Establish & Maintain Infrastructure

Establishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. An adversary will need to establish infrastructure used to communicate with and control assets used throughout the course of their operations.
ID: TA0022


Techniques: 16
T1329 Acquire and/or use 3rd party infrastructure services

A wide variety of cloud, virtual private server (VPS), hosting, compute, and storage solutions are available. Botnets are also available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and that can be rapidly provisioned, modified, and shut down.

T1330 Acquire and/or use 3rd party software services

A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, Google Docs). Use of these services allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and that can be rapidly provisioned, modified, and shut down.

T1332 Acquire or compromise 3rd party signing certificates

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.

T1328 Buy domain name

Domain names are the human-readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

T1334 Compromise 3rd party infrastructure to support delivery

Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure belonging to someone else and use it for some or all of the attack cycle.

T1339 Create backup infrastructure

Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable.

T1326 Domain registration hijacking

Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant.

T1333 Dynamic DNS

Dynamic DNS is an automated method to rapidly update the domain name system mapping of hostnames to IP addresses.

T1336 Install and configure hardware, network, and systems

An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure.

T1331 Obfuscate infrastructure

Obfuscating infrastructure means hiding the day-to-day building and testing of new tools, chat servers, and similar systems from observers so that this activity cannot be tied back to the adversary.

T1396 Obtain booter/stressor subscription

Configure and set up booter/stressor services, often marketed for server stress testing, to enable denial of service attacks.

T1335 Procure required equipment and software

An adversary will require some physical hardware and software. They may only need a lightweight setup if most of their activities will take place using online infrastructure. Alternatively, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.

T1340 Shadow DNS

The process (also called domain shadowing) of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.
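From the owner's side, shadowing shows up as zone records nobody on the team created. The following is an added example (not MITRE's code) that diffs two snapshots of a zone and annotates each new record with risk indicators: a name that did not exist before, an A/AAAA target outside the owner's address space, a CNAME that leaves the zone, and a short TTL. The zone name, the two snapshots and the owner's address ranges are constructed assumptions; in practice the snapshots come from your authoritative server (AXFR) or the registrar/DNS host's API.

```python
"""Detect domain shadowing by diffing two snapshots of a zone.

Added example, not from the page. The zone name, the two snapshots and the
owner's address ranges below are constructed assumptions.
"""
import ipaddress
from typing import List, NamedTuple

ZONE = "example.com."
# Address space the owner actually uses (constructed; documentation prefixes).
OWNER_NETS = [ipaddress.ip_network("203.0.113.0/24"),
              ipaddress.ip_network("2001:db8::/32")]

BASELINE_ZONE = """\
; constructed snapshot, yesterday
example.com.              3600 IN A     203.0.113.10
www.example.com.          3600 IN A     203.0.113.10
mail.example.com.         3600 IN A     203.0.113.25
example.com.              3600 IN MX    10 mail.example.com.
"""

CURRENT_ZONE = """\
; constructed snapshot, today: three records appeared overnight
example.com.              3600 IN A     203.0.113.10
www.example.com.          3600 IN A     203.0.113.10
mail.example.com.         3600 IN A     203.0.113.25
example.com.              3600 IN MX    10 mail.example.com.
login-secure.example.com.  300 IN A     198.51.100.77
cdn7.example.com.          300 IN CNAME evil-host.example.net.
blog.example.com.         3600 IN A     203.0.113.40
"""


class Record(NamedTuple):
    name: str
    ttl: int
    rtype: str
    rdata: str


class Finding(NamedTuple):
    record: Record
    reasons: List[str]


def parse_zone(text: str) -> List[Record]:
    """Parse one-line zone records of the form: name ttl class type rdata..."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(name.lower(), int(ttl), rtype.upper(),
                              " ".join(rdata).lower()))
    return records


def find_shadow_records(baseline: str, current: str, zone: str,
                        owner_nets) -> List[Finding]:
    """Records present in `current` but not in `baseline`, each with risk indicators."""
    before = parse_zone(baseline)
    known = {(r.name, r.rtype, r.rdata) for r in before}
    known_names = {r.name for r in before}
    findings = []
    for r in parse_zone(current):
        if (r.name, r.rtype, r.rdata) in known:
            continue
        reasons = []
        if r.name not in known_names:
            reasons.append("new subdomain")
        if r.rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(r.rdata)
            if not any(ip in net for net in owner_nets):
                reasons.append("target outside owner address space")
        elif r.rtype == "CNAME" and not r.rdata.endswith("." + zone):
            reasons.append("CNAME leaves the zone")
        if r.ttl <= 300:
            reasons.append("short TTL")
        findings.append(Finding(r, reasons))
    return findings


def suspicious(findings: List[Finding]) -> List[str]:
    """Names whose new records point somewhere the owner does not control."""
    return sorted(f.record.name for f in findings
                  if any(x.startswith(("target outside", "CNAME leaves"))
                         for x in f.reasons))


if __name__ == "__main__":
    for f in find_shadow_records(BASELINE_ZONE, CURRENT_ZONE, ZONE, OWNER_NETS):
        print(f"{f.record.name:26} {f.record.rtype:5} {f.record.rdata:24} "
              f"{', '.join(f.reasons) or 'no indicator'}")
```

Run this against the constructed snapshots and the two shadow records (login-secure and cdn7) are the only ones flagged as pointing outside the owner's control; blog.example.com is reported as new but carries no indicator, which is the case a human should still glance at.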

T1337 SSL certificate acquisition for domain

Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user into trusting the domain (e.g., vvachovia instead of Wachovia, where two v's read as a w; such visually similar characters are known as homoglyphs).
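Because every publicly trusted certificate is logged, a defender can triage new certificate subjects against a list of protected brands. The following is an added example (not MITRE's code): it decodes punycode labels, collapses each subject to a "skeleton" in which visually similar spellings become the same ASCII string (so vvachovia and wachovia from the text above compare equal), and then looks for exact homoglyph matches, one-letter typos, and brands embedded in longer labels. The confusables tables, the brand list and the sample subjects are constructed assumptions; a real deployment would read subjects from a Certificate Transparency feed and use a far larger confusables table.

```python
"""Lookalike-domain triage for new certificate subjects.

Added example (not MITRE's code). The confusables tables, the brand list and
the sample subjects are constructed assumptions.
"""
import unicodedata
from typing import Dict, List, Optional, Tuple

# Single characters that render like a Latin letter (constructed subset).
SINGLE_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c y x i
    "\u03bf": "o",                                               # Greek omicron
}
# Letter pairs that read as one letter in many fonts (constructed subset).
MULTI_CONFUSABLES = {"vv": "w", "rn": "m", "cl": "d"}

PROTECTED_BRANDS = ["wachovia.com", "apple.com"]

# Constructed certificate subjects, as a CT monitor would see them.
SAMPLE_CERT_SUBJECTS = [
    "www.wachovia.com",      # the genuine site
    "vvachovia.com",         # "vv" for "w", the homoglyph from the text above
    "wach0via-login.net",    # digit zero for "o", brand embedded in a longer label
    "xn--pple-43d.com",      # punycode of Cyrillic "a" (U+0430) followed by "pple"
    "wachoviia.com",         # one-letter typo
    "example.org",           # unrelated
]


def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode; leave others alone."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def skeleton(domain: str) -> str:
    """Collapse a domain to the ASCII string a person would read it as."""
    out = []
    for label in domain.lower().rstrip(".").split("."):
        label = decode_label(label).lower()
        # NFKD splits accents into combining marks, which are then dropped.
        label = "".join(c for c in unicodedata.normalize("NFKD", label)
                        if not unicodedata.combining(c))
        label = "".join(SINGLE_CONFUSABLES.get(c, c) for c in label)
        for seq, rep in MULTI_CONFUSABLES.items():
            label = label.replace(seq, rep)
        out.append(label)
    return ".".join(out)


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands: List[str]) -> Optional[Tuple[str, str]]:
    """(reason, brand) when `domain` imitates a brand, else None.
    Brands are registrable domains; their own apex and subdomains are never flagged."""
    d = domain.lower().rstrip(".")
    sk = skeleton(d)
    labels = sk.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]   # second-level label
    for brand in brands:
        brand = brand.lower()
        if d == brand or d.endswith("." + brand):
            return None                          # genuine hostname
        bsk = skeleton(brand)
        if sk == bsk or sk.endswith("." + bsk):
            return ("homoglyph", brand)          # reads the same, spelled differently
        blabel = bsk.split(".")[0]
        if levenshtein(sld, blabel) == 1:
            return ("typosquat", brand)
        if any(blabel in lab for lab in labels):
            return ("brand_embedded", brand)     # e.g. wachovia-login.net
    return None


def triage(subjects: List[str], brands: List[str]) -> Dict[str, Tuple[str, str]]:
    return {s: v for s in subjects for v in [classify(s, brands)] if v}


if __name__ == "__main__":
    for subject, (reason, brand) in triage(SAMPLE_CERT_SUBJECTS, PROTECTED_BRANDS).items():
        print(f"{subject:22} {reason:15} imitates {brand}")
```

The skeleton step is deliberately lossy: a legitimate name containing "rn" or "vv" collapses the same way as an attacker's, which is exactly what makes the comparison catch lookalikes. Short brand labels will produce noise through the brand_embedded rule ("apple" inside "pineapple.com"), so treat the output as a triage queue rather than an alert.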

T1338 SSL certificate acquisition for trust breaking

Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks.

T1327 Use multiple DNS infrastructures

A technique similar to Dynamic DNS, with the exception that domains spread across multiple DNS infrastructures are likely to have WHOIS records of their own.
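Both Dynamic DNS (T1333) and the use of multiple DNS infrastructures (T1327) leave a footprint in passive-DNS data: a hostname whose answers change rapidly across unrelated networks with short TTLs, and a hostname whose authoritative answers are served by more than one provider. The following is an added example (not MITRE's code) that summarizes constructed passive-DNS observations per hostname and applies both checks. The observations, the thresholds, and the "last two labels" approximation of a nameserver's operator are assumptions; a real deployment would use the Public Suffix List and ASN data rather than /24 blocks and label counting.

```python
"""Passive-DNS churn analysis: fast-flux style hostnames and multi-provider DNS.

Added example, not from the page. Observations, thresholds and the provider
approximation are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List, NamedTuple

PASSIVE_DNS_LOG = """\
# constructed: time  qname  answer  ttl  authoritative-nameserver
2024-05-01T00:00:05Z c2.update-service.example 198.51.100.5   60   ns1.dyn-provider.example
2024-05-01T00:05:10Z c2.update-service.example 203.0.113.77   60   ns1.dyn-provider.example
2024-05-01T00:12:33Z c2.update-service.example 192.0.2.19     60   ns2.other-dns.example
2024-05-01T00:20:41Z c2.update-service.example 198.51.100.210 60   ns2.other-dns.example
2024-05-01T00:31:02Z c2.update-service.example 192.0.2.140    60   ns1.dyn-provider.example
2024-05-01T00:44:59Z c2.update-service.example 203.0.113.8    60   ns1.dyn-provider.example
2024-05-01T00:00:30Z www.static-site.example   203.0.113.10   3600 ns1.static-site.example
2024-05-01T00:30:30Z www.static-site.example   203.0.113.10   3600 ns1.static-site.example
2024-05-01T00:02:00Z assets.legit-cdn.example  198.51.100.20  300  ns1.legit-cdn.example
2024-05-01T00:09:00Z assets.legit-cdn.example  198.51.100.21  300  ns1.legit-cdn.example
2024-05-01T00:16:00Z assets.legit-cdn.example  198.51.100.22  300  ns1.legit-cdn.example
2024-05-01T00:23:00Z assets.legit-cdn.example  198.51.100.23  300  ns1.legit-cdn.example
2024-05-01T00:30:00Z assets.legit-cdn.example  198.51.100.24  300  ns1.legit-cdn.example
"""


class Observation(NamedTuple):
    ts: datetime
    qname: str
    ip: str
    ttl: int
    ns: str


class HostStats(NamedTuple):
    ips_in_window: int            # most distinct answers seen inside one window
    distinct_nets: int            # distinct /24s across all answers
    min_ttl: int
    ns_providers: FrozenSet[str]  # operator domains of the nameservers used


def parse_log(text: str) -> List[Observation]:
    obs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, qname, ip, ttl, ns = line.split()
        obs.append(Observation(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               qname.lower(), ip, int(ttl), ns.lower()))
    return obs


def provider(ns: str) -> str:
    """Approximate the nameserver's operator by its last two labels (assumption)."""
    return ".".join(ns.rstrip(".").split(".")[-2:])


def summarize(obs: List[Observation],
              window: timedelta = timedelta(hours=1)) -> Dict[str, HostStats]:
    by_name: Dict[str, List[Observation]] = defaultdict(list)
    for o in obs:
        by_name[o.qname].append(o)
    stats = {}
    for qname, rows in by_name.items():
        rows.sort(key=lambda o: o.ts)
        # Slide a window over the observations and keep the largest answer set.
        best = 0
        for i, start in enumerate(rows):
            ips = {o.ip for o in rows[i:] if o.ts - start.ts <= window}
            best = max(best, len(ips))
        nets = {ipaddress.ip_network(o.ip + "/24", strict=False) for o in rows}
        stats[qname] = HostStats(best, len(nets), min(o.ttl for o in rows),
                                 frozenset(provider(o.ns) for o in rows))
    return stats


def flag_fast_flux(stats, min_ips=5, min_nets=3, max_ttl=300) -> List[str]:
    """Many answers spread over several networks with short TTLs: DNS churn.
    The /24 requirement keeps a CDN rotating within one block from matching."""
    return sorted(q for q, s in stats.items()
                  if s.ips_in_window >= min_ips and s.distinct_nets >= min_nets
                  and s.min_ttl <= max_ttl)


def flag_multi_dns_infra(stats, min_providers=2) -> List[str]:
    """Hostnames whose authoritative answers came from more than one DNS operator."""
    return sorted(q for q, s in stats.items()
                  if len(s.ns_providers) >= min_providers)


if __name__ == "__main__":
    st = summarize(parse_log(PASSIVE_DNS_LOG))
    print("fast-flux candidates:", flag_fast_flux(st))
    print("multiple DNS infrastructures:", flag_multi_dns_infra(st))
```

On the constructed data only c2.update-service.example trips either check: the CDN hostname rotates through just as many addresses but stays inside one /24 and one provider, which is why the network-spread condition matters more than the raw answer count.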