T1584.003SubTechniqueresource-developmentagent-callable

T1584.003Virtual Private Server

Sub-technique of T1584

Platforms: PRE

ATT&CK version: 14.1

What it is

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

ATT&CK tactics· 1

Resource Development

References

  1. https://attack.mitre.org/techniques/T1584/003
  2. https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
  3. https://threatconnect.com/blog/infrastructure-research-hunting/
  4. https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
  5. https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.