MITRE ATT&CK Technique
Resource Development
T1584.003
Description
Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig) Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.
Supported Platforms
PRE
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:55:17.771Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise third-party Virtual Private '
'Servers (VPSs) that can be used during targeting. There exist '
'a variety of cloud service providers that will sell virtual '
'machines/containers as a service. Adversaries may compromise '
'VPSs purchased by third-party entities. By compromising a VPS '
'to use as infrastructure, adversaries can make it difficult '
'to physically tie back operations to themselves.(Citation: '
'NSA NCSC Turla OilRig)\n'
'\n'
'Compromising a VPS for use in later stages of the adversary '
'lifecycle, such as Command and Control, can allow adversaries '
'to benefit from the ubiquity and trust associated with higher '
'reputation cloud service providers as well as that added by '
'the compromised third-party.',
'external_references': [{'external_id': 'T1584.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1584/003'},
{'description': 'Koczwara, M. (2021, September 7). '
'Hunting Cobalt Strike C2 with '
'Shodan. Retrieved October 12, 2021.',
'source_name': 'Koczwara Beacon Hunting Sep 2021',
'url': 'https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2'},
{'description': 'NSA/NCSC. (2019, October 21). '
'Cybersecurity Advisory: Turla Group '
'Exploits Iranian APT To Expand '
'Coverage Of Victims. Retrieved '
'October 16, 2020.',
'source_name': 'NSA NCSC Turla OilRig',
'url': 'https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf'},
{'description': 'Stephens, A. (2020, July 13). '
'SCANdalous! (External Detection '
'Using Network Scan Data and '
'Automation). Retrieved November 17, '
'2024.',
'source_name': 'Mandiant SCANdalous Jul 2020',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
'id': 'attack-pattern--39cc9f64-cf74-4a48-a4d8-fe98c54a02e0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:40.055Z',
'name': 'Virtual Private Server',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}