
T1583.004Server

Sub-technique of T1583

Platforms: PRE

ATT&CK version: 14.1

What it is

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Adversaries may use web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

ATT&CK tactics

Resource Development

References

  1. https://attack.mitre.org/techniques/T1583/004
  2. https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
  3. https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
  4. https://threatconnect.com/blog/infrastructure-research-hunting/
  5. https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
T1583.004: Server | SQUR Knowledge Base