title: Hide Infrastructure (T1665)
id: df00tech-t1665
status: experimental
description: "This detection identifies adversary attempts to conceal command and control infrastructure through domain masquerading, traffic filtering, and proxy chaining. Specific patterns include processes making DNS queries to domains that impersonate legitimate CDN or cloud providers (typosquatting or lookalike domains), unusual processes initiating connections through multi-hop proxy chains, beaconing to URL shorteners or marketing redirect services, and network connections where resolved IPs do not match the expected ASN for the queried domain. The detection targets techniques used by groups such as APT29 (residential proxy routing), Salt Typhoon (JumbledPath hop chains), and DarkGate (CDN masquerading) to extend the operational lifetime of C2 infrastructure by evading automated takedown and sandbox analysis."
references:
  - https://attack.mitre.org/techniques/T1665/
  - https://df00tech.com/detections/T1665
author: df00tech
date: 2026/03/20
tags:
  - attack.t1665
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software updaters or telemetry agents that use CDN-like domain naming conventions for load distribution
  - "IT automation scripts (Ansible, Chef, Puppet) that download packages from CDN mirrors with non-standard naming"
  - "URL shorteners used legitimately by collaboration tools (Slack, Teams bot integrations) where the bot process may be PowerShell-based"
  - Security scanning tools or red team infrastructure that intentionally mimic CDN domains for authorized testing
  - High-frequency health checks from monitoring agents to a fixed endpoint that produce beaconing-like patterns
level: high
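The rule above ships only a placeholder `EventID: '*'` selection, so the three indicators its description names (lookalike CDN/cloud domains, beaconing to URL shorteners, resolved IP outside the expected ASN) are shown here as a worked example. This Python is an added illustration, not df00tech's rule or the KQL/SPL query it references; the provider labels, shortener list, expected-ASN map, thresholds, ASNs and event records are all constructed for the example.

```python
"""Added example: score process network events for the T1665 hiding patterns
named in the rule description. Reference data and events are constructed."""
import difflib
import statistics
from collections import defaultdict

# Constructed: registrable labels of CDN/cloud providers a lookalike would imitate.
CDN_LABELS = {"cloudfront", "akamai", "fastly", "cloudflare", "azureedge"}
# Constructed: ASN each legitimate registrable domain is expected to resolve into.
EXPECTED_ASN = {"cloudfront.net": 16509, "akamai.net": 20940}
# Constructed: URL shortener / marketing redirect domains.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "rebrand.ly"}


def registrable_domain(fqdn):
    """Last two labels of the name (a simplification; a real rule uses the PSL)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else fqdn.lower()


def is_lookalike(fqdn, labels=CDN_LABELS, threshold=0.8):
    """True if the second-level label resembles, but is not, a known provider label.
    difflib similarity catches digit/letter swaps and appended/prepended tokens
    (cloudfr0nt, cdn-cloudfront); exact provider labels are never flagged."""
    sld = registrable_domain(fqdn).split(".")[0]
    if sld in labels:
        return False
    return any(difflib.SequenceMatcher(None, sld, lab).ratio() >= threshold
               for lab in labels)


def asn_mismatch(fqdn, resolved_asn, expected=EXPECTED_ASN):
    """True when the domain has a known home ASN and the resolution landed elsewhere."""
    if resolved_asn is None:
        return False
    exp = expected.get(registrable_domain(fqdn))
    return exp is not None and exp != resolved_asn


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; near 0 means a fixed-interval
    beacon. None when there are too few samples to judge."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return None
    return statistics.pstdev(gaps) / mean


def analyze(events, min_hits=4, max_cv=0.2):
    """Return sorted, de-duplicated (process, domain, reason) findings.
    events: dicts with keys ts (seconds), process, domain, asn."""
    findings = set()
    by_pair = defaultdict(list)
    for e in events:
        dom = e["domain"].lower()
        if is_lookalike(dom):
            findings.add((e["process"], dom, "lookalike_cdn_domain"))
        if asn_mismatch(dom, e.get("asn")):
            findings.add((e["process"], dom, "asn_mismatch"))
        by_pair[(e["process"], dom)].append(e["ts"])
    # Beaconing is judged per (process, domain) pair, only for shortener domains.
    for (proc, dom), ts in by_pair.items():
        if registrable_domain(dom) in SHORTENERS and len(ts) >= min_hits:
            cv = beacon_score(ts)
            if cv is not None and cv <= max_cv:
                findings.add((proc, dom, "beacon_to_url_shortener"))
    return sorted(findings)


# Constructed sample telemetry (process, queried domain, resolved ASN, timestamp).
SAMPLE_EVENTS = [
    {"ts": 0, "process": "powershell.exe", "domain": "cloudfr0nt.net", "asn": 64500},
    {"ts": 5, "process": "chrome.exe", "domain": "d1.cloudfront.net", "asn": 16509},
    {"ts": 9, "process": "svchost.exe", "domain": "img.akamai.net", "asn": 64496},
] + [
    {"ts": t, "process": "rundll32.exe", "domain": "bit.ly", "asn": 64501}
    for t in (0, 60, 120, 180, 240)          # fixed 60 s interval: beacon
] + [
    {"ts": t, "process": "slack.exe", "domain": "t.co", "asn": 64502}
    for t in (0, 50, 400, 410)               # irregular: human-driven clicks
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The provider label set is the knob that decides the false-positive rate: a legitimate provider domain whose registrable label is not in `CDN_LABELS` (for example a second brand name the same provider uses) scores as a lookalike, which is exactly the updater/telemetry case listed under falsepositives above. Seed it from the CDN and cloud domains actually observed in the environment rather than from a generic list, and keep the beacon check scoped to shortener and redirect domains so monitoring agents polling a fixed endpoint do not fire it.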
