T1584.003 Virtual Private Server Mappings

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.


Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
| --- | --- | --- | --- | --- |
| action.hacking.variety.Unknown | Unknown | related-to | T1584.003 | Compromise Infrastructure: Virtual Private Server |
| value_chain.distribution.variety.Compromised server | malicious content added to a benign server, such as a webserver, by the actor, without the permission or necessarily knowledge of the server’s owner | related-to | T1584.003 | Compromise Infrastructure: Virtual Private Server |
| value_chain.non-distribution services.variety.Other | The variety of non-distribution service required is known, but is not listed | related-to | T1584.003 | Compromise Infrastructure: Virtual Private Server |