title: Acquire Infrastructure (T1583)
id: df00tech-t1583
status: experimental
description: "This detection identifies indicators that adversaries have acquired or are leveraging external infrastructure for attack operations — including virtual private servers, bulletproof hosting providers, anonymizing VPN services, and residential proxy networks. Because T1583 is a PRE-ATT&CK technique occurring outside direct victim visibility, detection focuses on observable artifacts within the target environment: authentication events originating from known hosting ASNs and VPN exit nodes, DNS resolution of anonymization service domains, and network connection patterns consistent with adversary use of acquired proxy or VPN infrastructure. High-confidence signals include privileged account sign-ins from hosting provider IP ranges (M247, Hetzner, OVH, DigitalOcean), automated tooling user-agents accessing organizational resources from VPS IPs, and connections to infrastructure linked to threat actor campaigns such as Kimsuky, Sea Turtle, and Agrius."
references:
  - https://attack.mitre.org/techniques/T1583/
  - https://df00tech.com/detections/T1583
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: azure
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Employees legitimately connecting via corporate-approved VPN services that share ASNs with commercial hosting providers
  - "Remote developers or contractors using DigitalOcean, Hetzner, or OVH hosted jump boxes for legitimate administrative access"
  - Automated service accounts or CI/CD pipelines running in cloud-hosted environments that authenticate to organizational APIs
  - Security researchers or penetration testers operating from known hosting providers during authorized engagements
  - Employees traveling internationally who use commercial VPN services that route through hosting provider IP ranges
level: high