T1583.004 Server
Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations.
Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. [4]
Item | Value |
---|---|
ID | T1583.004 |
Sub-techniques | T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008 |
Tactics | TA0042 |
Platforms | PRE |
Version | 1.2 |
Created | 01 October 2020 |
Last Modified | 12 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G1006 | Earth Lusca | Earth Lusca has acquired multiple servers for some of their operations, using each server for a different role. [5] |
G0093 | GALLIUM | GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM. [7] |
G0094 | Kimsuky | Kimsuky has purchased hosting servers with virtual currency and prepaid cards. [8] |
C0002 | Night Dragon | During Night Dragon, threat actors purchased hosted services to use for C2. [9] |
C0022 | Operation Dream Job | During Operation Dream Job, Lazarus Group acquired servers to host their malicious tools. [11] |
C0006 | Operation Honeybee | For Operation Honeybee, at least one identified persona was used to register for a free account for a control server. [12] |
C0014 | Operation Wocao | For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation. [10] |
G0034 | Sandworm Team | Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations. [6] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0035 | Internet Scan | Response Content |
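The Response Content data component above refers to what a server returns when an internet-wide scanner probes it (HTTP status line and headers, TLS certificate subject). Defenders can compare exported scan records against profiles of server configurations they track and triage the hits before the infrastructure is used against them. The following is an added illustration of that matching step and is not ATT&CK content or any vendor's tooling; the scan records, the two fingerprint profiles, and the field names (`status_line`, `headers`, `tls_subject`) are all constructed for this example and do not correspond to any real product or threat actor.

```python
"""Match internet-scan response content against analyst-maintained server profiles.

Added example (not from ATT&CK). Scan records and fingerprints below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fingerprint:
    """Analyst-defined profile of a server configuration worth tracking."""
    name: str
    status_line: Optional[str] = None                                  # regex on HTTP status line
    required_headers: Dict[str, str] = field(default_factory=dict)     # header -> regex on value
    absent_headers: List[str] = field(default_factory=list)            # headers that must NOT appear
    cert_subject: Optional[str] = None                                 # regex on TLS cert subject


def _norm(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise keys once per record."""
    return {k.lower(): v for k, v in headers.items()}


def matches(record: dict, fp: Fingerprint) -> bool:
    """Return True when every constraint in the profile holds for the scan record."""
    headers = _norm(record.get("headers", {}))
    if fp.status_line and not re.search(fp.status_line, record.get("status_line", "")):
        return False
    for name, pattern in fp.required_headers.items():
        value = headers.get(name.lower())
        if value is None or not re.search(pattern, value):
            return False
    if any(name.lower() in headers for name in fp.absent_headers):
        return False
    if fp.cert_subject and not re.search(fp.cert_subject, record.get("tls_subject", "")):
        return False
    return True


def hunt(records: List[dict], fingerprints: List[Fingerprint]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, profile name) for every record that matches a profile."""
    hits = []
    for rec in records:
        for fp in fingerprints:
            if matches(rec, fp):
                hits.append((rec["ip"], rec["port"], fp.name))
    return hits


# Constructed (hypothetical) profiles; the names and constraints are illustrative only.
FINGERPRINTS = [
    Fingerprint(
        name="HYPOTHETICAL-PROFILE-A",
        status_line=r"^HTTP/1\.1 404 ",
        required_headers={"Content-Type": r"^text/plain$", "Content-Length": r"^0$"},
        absent_headers=["Server"],           # listener answers without identifying itself
        cert_subject=r"CN=localhost",        # self-signed certificate left at its default subject
    ),
    Fingerprint(
        name="HYPOTHETICAL-PROFILE-B",
        status_line=r"^HTTP/1\.1 200 ",
        required_headers={"Server": r"^Apache$"},   # version string stripped
        cert_subject=r"CN=localhost",
    ),
]

# Constructed scan export using documentation address ranges (RFC 5737).
SCAN_EXPORT = [
    {"ip": "192.0.2.10", "port": 443, "status_line": "HTTP/1.1 404 Not Found",
     "headers": {"Content-Type": "text/plain", "Content-Length": "0"},
     "tls_subject": "CN=localhost"},                           # matches profile A
    {"ip": "192.0.2.11", "port": 443, "status_line": "HTTP/1.1 200 OK",
     "headers": {"Server": "nginx/1.18.0", "Content-Type": "text/html"},
     "tls_subject": "CN=www.example.com"},                     # ordinary web server, no match
    {"ip": "198.51.100.7", "port": 8443, "status_line": "HTTP/1.1 200 OK",
     "headers": {"Server": "Apache", "Content-Type": "text/html"},
     "tls_subject": "CN=localhost"},                           # matches profile B, fails A (Server present)
    {"ip": "198.51.100.8", "port": 443, "status_line": "HTTP/1.1 404 Not Found",
     "headers": {"Content-Type": "text/plain", "Content-Length": "0"},
     "tls_subject": "CN=mail.example.net"},                    # fails A on certificate subject
]

if __name__ == "__main__":
    for ip, port, name in hunt(SCAN_EXPORT, FINGERPRINTS):
        print(f"{ip}:{port} matches {name}")
```

A hit from this kind of matching is a lead, not a verdict: generic server defaults produce false positives, so hits are normally enriched with hosting provider, certificate history and first-seen dates, and corroborated against other sources before being treated as adversary infrastructure.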
References
1. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
2. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
3. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
4. William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
6. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
7. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
8. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
9. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
10. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020.
11. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
12. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.