1. Home
  2. Techniques
  3. Enterprise
  4. Compromise Infrastructure
  5. Server

Compromise Infrastructure: Server

ID Name
T1584.001 Domains
T1584.002 DNS Server
T1584.003 Virtual Private Server
T1584.004 Server
T1584.005 Botnet
T1584.006 Web Services
T1584.007 Serverless
T1584.008 Network Devices

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.[1] Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations.

ID: T1584.004
Sub-technique of:  T1584
Tactic: Resource Development
Platforms: PRE
Contributors: Dor Edry, Microsoft
Version: 1.2
Created: 01 October 2020
Last Modified: 15 April 2025
Version Permalink

Procedure Examples

ID Name Description
G0023 APT16

APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.[2]
G1034 Daggerfly

Daggerfly compromised web servers hosting updates for software as part of a supply chain intrusion.[3]
G0035 Dragonfly

Dragonfly has compromised legitimate websites to host C2 and malware modules.[4]
G1006 Earth Lusca

Earth Lusca has used compromised web servers as part of their operational infrastructure.[1]
G0119 Indrik Spider

Indrik Spider has served fake updates via legitimate websites that have been compromised.[5]

C0044 Juicy Mix

During Juicy Mix, OilRig compromised an Israeli job portal to use for a C2 server.[6]
G0032 Lazarus Group

Lazarus Group has compromised servers to stage malicious tools.[7]
G0065 Leviathan

Leviathan has used compromised legitimate websites as command and control nodes for operations.[8]
C0002 Night Dragon

During Night Dragon, threat actors compromised web servers to use for C2.[9]
C0022 Operation Dream Job

For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.[10][11][12]
C0013 Operation Sharpshooter

For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.[13]
C0042 Outer Space

During Outer Space, OilRig compromised an Israeli human resources site to use as a C2 server.[6]
G0034 Sandworm Team

Sandworm Team compromised legitimate Linux servers running the EXIM mail transfer agent for use in subsequent campaigns.[14][15]
G0010 Turla

Turla has used compromised servers as infrastructure.[16][17][18]
G1017 Volt Typhoon

Volt Typhoon has used compromised Paessler Router Traffic Grapher (PRTG) servers from other organizations for C2.[19][20]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[21][22][23]
Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References

  1. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  2. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  3. Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
  4. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  5. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  6. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  7. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  8. CISA et al. (2024, July 8). People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action. Retrieved February 3, 2025.
  9. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  10. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  11. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  12. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  1. I. Ilascu. (2019, March 3). Op 'Sharpshooter' Connected to North Korea's Lazarus Group. Retrieved September 26, 2022.
  2. National Security Agency. (2020, March 28). Sandworm Actors Exploiting Vulnerability In EXIM Mail Transfer Agent. Retrieved March 1, 2024.
  3. Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.
  4. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  5. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  6. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  7. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  8. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  9. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  10. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  11. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.