1. Home
  2. Techniques
  3. Enterprise
  4. Acquire Infrastructure
  5. Server

Acquire Infrastructure: Server

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.[1]

ID: T1583.004
Sub-technique of:  T1583
Tactic: Resource Development
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
G0093 GALLIUM

GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.[2]
G0141 Gelsemium

Gelsemium has established infrastructure through renting servers at multiple providers worldwide.[3]
G0094 Kimsuky

Kimsuky has purchased hosting servers with virtual currency and prepaid cards.[4]
G0032 Lazarus Group

Lazarus Group has acquired servers to host their malicious tools.[5]
G0034 Sandworm Team

Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.[6]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan Response Content
Response Metadata

Once adversaries have provisioned a server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[7][8][9]

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References

  1. William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
  2. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  3. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  4. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  5. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  1. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  2. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  3. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
  4. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.