Acquire and/or use 3rd party infrastructure services

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally, botnets are available for rent or purchase. Use of these solutions allows an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. [1]

ID: T1307
Tactic: Adversary Opsec
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Similar Techniques by Tactic

Tactic: Establish & Maintain Infrastructure
Technique: Acquire and/or use 3rd party infrastructure services

Procedure Examples

Name: Night Dragon
Description: Night Dragon used servers in China, the U.S., and the Netherlands in an attempt to hide their operations. [2]

Detection

Detectable by Common Defenses (Yes/No/Partial): No

Explanation: 3rd party services are highly leveraged by legitimate services, so adversary use is hard to distinguish from background noise. While an adversary can use their own infrastructure, most know this is a sure-fire way to get caught. To add degrees of separation, they can buy or rent from another adversary or accomplice.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Wide range of 3rd party services for hosting, rotating, or moving C2, static data, exploits, exfiltration, etc.

References

  1. Forward-Looking Threat Research Team. (2012). LUCKYCAT REDUX: Inside an APT Campaign with Multiple Targets in India and Japan. Retrieved March 1, 2017.