T1583.003 Virtual Private Server
Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.
Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.1
| Item | Value |
|---|---|
| ID | T1583.003 |
| Sub-techniques | T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 01 October 2020 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0001 | Axiom | Axiom has used VPS hosting providers in targeting of intended victims.8 |
| G0035 | Dragonfly | Dragonfly has acquired VPS infrastructure for use in malicious campaigns.6 |
| G0125 | HAFNIUM | HAFNIUM has operated from leased virtual private servers (VPS) in the United States.5 |
| G0088 | TEMP.Veles | TEMP.Veles has used Virtual Private Server (VPS) infrastructure.7 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0035 | Internet Scan | Response Content |
References
-
Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017. ↩
-
ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. ↩
-
Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. ↩
-
Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. ↩
-
MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. ↩
-
Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. ↩
-
Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. ↩
-
Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. ↩