Description
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)
Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
Mitigations (1)
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0093 | GALLIUM | [GALLIUM](https://attack.mitre.org/groups/G0093) has used Taiwan-based servers that appear to be exclusive to [GALLIUM](https://attack.mitre.org/group... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has purchased hosting servers with virtual currency and prepaid cards.(Citation: KISA Operation Muzab... |
| G0034 | Sandworm Team | [Sandworm Team](https://attack.mitre.org/groups/G0034) has leased servers from resellers instead of leasing infrastructure directly from hosting compa... |
| G1055 | VOID MANTICORE | [VOID MANTICORE](https://attack.mitre.org/groups/G1055) has leveraged backend servers within Iran.(Citation: DOJ FBI Handala Hack March 2026) |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has acquired multiple servers for some of their operations, using each server for a different rol... |
| G1020 | Mustard Tempest | [Mustard Tempest](https://attack.mitre.org/groups/G1020) has acquired servers to host second-stage payloads that remain active for a period of either ... |
| G1012 | CURIUM | [CURIUM](https://attack.mitre.org/groups/G1012) has created dedicated servers for command and control and exfiltration purposes.(Citation: PWC Yellow ... |
References
- Clark, Michael. (2023, August 14). Google’s Vertex AI Platform Gets Freejacked. Retrieved February 28, 2024.
- Gamazo, William, and Quist, Nathaniel. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
- Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
- Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
- ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
- William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
Frequently Asked Questions
What is T1583.004 (Server)?
T1583.004 is a MITRE ATT&CK technique named 'Server'. It belongs to the Resource Development tactic(s). Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise ac...
How can T1583.004 be detected?
Detection of T1583.004 (Server) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1583.004?
There is 1 documented mitigation for T1583.004: Pre-compromise (M1056).
Which threat groups use T1583.004?
Known threat groups using T1583.004 include: GALLIUM, Kimsuky, Sandworm Team, VOID MANTICORE, Earth Lusca, Mustard Tempest, CURIUM.