1. Home
  2. Techniques
  3. Enterprise
  4. Acquire Infrastructure
  5. Server

Acquire Infrastructure: Server

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services
T1583.007 Serverless
T1583.008 Malvertising

Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.[1][2]

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.[3]

ID: T1583.004
Sub-technique of:  T1583
Tactic: Resource Development
Platforms: PRE
Contributors: Dor Edry, Microsoft
Version: 1.3
Created: 01 October 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G1012 CURIUM

CURIUM has created dedicated servers for command and control and exfiltration purposes.[4]
G1006 Earth Lusca

Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role.[5]
G0093 GALLIUM

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[6]
G0094 Kimsuky

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.[7]
G1020 Mustard Tempest

Mustard Tempest has acquired servers to host second-stage payloads that remain active for a period of either days, weeks, or months.[8]
C0002 Night Dragon

During Night Dragon, threat actors purchased hosted services to use for C2.[9]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools.[10]
C0006 Operation Honeybee

For Operation Honeybee, at least one identified persona was used to register for a free account for a control server.[11]

C0014 Operation Wocao

For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation.[12]
G0034 Sandworm Team

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[13]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[14][15][16]
Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References

  1. Gamazo, William. Quist, Nathaniel.. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
  2. Clark, Michael. (2023, August 14). Google’s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.
  3. William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
  4. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  6. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  7. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  8. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  1. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  2. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  3. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  4. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  5. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  6. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  7. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  8. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.