T1584.004 Compromise Infrastructure: Server
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.
Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations.
Item | Value |
---|---|
ID | T1584.004 |
Sub-technique of | T1584 (Compromise Infrastructure); sibling sub-techniques: T1584.001, T1584.002, T1584.003, T1584.005, T1584.006, T1584.007 |
Tactics | TA0042 |
Platforms | PRE |
Version | 1.2 |
Created | 01 October 2020 |
Last Modified | 13 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0023 | APT16 | APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads. [8] |
G0035 | Dragonfly | Dragonfly has compromised legitimate websites to host C2 and malware modules. [9] |
G1006 | Earth Lusca | Earth Lusca has used compromised web servers as part of their operational infrastructure. [10] |
G0119 | Indrik Spider | Indrik Spider has served fake updates via legitimate websites that have been compromised. [11] |
G0032 | Lazarus Group | Lazarus Group has compromised servers to stage malicious tools. [4] |
C0002 | Night Dragon | During Night Dragon, threat actors compromised web servers to use for C2. [16] |
C0022 | Operation Dream Job | For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools. [15][13][14] |
C0013 | Operation Sharpshooter | For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure. [12] |
G0010 | Turla | Turla has used compromised servers as infrastructure. [5][6][7] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0035 | Internet Scan | Response Content |
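The only data source listed above is Internet Scan: Response Content, which is the defender's one vantage point on infrastructure compromised outside the enterprise boundary. The hard part with this sub-technique is that the host itself looks clean: the domain has history, the certificate on 443 is legitimate, and reputation feeds say nothing. The signal is therefore the artifact the adversary's C2 software leaves in the scan response (listener behaviour, certificate fields, TLS fingerprint), not the reputation of the host. The script below is an added example for this section, not MITRE's or any vendor's tooling. Every value in it is constructed: the IPs, hostnames, certificate subject and serial, JARM string and the rule thresholds are placeholders, and a real hunt would load indicators from sources such as references [1] through [3] rather than the hard-coded sets here. It scores each scanned port against a small rule set and then classifies each IP as a dedicated C2 host or, when the same IP also serves a normal-looking site, as C2 hosted on a compromised legitimate server.

```python
"""Hunt for C2 artifacts in internet-scan response content (ATT&CK T1584.004).

Added example, not code from the ATT&CK page. All scan records and indicator
values below are constructed placeholders, not real-world indicators.
"""
from __future__ import annotations

import json
from typing import Callable

# Constructed scan records in a Shodan-like banner shape: one record per
# (ip, port) with the parsed HTTP response and TLS certificate details.
SCAN_RECORDS_JSON = r"""
[
  {"ip": "203.0.113.10", "port": 443, "hostnames": ["www.example-charity.org"],
   "http": {"status": 200,
            "headers": {"Server": "Apache/2.4.41", "Content-Length": "5120"},
            "body": "<link rel=\"stylesheet\" href=\"/wp-content/themes/site/style.css\">"},
   "tls": {"subject": "CN=www.example-charity.org", "serial": "0a1b2c3d",
           "jarm": "constructed-jarm-benign-0001"}},
  {"ip": "203.0.113.10", "port": 8443, "hostnames": ["www.example-charity.org"],
   "http": {"status": 404,
            "headers": {"Content-Length": "0", "Date": "Mon, 01 Jan 2024 00:00:00 GMT"},
            "body": ""},
   "tls": {"subject": "CN=Default C2 Listener (constructed)", "serial": "0f0f0f0f",
           "jarm": "constructed-jarm-c2-0001"}},
  {"ip": "198.51.100.7", "port": 80, "hostnames": [],
   "http": {"status": 404, "headers": {"Content-Length": "0"}, "body": ""}},
  {"ip": "192.0.2.44", "port": 443, "hostnames": ["shop.example.net"],
   "http": {"status": 200,
            "headers": {"Server": "nginx/1.24.0", "Content-Length": "8120"},
            "body": "<html><title>Example Shop</title></html>"},
   "tls": {"subject": "CN=shop.example.net", "serial": "11223344",
           "jarm": "constructed-jarm-benign-0002"}}
]
"""

# Constructed indicator sets. Replace with indicators from your own intel.
KNOWN_C2_CERT_SUBJECTS = {"CN=Default C2 Listener (constructed)"}
KNOWN_C2_JARMS = {"constructed-jarm-c2-0001"}


def _header(rec: dict, name: str) -> str | None:
    """Case-insensitive lookup of an HTTP response header in a scan record."""
    headers = (rec.get("http") or {}).get("headers") or {}
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def empty_404_no_server(rec: dict) -> bool:
    """Bare 404 with zero body and no Server header: a listener that answers
    only to its own client and identifies as nothing (constructed rule)."""
    http = rec.get("http")
    if not http:
        return False
    return (http.get("status") == 404
            and _header(rec, "Content-Length") == "0"
            and _header(rec, "Server") is None)


def default_c2_cert_subject(rec: dict) -> bool:
    """Certificate subject left at a known tool default."""
    tls = rec.get("tls")
    return bool(tls) and tls.get("subject") in KNOWN_C2_CERT_SUBJECTS


def known_c2_jarm(rec: dict) -> bool:
    """TLS negotiation fingerprint (JARM) matching a known C2 server profile."""
    tls = rec.get("tls")
    return bool(tls) and tls.get("jarm") in KNOWN_C2_JARMS


# Rule order is the order in which hits are reported.
C2_RULES: dict[str, Callable[[dict], bool]] = {
    "empty_404_no_server": empty_404_no_server,
    "default_c2_cert_subject": default_c2_cert_subject,
    "known_c2_jarm": known_c2_jarm,
}


def looks_like_legitimate_site(rec: dict) -> bool:
    """Triage heuristic: a named host serving a normal 200 with a Server header.
    Used only to tell 'compromised legitimate server' from 'dedicated C2'."""
    http = rec.get("http") or {}
    return (http.get("status") == 200
            and bool(rec.get("hostnames"))
            and _header(rec, "Server") is not None)


def hunt_c2(records: list[dict], rules: dict[str, Callable[[dict], bool]] = C2_RULES) -> dict[str, dict]:
    """Return, per IP with at least one rule hit, the matched rules per port,
    the ports that look like a legitimate site, and a verdict."""
    per_ip: dict[str, dict] = {}
    for rec in records:
        entry = per_ip.setdefault(rec["ip"], {"hits": {}, "legit_ports": []})
        matched = [name for name, pred in rules.items() if pred(rec)]
        if matched:
            entry["hits"][rec["port"]] = matched
        if looks_like_legitimate_site(rec):
            entry["legit_ports"].append(rec["port"])

    findings: dict[str, dict] = {}
    for ip, entry in per_ip.items():
        if not entry["hits"]:
            continue
        verdict = "c2_on_legitimate_server" if entry["legit_ports"] else "dedicated_c2"
        findings[ip] = {"verdict": verdict, "hits": entry["hits"],
                        "legit_ports": entry["legit_ports"]}
    return findings


def run_sample() -> dict[str, dict]:
    """Run the hunt over the constructed records above."""
    return hunt_c2(json.loads(SCAN_RECORDS_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The constructed charity host is the case this sub-technique is about: port 443 serves an ordinary site under a real hostname, while port 8443 on the same address answers like a C2 listener. A blocklist keyed on domain or IP reputation would pass it; matching on the response artifacts catches it, and the verdict tells the analyst that notifying the site owner is part of the response. The legitimacy heuristic is deliberately coarse and is for triage only; the rule set is where real intelligence (certificate serials, JARM values, listener quirks) belongs, and both need tuning against the scan source actually in use.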
References
1. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
2. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
3. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
4. Kopeytsev, V. and Park, S. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
5. Insikt Group. (2020, March 12). Swallowing the Snake's Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
6. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
7. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
8. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
9. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
10. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
11. Frankoff, S. and Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
12. Ilascu, I. (2019, March 3). Op 'Sharpshooter' Connected to North Korea's Lazarus Group. Retrieved September 26, 2022.
13. Breitenbacher, D. and Osis, K. (2020, June 17). Operation In(ter)ception: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
14. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
15. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
16. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.