T1584.004 Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise, or email servers to support Phishing operations.

Item Value
ID T1584.004
Sub-techniques T1584.001, T1584.002, T1584.003, T1584.004, T1584.005, T1584.006, T1584.007
Tactics TA0042
Platforms PRE
Version 1.2
Created 01 October 2020
Last Modified 13 April 2023

Procedure Examples

ID Name Description
G0023 APT16: APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads. [8]
G0035 Dragonfly: Dragonfly has compromised legitimate websites to host C2 and malware modules. [9]
G1006 Earth Lusca: Earth Lusca has used compromised web servers as part of their operational infrastructure. [10]
G0119 Indrik Spider: Indrik Spider has served fake updates via legitimate websites that have been compromised. [11]
G0032 Lazarus Group: Lazarus Group has compromised servers to stage malicious tools. [4]
C0002 Night Dragon: During Night Dragon, threat actors compromised web servers to use for C2. [16]
C0022 Operation Dream Job: For Operation Dream Job, Lazarus Group compromised servers to host their malicious tools. [15][13][14]
C0013 Operation Sharpshooter: For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign’s infrastructure. [12]
G0010 Turla: Turla has used compromised servers as infrastructure. [5][6][7]

Mitigations

ID Mitigation Description
M1056 Pre-compromise: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0035 Internet Scan: Response Content

References

  1. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
  2. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
  3. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  4. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  5. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
  6. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  7. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  8. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  9. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade’s Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
  10. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  11. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  12. Ilascu, I. (2019, March 3). Op ‘Sharpshooter’ Connected to North Korea’s Lazarus Group. Retrieved September 26, 2022.
  13. Breitenbacher, D. and Osis, K. (2020, June 17). Operation In(ter)ception: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  14. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  15. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  16. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.