Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.(Citation: FireEye DNS Hijack 2019) Additionally, adversaries may also compromise infrastructure to support Proxy and/or proxyware services.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking)
By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1584 | Compromise Infrastructure | |
| action.malware.vector.Web application - download | Web via user-executed or downloaded content. Child of 'Web application'. | related-to | T1584 | Compromise Infrastructure |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| azure_dns_alias_records | Azure DNS Alias Records | technique_scores | T1584 | Compromise Infrastructure |
Comments
This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score factor is Minimal, resulting in a Minimal score.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1584 | Compromise Infrastructure |
Comments
This control only addresses one of the technique's sub-techniques, resulting in a score of Minimal.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1584.008 | Network Devices | 2 |
| T1584.003 | Virtual Private Server | 1 |
| T1584.005 | Botnet | 3 |
| T1584.006 | Web Services | 1 |
| T1584.002 | DNS Server | 5 |
| T1584.007 | Serverless | 2 |
| T1584.004 | Server | 1 |
| T1584.001 | Domains | 4 |