T1584: Compromise Infrastructure

Data from MITRE ATT&CK®:

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support Proxy and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Active DNS (Domain Name)

Queried domain name system (DNS) registry data highlighting current domain to IP address resolutions (ex: dig/nslookup queries)

Domain Registration (Domain Name)

Information about domain name assignments and other domain metadata (ex: WHOIS)

Response Content (Internet Scan)

Logged network traffic in response to a scan showing both protocol header and body values

Passive DNS (Domain Name)

Logged domain name system (DNS) data highlighting timelines of domain to IP address resolutions (ex: passive DNS)

Response Metadata (Internet Scan)

Contextual data about an Internet-facing resource gathered from a scan, such as running services or ports

Search-ms and WebDAV Suspicious Indicators in URL

proxy

Windows Update Error

windows

Program Executions in Suspicious Folders

linux