Compromise 3rd party infrastructure to support delivery

Instead of buying, leasing, or renting infrastructure, an adversary may compromise existing infrastructure and use it for some or all of the attack cycle. [1] [2]

ID: T1334

Tactic: Establish & Maintain Infrastructure

Version: 1.0

Similar Techniques by Tactic

Adversary Opsec: Compromise 3rd party infrastructure to support delivery



APT1 compromised a vast set of 3rd party victim hop points as part of their network infrastructure.[3]


APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.[4]


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: The defender will not have visibility into 3rd party sites unless a target is successfully enticed to visit one.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: This is currently a commonly used technique (e.g., WordPress sites) as precursor activity to launching an attack against the intended target (e.g., acquiring a botnet or layers of proxies to reduce attribution possibilities).


  1. Pierluigi Paganini. (2014, February 15). FireEye discovered a new watering hole attack based on 0-day exploit. Retrieved March 1, 2017.
  2. Darien Kindlund, Xiaobo Chen, Mike Scott, Ned Moran, Dan Caselden. (2014, February 13). Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website. Retrieved March 28, 2017.