T1584.003 Virtual Private Server
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.1
Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.
| Item | Value |
|---|---|
| ID | T1584.003 |
| Sub-techniques | T1584.001, T1584.002, T1584.003, T1584.004, T1584.005, T1584.006, T1584.007 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 01 October 2020 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0010 | Turla | Turla has used the VPS infrastructure of compromised Iranian threat actors.1 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0035 | Internet Scan | Response Content |
References
-
NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020. ↩↩
-
ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. ↩
-
Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021. ↩
-
Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021. ↩