T1584.003
Compromise Infrastructure: Virtual Private Server

ID Name
T1584.001 Domains
T1584.002 DNS Server
T1584.003 Virtual Private Server
T1584.004 Server
T1584.005 Botnet
T1584.006 Web Services
T1584.007 Serverless

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.[1]

攻撃者は、攻撃中にサードパーティの仮想プライベートサーバ(VPS)を侵害することがあります。現在、仮想マシンやコンテナをサービスとして販売する様々なクラウドサービスプロバイダーが存在します。攻撃者は、サードパーティが購入したVPSを侵害することがあります。攻撃者は、インフラとして使用するVPSを侵害することで、作戦を自分たちに物理的に結びつけることを困難にすることができます[1]。

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

攻撃者のライフサイクルの後期段階、例えばコマンド&コントロールに使用するためにVPSを侵害すると、侵害されたサードパーティによって追加されたものだけでなく、より評価の高いクラウドサービスプロバイダーに関連する普遍性と信頼から、攻撃者が利益を得ることができるようになります。

ID: T1584.003
Sub-technique of:  T1584
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
G0010 Turla

Turla has used the VPS infrastructure of compromised Iranian threat actors.[1]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

Once adversaries have provisioned software on a compromised VPS (ex: for use as a command and control server), internet scans may reveal VPSs that adversaries have compromised. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[2][3][4]

    Response Metadata

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.

References

  1. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  2. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  1. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.
  2. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.

連絡先:@amj_trans

 

MITRE ATT&CK 日本語化プロジェクト