Skip to content

T1583.003 Virtual Private Server

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.1

Item Value
ID T1583.003
Sub-techniques T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008
Tactics TA0042
Platforms PRE
Version 1.1
Created 01 October 2020
Last Modified 17 October 2021

Procedure Examples

ID Name Description
G0001 Axiom Axiom has used VPS hosting providers in targeting of intended victims.6
G0035 Dragonfly Dragonfly has acquired VPS infrastructure for use in malicious campaigns.8
G0125 HAFNIUM HAFNIUM has operated from leased virtual private servers (VPS) in the United States.5
G1004 LAPSUS$ LAPSUS$ has used VPS hosting providers for infrastructure.9
G0088 TEMP.Veles TEMP.Veles has used Virtual Private Server (VPS) infrastructure.7

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan Response Content

References