title: Compromise Infrastructure (T1584)
id: df00tech-t1584
status: experimental
description: "This detection identifies indicators that adversaries may be leveraging compromised third-party infrastructure (domains, servers, DNS services, or web services) to conduct operations against the organization. T1584 belongs to the Resource Development tactic (the former PRE-ATT&CK content, now part of Enterprise ATT&CK); the compromise itself happens on a third party's systems, outside the defender's telemetry, so it cannot be observed directly. This detection instead looks for downstream indicators when the organization's endpoints contact that infrastructure: connections to domains with mismatched or recently changed registrar history, destination IPs flagged in threat intelligence, DNS resolutions to hostnames that were recently re-pointed, and regular beaconing patterns associated with known compromised-infrastructure campaigns. Alerts from this detection warrant investigation into whether the communicating endpoint was targeted via phishing, drive-by compromise, or a C2 channel routed through otherwise legitimate third-party infrastructure."
references:
  - https://attack.mitre.org/techniques/T1584/
  - https://df00tech.com/detections/T1584
author: df00tech
date: 2026/04/13
tags:
  - attack.t1584
# NOTE: logsource is auto-derived and may need adjustment for your environment
# (with the standard Sigma mapping this category selects Sysmon Event ID 3, Network connection detected)
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # PLACEHOLDER: the selection below matches every network_connection event, so the rule
  # will alert on all traffic if deployed as-is. Replace it with the ported query (threat-intel
  # IP match, recently re-pointed DNS hostnames, beaconing interval check) before enabling it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software update services or telemetry agents making frequent connections to cloud infrastructure on shared hosting providers
  - VPN or proxy clients using dynamic DNS hostnames for legitimate enterprise connectivity
  - "IT monitoring and RMM tools (e.g., ConnectWise, Kaseya) that beacon regularly to SaaS infrastructure hosted on major cloud ASNs"
  - CDN-backed services with high IP rotation that may appear as fast-flux to endpoint telemetry
  - "Developers running local tunneling tools (ngrok, localtunnel) that resolve to dynamic DNS entries"
level: high
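The downstream indicators the description lists, run over constructed Sysmon Event ID 3 records, as an added example. This is not df00tech's query; the threat-intel feed, passive-DNS history, allowlist of legitimately beaconing destinations and the thresholds (seven-day re-point window, six-connection minimum, 10% inter-arrival jitter) are assumptions chosen for illustration.

```python
"""Added example, not part of the df00tech rule: score network-connection events
for the T1584 downstream indicators (TI-flagged IP, recently re-pointed DNS name,
regular beaconing). All inputs are constructed inline; field names follow Sysmon EID 3."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed threat-intel feed: IPs reported as compromised infrastructure (assumption).
TI_FLAGGED_IPS = {"203.0.113.45"}

# Constructed passive-DNS history: hostname -> [(first_seen, ip), ...], oldest first (assumption).
PDNS = {
    "cdn.example-partner.com": [
        (datetime(2026, 1, 10), "198.51.100.20"),
        (datetime(2026, 4, 11), "203.0.113.45"),  # re-pointed two days before the traffic below
    ],
    "updates.example-vendor.com": [(datetime(2024, 3, 1), "192.0.2.10")],
}

# Destinations that beacon legitimately (RMM, update, telemetry agents); constructed.
ALLOWLIST = {"updates.example-vendor.com"}

REPOINT_WINDOW = timedelta(days=7)   # assumed: a resolution change this recent is suspicious
MIN_BEACONS = 6                      # assumed: minimum connections before judging regularity
MAX_JITTER = 0.10                    # assumed: max coefficient of variation of inter-arrival gaps
SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"   # Sysmon UtcTime layout
T0 = datetime(2026, 4, 13, 9, 0, 0)  # start of the constructed sample


def recently_repointed(hostname, when):
    """True if the hostname's current resolution replaced an older one within
    REPOINT_WINDOW before `when`, i.e. the name was re-pointed shortly before use."""
    hist = PDNS.get(hostname, [])
    if len(hist) < 2:
        return False
    first_seen, _ = hist[-1]
    return timedelta(0) <= when - first_seen <= REPOINT_WINDOW


def is_beaconing(timestamps):
    """True when there are at least MIN_BEACONS connections whose spacing is
    near-constant (coefficient of variation of the gaps <= MAX_JITTER)."""
    if len(timestamps) < MIN_BEACONS:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= MAX_JITTER


def analyze(events):
    """Group EID 3 events per (Computer, DestinationHostname, DestinationIp) and
    return one finding per pair that carries at least one indicator."""
    pairs = defaultdict(list)
    for ev in events:
        host = ev.get("DestinationHostname", "")
        if host in ALLOWLIST:           # suppress the known-good beaconers from falsepositives
            continue
        key = (ev["Computer"], host, ev["DestinationIp"])
        pairs[key].append(datetime.strptime(ev["UtcTime"], SYSMON_TS))
    findings = []
    for (computer, host, ip), times in pairs.items():
        reasons = []
        if ip in TI_FLAGGED_IPS:
            reasons.append("ti_flagged_ip")
        if recently_repointed(host, max(times)):
            reasons.append("dns_repointed")
        if is_beaconing(times):
            reasons.append("beaconing")
        if reasons:
            findings.append({"Computer": computer, "DestinationHostname": host,
                             "DestinationIp": ip, "connections": len(times),
                             "reasons": sorted(reasons)})
    return findings


def seconds_after(offsets):
    """Timestamps at T0 + each offset in seconds (helper for building samples)."""
    return [T0 + timedelta(seconds=s) for s in offsets]


def _mk(computer, host, ip, offsets):
    """Construct Sysmon-style EID 3 records at the given second offsets from T0."""
    return [{"EventID": 3, "Computer": computer,
             "Image": "C:\\Windows\\System32\\svchost.exe",
             "DestinationHostname": host, "DestinationIp": ip, "DestinationPort": 443,
             "UtcTime": t.strftime(SYSMON_TS)[:-3]} for t in seconds_after(offsets)]


# Constructed sample: a slightly jittered 60 s beacon to the re-pointed, TI-flagged host;
# a regular updater that is allowlisted; and irregular browsing that should not fire.
SAMPLE_EVENTS = (
    _mk("WS01", "cdn.example-partner.com", "203.0.113.45", (0, 62, 119, 183, 240, 301, 358, 421))
    + _mk("WS01", "updates.example-vendor.com", "192.0.2.10", range(0, 2400, 300))
    + _mk("WS02", "www.example.net", "198.51.100.77", (0, 37, 410, 1900))
)

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

Run as a script it prints a single finding for WS01 against 203.0.113.45 with all three reasons; the allowlisted updater and the irregular browsing produce nothing. In production the passive-DNS lookup and TI match would be joins against real feeds, and the beaconing check should run over a sliding window rather than the whole event set.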
