Compromise Infrastructure: Server
Other sub-techniques of Compromise Infrastructure (6)
ID | Name |
---|---|
T1584.001 | Domains |
T1584.002 | DNS Server |
T1584.003 | Virtual Private Server |
T1584.004 | Server |
T1584.005 | Botnet |
T1584.006 | Web Services |
Before compromising a victim, adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.
Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise.
Procedure Examples
Name | Description |
---|---|
APT16 |
APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.[1] |
Turla |
Mitigations
Mitigation | Description |
---|---|
Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.