Skip to content

DET0411 Detection Strategy for Hide Infrastructure

Item Value
ID DET0411
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1665 (Hide Infrastructure)

Analytics

Windows

AN1148

Monitor DNS queries, proxy logs, and user-agent strings for anomalous patterns associated with adversary attempts to hide infrastructure. Defenders may observe DNS resolutions to short-lived domains, abnormal WHOIS registration data, or filtering of known defensive/responder IP addresses.

Log Sources
Data Component Name Channel
Network Connection Creation (DC0082) WinEventLog:Security EventCode=5156, 5157
Domain Registration (DC0101) dns:query Excessive lookups for domains with suspicious WHOIS or short TTL values
Mutable Elements
Field Description
SuspiciousDomains List of domains registered with privacy-protected or suspicious WHOIS metadata.
ResponderIPs Known incident response or scanning infrastructure IP ranges.

Linux

AN1149

Detect adversaries filtering traffic or modifying server responses to evade scanning. Monitor iptables, nftables, or proxy configurations that deny or redirect requests from known scanning agents or defensive tools.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve: Execution of commands modifying iptables/nftables to block selective IPs
Response Metadata (DC0106) NSM:Flow Altered response metadata or blocked content based on user-agent or geolocation
Mutable Elements
Field Description
BlockedAgents User-agent strings or scanning tools to monitor for selective filtering.

macOS

AN1150

Monitor unified logs for manipulation of proxy configurations, DNS resolution, or filtering rules. Adversaries may redirect responses or use trusted domains that later resolve to malicious C2 infrastructure.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog System process modifications altering DNS/proxy settings
Response Content (DC0104) NSM:Flow Suspicious changes in TLS certificate responses or redirected domains
Mutable Elements
Field Description
TrustedHostingProviders Known hosting/CDN providers often abused to hide malicious C2 infrastructure.

Network Devices

AN1151

Inspect network telemetry for adversary attempts to blend malicious traffic with legitimate flows using VPNs, proxies, or geolocation spoofing. Defensive teams may observe anomalous tunnels, encrypted sessions to suspicious domains, or geo-mismatched IP activity.

Log Sources
Data Component Name Channel
Network Traffic Content (DC0085) NSM:Flow Encrypted tunnels or proxy traffic to non-standard destinations
Mutable Elements
Field Description
GeoIPRanges Regions to monitor for unexpected or mismatched geolocation activity.

ESXi

AN1152

Monitor VM-level DNS and network traffic logs for adversary-controlled domains or selective response behavior (e.g., dropped requests from security scanners).

Log Sources
Data Component Name Channel
Domain Registration (DC0101) esxi:vmkernel DNS lookups resolving to domains with rapid changes in registration metadata
Network Traffic Content (DC0085) esxi:vmkernel Suspicious traffic filtered or redirected by VM networking stack
Mutable Elements
Field Description
MonitoredVMs Targeted virtual machines where adversaries may attempt to hide C2 traffic.