Establish & Maintain Infrastructure

Establishing and maintaining infrastructure consists of building, purchasing, co-opting, and maintaining systems and services used to conduct cyber operations. An adversary will need to establish infrastructure used to communicate with and control assets used throughout the course of their operations.

ID: TA0022
Created: 17 October 2018
Last Modified: 17 October 2018


Techniques: 16
ID Name Description
T1329 Acquire and/or use 3rd party infrastructure services A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.
T1330 Acquire and/or use 3rd party software services A wide variety of 3rd party software services are available (e.g., Twitter, Dropbox, GoogleDocs). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down.
T1332 Acquire or compromise 3rd party signing certificates Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don't know who issued the certificate or who the author is.
T1328 Buy domain name Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.
T1334 Compromise 3rd party infrastructure to support delivery Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle.
T1339 Create backup infrastructure Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable.
T1326 Domain registration hijacking Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant.
T1333 Dynamic DNS Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs.
T1336 Install and configure hardware, network, and systems An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure.
T1331 Obfuscate infrastructure Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc.
T1396 Obtain booter/stressor subscription Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks.
T1335 Procure required equipment and software An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.
T1340 Shadow DNS The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner.
T1337 SSL certificate acquisition for domain Certificates are designed to instill trust. They include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of Wachovia -- homoglyphs).
T1338 SSL certificate acquisition for trust breaking Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks.
T1327 Use multiple DNS infrastructures A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records.