T1583
Acquire Infrastructure
攻撃インフラの獲得

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[1] Additionally, botnets are available for rent or purchase.

 攻撃者は、攻撃時に使用するインフラを購入、リース、またはレンタルすることがあります。攻撃者の作戦を支援し、遂行するために、さまざまなインフラが存在します。インフラ・ソリューションには、物理サーバ、クラウドサーバ、ドメイン、サードパーティのウェブサービスなどがあります。さらに、ボットネットはレンタルや購入して利用することができます。 

Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

このようなインフラを使用することで、攻撃者は作戦の準備、開始、実行を行うことができます。また、サードパーティのウェブサービスへのアクセスなど、攻撃者の作戦を通常のトラフィックに紛れ込ませることも可能です。攻撃者は、物理的な追跡が困難なインフラを利用することもあれば、迅速にプロビジョニング、変更、シャットダウンが可能なインフラを利用することもあります。

ID: T1583
Platforms: PRE
Version: 1.1
Created: 30 September 2020
Last Modified: 17 October 2021

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0038 Domain Name Active DNS

Monitor for queried domain name system (DNS) registry data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

    Domain Registration

Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

    Passive DNS

Monitor for logged domain name system (DNS) data that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

DS0035 Internet Scan Response Content

Once adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[2][3][4] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

    Response Metadata

Monitor for contextual data about an Internet-facing resource gathered from a scan, such as running services or ports that may buy, lease, or rent infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References