|T1584.003||Virtual Private Server|
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.
Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations.
APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.
Dragonfly has compromised legitimate websites to host C2 and malware modules.
Earth Lusca has used compromised web servers as part of their operational infrastructure.
Indrik Spider has served fake updates via legitimate websites that have been compromised.
Lazarus Group has compromised servers to stage malicious tools.
During Night Dragon, threat actors compromised web servers to use for C2.
|C0022||Operation Dream Job||
For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools.
For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.
Turla has used compromised servers as infrastructure.
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
|ID||Data Source||Data Component||Detects|
|DS0035||Internet Scan||Response Content||
Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.