Establish & Maintain Infrastructure
Establishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining the systems and services used to conduct cyber operations. An adversary needs infrastructure to communicate with and control the assets used throughout the course of an operation.
T1329: Acquire and/or use 3rd party infrastructure services
A wide variety of cloud, virtual private server (VPS), hosting, compute, and storage solutions are available, and botnets can be rented or purchased outright. Using these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and that can be rapidly provisioned, modified, and shut down.
T1330: Acquire and/or use 3rd party software services
A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, Google Docs). Using these services allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and that can be rapidly provisioned, modified, and shut down. Because the resulting traffic goes to widely used, reputable services, it also blends in with legitimate use.
T1332: Acquire or compromise 3rd party signing certificates
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece even if they don't know who issued the certificate or who the author is. A valid signature only proves that the code was signed with a particular key; if that key was stolen or the certificate was fraudulently obtained, the signature says nothing about the author's intent, so application allowlists should pin specific, expected signer identities rather than accept any signed binary.
T1328: Buy domain name
Domain names are the human-readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
T1334: Compromise 3rd party infrastructure to support delivery
Instead of buying, leasing, or renting infrastructure, an adversary may compromise existing infrastructure belonging to someone else and use it for some or all of the attack cycle.
T1339: Create backup infrastructure
Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable.
T1326: Domain registration hijacking
Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. Registrar-side transfer locks and alerting on WHOIS or nameserver changes are the usual safeguards against it.
Dynamic DNS is an automated method for rapidly updating the Domain Name System mapping of hostnames to IP addresses. It is a legitimate service, but it lets an adversary move a hostname between addresses without re-registering anything, which is convenient for relocating control servers.
T1336: Install and configure hardware, network, and systems
An adversary needs the skills to set up procured equipment and software and turn it into their desired infrastructure.
Obfuscation, in this context, means hiding the day-to-day building and testing of new tools, chat servers, and similar infrastructure so that this activity cannot be observed or attributed.
T1396: Obtain booter/stressor subscription
Configure and set up booter/stressor services, which are marketed as server stress-testing tools, to enable denial-of-service attacks against a target.
T1335: Procure required equipment and software
An adversary will require some physical hardware and software. They may need only a lightweight setup if most of their activities will take place on online infrastructure, or they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.
The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. Because the parent domain is legitimate and often has an established reputation, the new subdomains inherit that trust and are less likely to be blocked.
T1337: SSL certificate acquisition for domain
Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified that the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs). Domain-validated certificates are issued automatically to whoever controls a domain, so a valid certificate on a look-alike domain says nothing about who operates it.
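As an added example (not part of the original page), the following Python script screens candidate domains, for instance from a newly-registered-domain feed or Certificate Transparency logs, against a watch list of brand domains for the homoglyph, typosquat and brand-in-subdomain patterns described above. The watch list, the candidate names and the confusable mappings are constructed for illustration; a real deployment would use the full Unicode confusables table and the Public Suffix List instead of the shortcuts taken here.

```python
"""Look-alike domain detection against a brand watch list.

Added example; not code from the original page. The watch list, candidate
domains and confusable mappings are constructed for illustration. A
production version would use the full Unicode confusables table and the
Public Suffix List instead of the shortcuts taken here.
"""
import unicodedata

# Constructed watch list of domains whose look-alikes we care about.
WATCH_LIST = ("wachovia.com", "examplebank.com")

# Non-Latin letters that render like Latin ones (constructed, partial list).
SCRIPT_MAP = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u03bf": "o",
})
# Character pairs that imitate a single letter; applied before single chars.
MULTI = (("vv", "w"), ("rn", "m"), ("cl", "d"))
# Digits and symbols commonly swapped for letters, then the i/l/1 family.
SINGLE = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s", "3": "e", "$": "s"})
FAMILY = str.maketrans({"l": "i"})


def skeleton(label):
    """Reduce a label to a canonical form so visually similar labels compare equal."""
    s = unicodedata.normalize("NFKD", label.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    s = s.translate(SCRIPT_MAP)
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s.translate(SINGLE).translate(FAMILY)


def to_unicode(domain):
    """Decode Punycode (xn--) labels so script confusables can be inspected."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or malformed Punycode


def registrable(domain):
    """Crude split into (registrable domain, subdomain labels): last two labels.
    Real code should consult the Public Suffix List (e.g. for 'co.uk')."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, watch_list=WATCH_LIST):
    """Return (verdict, brand) for a suspicious candidate, or None if unrelated."""
    reg, subs = registrable(to_unicode(candidate))
    if reg in watch_list:
        return None  # the brand's own domain
    reg_label = reg.split(".")[0]
    for brand in watch_list:
        brand_label = brand.split(".")[0]
        if brand_label in subs:
            return ("brand-in-subdomain", brand)
        if reg_label == brand_label:
            return ("other-tld", brand)
        if skeleton(reg_label) == skeleton(brand_label):
            return ("homoglyph", brand)
        if levenshtein(reg_label, brand_label) <= 1:
            return ("typo", brand)
        if brand_label in reg_label:
            return ("brand-embedded", brand)
    return None


def scan(candidates, watch_list=WATCH_LIST):
    """Classify each candidate and keep only the ones that resemble a brand."""
    return [(c, *r) for c in candidates for r in [classify(c, watch_list)] if r]


if __name__ == "__main__":
    # Constructed candidates, e.g. from a newly registered domain feed.
    for hit in scan(["vvachovia.com", "wachovla.com", "w\u0430chovia.com",
                     "wachovia.com.login-update.net", "wachoviaa.com",
                     "wachovia-secure.com", "wachovia.net", "wachovia.com",
                     "example.org"]):
        print(hit)
```

The skeleton step is what catches vvachovia and the Cyrillic-a variant; the edit-distance and substring checks catch the plainer typosquats and brand-in-subdomain names that a skeleton comparison alone misses. Punycode input is decoded first so that an xn-- registration cannot hide a script swap.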
T1338: SSL certificate acquisition for trust breaking
Fraudulent certificates can be acquired by legal process or coercion, or an adversary can trick a Certificate Authority into issuing a certificate for a domain they do not control. Because such certificates chain to a trusted CA, clients accept them, and they can be used as part of man-in-the-middle (MITM) attacks. Monitoring Certificate Transparency logs for unexpected certificates on your own domains is the standard way to detect them.
T1327: Use multiple DNS infrastructures
A technique similar to Dynamic DNS, with the exception that the multiple DNS infrastructures used are likely to have WHOIS records.
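The Dynamic DNS, shadow-subdomain and multiple-DNS-infrastructure entries above all leave traces in DNS records. The following Python script, added here and not part of the original page, applies two heuristics to a constructed passive-DNS record set: hostnames whose address changes repeatedly inside a short window, and subdomains of a monitored zone that resolve outside the zone's known address ranges. The records, the zone and its address ranges are constructed (RFC 5737 documentation addresses); the churn window and threshold are assumptions to be tuned against real data.

```python
"""Passive-DNS heuristics for dynamic-DNS-style churn and shadowed subdomains.

Added example; not code from the original page. The records, monitored zone
and address ranges are constructed (RFC 5737 documentation ranges) to stand in
for a passive-DNS feed or the organisation's own resolver logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed observations: (first seen, name, A record).
RECORDS = [
    ("2024-03-01T00:00:00", "c2.dyn-example.net", "203.0.113.10"),
    ("2024-03-01T02:00:00", "c2.dyn-example.net", "203.0.113.20"),
    ("2024-03-01T04:00:00", "c2.dyn-example.net", "198.51.100.5"),
    ("2024-03-01T06:00:00", "c2.dyn-example.net", "192.0.2.77"),
    ("2024-02-01T00:00:00", "legit-example.com", "198.51.100.10"),
    ("2024-02-01T00:00:00", "www.legit-example.com", "198.51.100.10"),
    ("2024-03-02T09:00:00", "cdn.legit-example.com", "198.51.100.22"),
    ("2024-03-02T09:00:00", "login-verify.legit-example.com", "203.0.113.50"),
    ("2024-03-01T00:00:00", "stable.example.org", "192.0.2.1"),
    ("2024-03-05T00:00:00", "stable.example.org", "192.0.2.1"),
]

# Where the monitored zone is known to resolve (constructed baseline; in
# practice derived from the zone file or months of historical records).
ZONE_BASELINE = {"legit-example.com": [ipaddress.ip_network("198.51.100.0/24")]}


def parse(records):
    """Normalise raw tuples into (datetime, lower-case name, ip_address)."""
    return [(datetime.fromisoformat(ts), name.lower().rstrip("."),
             ipaddress.ip_address(ip)) for ts, name, ip in records]


def churn(records, window=timedelta(hours=24), min_ips=3):
    """Names whose A record pointed at >= min_ips distinct addresses inside
    any window-sized interval; returns {name: max distinct addresses}.
    Window and threshold are assumed values, not derived from the page."""
    by_name = defaultdict(list)
    for ts, name, ip in parse(records):
        by_name[name].append((ts, ip))
    flagged = {}
    for name, obs in by_name.items():
        obs.sort(key=lambda o: o[0])
        peak = 0
        for i, (start, _) in enumerate(obs):
            distinct = {ip for ts, ip in obs[i:] if ts - start <= window}
            peak = max(peak, len(distinct))
        if peak >= min_ips:
            flagged[name] = peak
    return flagged


def shadow_subdomains(records, baseline=ZONE_BASELINE):
    """Subdomains of a monitored zone that resolve outside the zone's baseline
    ranges: the pattern left behind when someone with the domain account's
    credentials quietly adds hosts under a legitimate domain."""
    findings = []
    for _, name, ip in parse(records):
        for zone, nets in baseline.items():
            if name.endswith("." + zone) and not any(ip in n for n in nets):
                findings.append((name, str(ip)))
    return sorted(set(findings))


if __name__ == "__main__":
    print("rapidly changing names:", churn(RECORDS))
    print("shadowed subdomains:", shadow_subdomains(RECORDS))
```

The churn check is deliberately indifferent to whether the name sits on a dynamic DNS provider or on several conventionally registered DNS infrastructures; either way the observable is a hostname that keeps moving. The shadow-subdomain check only works if the baseline is genuinely the zone's own footprint, so build it from the zone file or long-term history rather than from the same feed being inspected.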