Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[1] Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.[2] Additionally, botnets are available for rent or purchase.
Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support Proxy, including from residential proxy services.[3][4][5] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.
| ID | Name | Description |
|---|---|---|
| G1030 | Agrius |
Agrius typically uses commercial VPN services for anonymizing last-hop traffic to victim networks, such as ProtonVPN.[6] |
| G1003 | Ember Bear |
Ember Bear uses services such as IVPN, SurfShark, and Tor to add anonymization to operations.[7] |
| G0119 | Indrik Spider |
Indrik Spider has purchased access to victim VPNs to facilitate access to victim environments.[8] |
| G0094 | Kimsuky |
Kimsuky has used funds from stolen and laundered cryptocurrency to acquire operational infrastructure.[9] |
| G0034 | Sandworm Team |
Sandworm Team used various third-party email campaign management services to deliver phishing emails.[10] |
| G1033 | Star Blizzard |
Star Blizzard has used HubSpot and MailerLite marketing platform services to hide the true sender of phishing emails.[11] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0038 | Domain Name | Active DNS |
Monitor for queried domain name system (DNS) registry data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| Domain Registration |
Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
||
| Passive DNS |
Monitor for logged domain name system (DNS) data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
||
| DS0035 | Internet Scan | Response Content |
Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[12][13][14] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |
| Response Metadata |
Monitor for contextual data about an Internet-facing resource gathered from a scan, such as running services or ports that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control. |