime of C2 infrastructure by evading automated takedown and sandbox analysis.
MITRE ATT&CK
- Tactic: Command and Control
- Technique: T1665 Hide Infrastructure
- Canonical reference: https://attack.mitre.org/techniques/T1665/
SPL Detection Query
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
| eval domain=lower(QueryName)
| eval is_typosquat=if(match(domain, "(amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|c1oudfront|fastly\\.\\w{3,6}\\.com|arnazon)"), 1, 0)
| eval looks_like_cdn=if(match(domain, "(akamai|cloudfront|amazonaws|fastly|azureedge|cloudflare)") AND NOT match(domain, "(\\.akamaized\\.net|\\.akamai\\.net|\\.cloudfront\\.net|\\.amazonaws\\.com|\\.cloudflare\\.com|\\.azureedge\\.net|\\.fastly\\.net)"), 1, 0)
| eval is_url_shortener=if(match(domain, "(bit\\.ly|tinyurl\\.com|t\\.co|ow\\.ly|short\\.io|rebrand\\.ly|cutt\\.ly|is\\.gd|buff\\.ly)"), 1, 0)
| eval suspicious_proc=if(match(lower(Image), "(powershell|cmd\\.exe|wscript|cscript|mshta|regsvr32|rundll32|bitsadmin|certutil|curl\\.exe|wget\\.exe)"), 1, 0)
| where (is_typosquat=1) OR (looks_like_cdn=1 AND suspicious_proc=1) OR (is_url_shortener=1 AND suspicious_proc=1)
| eval risk_score=case(is_typosquat=1 AND suspicious_proc=1, 95, is_typosquat=1, 75, is_url_shortener=1 AND suspicious_proc=1, 70, looks_like_cdn=1 AND suspicious_proc=1, 65, true(), 40)
| eval detection_type=case(is_typosquat=1, "TyposquattedCDNDomain", is_url_shortener=1, "URLShortenerC2", looks_like_cdn=1, "CDNMasquerading", true(), "Unknown")
| stats count as query_count, max(risk_score) as max_risk, values(QueryName) as queried_domains, values(Image) as processes, values(detection_type) as alert_types, min(_time) as first_seen, max(_time) as last_seen by ComputerName, User
| where query_count >= 1 AND max_risk >= 65
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort -max_risk
| table ComputerName, User, processes, queried_domains, alert_types, query_count, max_risk, first_seen, last_seen
The query uses Sysmon Event ID 22 (DNS query) to detect three C2 infrastructure hiding patterns: typosquatted CDN/cloud provider domains, legitimate CDN lookalike domains queried by suspicious scripting processes, and URL shortener domains queried by interpreter processes. It assigns risk scores and detection type labels to prioritize analyst triage.
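As an added example (not part of this page or the vendor's detection package), the query's eval/where/stats logic is reimplemented in Python so the regexes can be exercised offline against constructed Sysmon Event ID 22 records; field names follow the query, while hostnames, users and paths are made up. The fourth sample illustrates a tuning caveat the False Positives section does not list: because match() is unanchored, the shortener pattern t\.co also fires on benign hostnames such as support.contoso.com.

```python
import re
from collections import defaultdict

# Patterns copied from the SPL match() clauses above; re.search is unanchored, like SPL match().
TYPOSQUAT = re.compile(r"amaz0n|m1crosoft|g00gle|g0ogle|akama1|cloudfl4re|c1oudfront|fastly\.\w{3,6}\.com|arnazon")
CDN_KEYWORD = re.compile(r"akamai|cloudfront|amazonaws|fastly|azureedge|cloudflare")
CDN_LEGIT = re.compile(r"\.akamaized\.net|\.akamai\.net|\.cloudfront\.net|\.amazonaws\.com|\.cloudflare\.com|\.azureedge\.net|\.fastly\.net")
SHORTENER = re.compile(r"bit\.ly|tinyurl\.com|t\.co|ow\.ly|short\.io|rebrand\.ly|cutt\.ly|is\.gd|buff\.ly")
SUSPICIOUS_PROC = re.compile(r"powershell|cmd\.exe|wscript|cscript|mshta|regsvr32|rundll32|bitsadmin|certutil|curl\.exe|wget\.exe")


def classify(event):
    """Apply the query's eval/where logic to one Sysmon Event ID 22 record.
    Returns (detection_type, risk_score), or None when the where clause drops the event."""
    domain = event["QueryName"].lower()
    typo = bool(TYPOSQUAT.search(domain))
    cdn = bool(CDN_KEYWORD.search(domain)) and not CDN_LEGIT.search(domain)
    short = bool(SHORTENER.search(domain))
    susp = bool(SUSPICIOUS_PROC.search(event["Image"].lower()))
    if not (typo or (cdn and susp) or (short and susp)):
        return None
    # SPL case() takes the first true branch, so branch order matters in both expressions
    score = 95 if typo and susp else 75 if typo else 70 if short and susp else 65 if cdn and susp else 40
    dtype = "TyposquattedCDNDomain" if typo else "URLShortenerC2" if short else "CDNMasquerading"
    return dtype, score


def aggregate(events, min_risk=65):
    """The 'stats ... by ComputerName, User | where max_risk >= 65' step of the query."""
    groups = defaultdict(lambda: {"query_count": 0, "max_risk": 0, "queried_domains": set(), "alert_types": set()})
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        g = groups[(ev["ComputerName"], ev["User"])]
        g["query_count"] += 1
        g["max_risk"] = max(g["max_risk"], hit[1])
        g["queried_domains"].add(ev["QueryName"])
        g["alert_types"].add(hit[0])
    return {k: v for k, v in groups.items() if v["max_risk"] >= min_risk}


# Constructed sample events (not real telemetry); hosts, users and paths are made up.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE = [
    {"ComputerName": "WS01", "User": "CORP\\alice", "Image": PS, "QueryName": "d1abc.c1oudfront.net"},  # typosquat + PowerShell -> 95
    {"ComputerName": "WS01", "User": "CORP\\alice", "Image": "C:\\Program Files\\Firefox\\firefox.exe", "QueryName": "d1abc.cloudfront.net"},  # real CDN suffix -> dropped
    {"ComputerName": "WS02", "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\cmd.exe", "QueryName": "cloudfront-cdn.example"},  # lookalike + cmd.exe -> 65
    {"ComputerName": "WS03", "User": "CORP\\svc", "Image": PS, "QueryName": "support.contoso.com"},  # benign; unanchored t\.co hits "support.contoso" -> 70 (false positive)
]

if __name__ == "__main__":
    for key, g in aggregate(SAMPLE).items():
        print(key, g["max_risk"], sorted(g["alert_types"]), sorted(g["queried_domains"]))
```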
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 22, DNS query, as used by the query above)
False Positives & Tuning
- Legitimate PowerShell scripts that programmatically resolve CDN hostnames for health checks or deployment validation
- Browser automation or testing frameworks running under cmd.exe or scripting hosts that access URL shorteners for link testing
- Security awareness training platforms that use URL shorteners to track click-through rates in phishing simulations
- Developer toolchains that use URL shorteners in documentation or configuration files fetched during build processes
- Managed antivirus or EDR agents that query cloud provider domains with non-standard hostname patterns for updates
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CDN Masquerading DNS Query from PowerShell
Expected signal: Sysmon Event ID 22 (DNS query) for each domain queried, with Image pointing to powershell.exe and the QueryName field containing each CDN-lookalike domain. Also generates Sysmon Event ID 1 for the PowerShell process creation.
- Test 2: URL Shortener C2 Redirect Simulation
Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe (suspicious process chain), Sysmon Event ID 22 for DNS queries to bit.ly and tinyurl.com, Sysmon Event ID 3 for outbound TCP connections to those domains on port 443.
- Test 3: SOCKS Proxy Tunnel Creation via SSH Dynamic Forwarding
Expected signal: Sysmon Event ID 1 for ssh.exe with CommandLine containing '-D 1080' dynamic forwarding argument. Sysmon Event ID 3 for attempted TCP connection to localhost:2222. Security Event ID 4688 if process creation auditing is enabled.
- Test 4: High-Frequency Beacon Simulation from Scripting Engine
Expected signal: 25 Sysmon Event ID 3 entries for outbound TCP connections from powershell.exe to the same destination IP on port 443, with consistent 2-second intervals visible in event timestamps. Sysmon Event ID 1 for powershell.exe process creation.
References
- https://attack.mitre.org/techniques/T1665/
- https://www.cisco.com/c/en/us/td/docs/security/talos/salt-typhoon/salt-typhoon-cisco-network-infrastructure.html
- https://www.microsoft.com/en-us/security/blog/2024/12/04/star-blizzard-changes-tactics-to-evade-detection/
- https://blog.talosintelligence.com/darkgate-malware-campaign/
- https://sysdig.com/blog/threat-actor-evading-detection/
- https://www.ncsc.gov.uk/files/Advisory-APT29-targeting-of-cloud-services-and-residential-proxies.pdf