Acquire Infrastructure: Server

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.[1]

ID: T1583.004
Sub-technique of:  T1583
Platforms: PRE
Contributors: Dor Edry, Microsoft
Version: 1.2
Created: 01 October 2020
Last Modified: 12 April 2023

Procedure Examples

ID Name Description
G1006 Earth Lusca

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.[2]


GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[3]

G0094 Kimsuky

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.[4]

C0002 Night Dragon

During Night Dragon, threat actors purchased hosted services to use for C2.[5]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[6]

C0006 Operation Honeybee

For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.[7]

C0014 Operation Wocao

For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation.[8]

G0034 Sandworm Team

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[9]


ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.


ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[10][11][12]

Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.