T1584.004
Compromise Infrastructure:
Server

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a Server or Virtual Private Server, adversaries may compromise third-party servers in support of operations.

攻撃者は、攻撃中に使用することができる第三者のサーバーを侵害することがあります。攻撃者は、サーバを使用することで、作戦の準備、開始、実行を行うことができます。侵害後の活動において、攻撃者は、コマンド・アンド・コントロールを含む様々なタスクのためにサーバを利用することができます。攻撃者は、サーバーや仮想プライベート・サーバーを購入する代わりに、作戦をサポートするためにサード・パーティーのサーバーを侵害することもあります。

Adversaries may also compromise web servers to support watering hole operations, as in Drive-by Compromise.

攻撃者は、「Drive-by Compromise」のように、水飲み場攻撃をサポートするためにウェブサーバーを侵害することもあります。

ID: T1584.004
Sub-technique of:  T1584
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
G0023 APT16

APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.[1]

G0035 Dragonfly

Dragonfly has compromised legitimate websites to host C2 and malware modules.[2]

G1006 Earth Lusca

Earth Lusca has used compromised web servers as part of their operational infrastructure.[3]

G0119 Indrik Spider

Indrik Spider has served fake updates via legitimate websites that have been compromised.[4]

G0032 Lazarus Group

Lazarus Group has compromised servers to stage malicious tools.[5][6][7][8]

C0002 Night Dragon

During Night Dragon, threat actors compromised web servers to use for C2.[9]

C0013 Operation Sharpshooter

For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.[10]

G0010 Turla

Turla has used compromised servers as infrastructure.[11][12][13]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned software on a compromised server (ex: for use as a command and control server), internet scans may reveal servers that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[14][15][16]

    Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References