T1584 Compromise Infrastructure Mappings

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.hacking.variety.Unknown Unknown related-to T1584 Compromise Infrastructure
action.malware.vector.Web application - download Web via user-executed or downloaded content. Child of 'Web application'. related-to T1584 Compromise Infrastructure
value_chain.distribution.variety.Other The variety of distribution was known, but is not listed related-to T1584 Compromise Infrastructure
value_chain.non-distribution services.variety.Other The variety of non-distribution service required is known, but is not listed related-to T1584 Compromise Infrastructure

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1584.005 Botnet 4
T1584.002 DNS Server 4
T1584.001 Domains 4
T1584.004 Server 3
T1584.003 Virtual Private Server 3
T1584.006 Web Services 3