
T1584.004 Server

Sub-technique of T1584

Platforms: PRE

ATT&CK version: 14.1

What it is

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.

ATT&CK tactics · 1

Resource Development

Sourced from MITRE ATT&CK Enterprise v14.1. Curated and contextualized for EU compliance use cases by Adam Lundqvist, Founder at SQUR.