Acquire Infrastructure: Server
Other sub-techniques of Acquire Infrastructure (6)
| ID | Name |
|---|---|
| T1583.001 | Domains |
| T1583.002 | DNS Server |
| T1583.003 | Virtual Private Server |
| T1583.004 | Server |
| T1583.005 | Botnet |
| T1583.006 | Web Services |
Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.
Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.[1]
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0093 | GALLIUM |
GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2] |
| G0034 | Sandworm Team |
Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[3] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.