T1584
Compromise Infrastructure
インフラの侵害

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[1][2][3][4] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

攻撃者は、攻撃中に使用することができるサードパーティのインフラを侵害することがあります。インフラのソリューションには、物理サーバ、クラウドサーバ、ドメイン、サードパーティのウェブサービスやDNSサービスなどが含まれます。攻撃者は、インフラを購入、リース、またはレンタルする代わりに、インフラを侵害し、攻撃者のライフサイクルの他のフェーズでそれを使用することがあります[1][2][3][4]。

さらに、攻撃者は、多数のマシンを侵害し、ボットネットを形成して、それを利用することもあります。

Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.[5]

攻撃者は、侵害されたインフラを使用することで、作戦の準備、開始、実行を行うことができます。侵害されたインフラは、攻撃者の作戦を、高い評価を得ているサイトや信頼できるサイトとの接触など、通常のトラフィックに紛れ込ませることができます。例えば、攻撃者は、侵害されたインフラ(可能性として、デジタル証明書との組み合わせ)を利用して、さらに紛れ込み、段階的な情報収集やフィッシング・キャンペーンをサポートするために利用することができます[5]。

By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.[6]

攻撃者は、侵害されたインフラを利用することで、自分たちの行動を自分たちに結びつけることを難しくすることができます。攻撃に先立ち、攻撃者は他の攻撃者のインフラを侵害することもあります。[6]

ID: T1584
Platforms: PRE
Contributors: Jeremy Galloway
Version: 1.2
Created: 01 October 2020
Last Modified: 26 July 2022

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0038 Domain Name Active DNS

Monitor for queried domain name system (DNS) registry data that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

    Domain Registration

Consider monitoring for anomalous changes to domain registrant information and/or domain resolution information that may indicate the compromise of a domain. Efforts may need to be tailored to specific domains of interest as benign registration and resolution changes are a common occurrence on the internet.

    Passive DNS

Monitor for logged domain name system (DNS) data that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

DS0035 Internet Scan Response Content

Once adversaries have provisioned compromised infrastructure (ex: a server for use in command and control), internet scans may help proactively discover compromised infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[7][8][9]

    Response Metadata

Monitor for contextual data about an Internet-facing resource gathered from a scan, such as running services or ports that may compromise third-party infrastructure that can be used during targeting. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References