MITRE ATT&CK Technique
Description
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked) Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:48:09.578Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may buy, lease, rent, or obtain physical '
'servers\xa0that can be used during targeting. Use of servers '
'allows an adversary to stage, launch, and execute an '
'operation. During post-compromise activity, adversaries may '
'utilize servers for various tasks, such as watering hole '
'operations in [Drive-by '
'Compromise](https://attack.mitre.org/techniques/T1189), '
'enabling '
'[Phishing](https://attack.mitre.org/techniques/T1566) '
'operations, or facilitating [Command and '
'Control](https://attack.mitre.org/tactics/TA0011). Instead of '
'compromising a third-party '
'[Server](https://attack.mitre.org/techniques/T1584/004) or '
'renting a [Virtual Private '
'Server](https://attack.mitre.org/techniques/T1583/003), '
'adversaries may opt to configure and run their own servers in '
'support of operations. Free trial periods of cloud servers '
'may also be abused.(Citation: Free Trial '
'PurpleUrchin)(Citation: Freejacked) \n'
'\n'
'Adversaries may only need a lightweight setup if most of '
'their activities will take place using online infrastructure. '
'Or, they may need to build extensive infrastructure if they '
'want to test, communicate, and control other aspects of their '
'activities on their own systems.(Citation: NYTStuxnet)',
'external_references': [{'external_id': 'T1583.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1583/004'},
{'description': 'Clark, Michael. (2023, August 14). '
'Google’s Vertex AI Platform Gets '
'Freejacked. Retrieved February 28, '
'2024.',
'source_name': 'Freejacked',
'url': 'https://sysdig.com/blog/googles-vertex-ai-platform-freejacked/'},
{'description': 'Gamazo, William. Quist, Nathaniel.. '
'(2023, January 5). PurpleUrchin '
'Bypasses CAPTCHA and Steals Cloud '
'Platform Resources. Retrieved '
'February 28, 2024.',
'source_name': 'Free Trial PurpleUrchin',
'url': 'https://unit42.paloaltonetworks.com/purpleurchin-steals-cloud-resources/'},
{'description': 'Koczwara, M. (2021, September 7). '
'Hunting Cobalt Strike C2 with '
'Shodan. Retrieved October 12, 2021.',
'source_name': 'Koczwara Beacon Hunting Sep 2021',
'url': 'https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2'},
{'description': 'Stephens, A. (2020, July 13). '
'SCANdalous! (External Detection '
'Using Network Scan Data and '
'Automation). Retrieved November 17, '
'2024.',
'source_name': 'Mandiant SCANdalous Jul 2020',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'},
{'description': 'William J. Broad, John Markoff, and '
'David E. Sanger. (2011, January 15). '
'Israeli Test on Worm Called Crucial '
'in Iran Nuclear Delay. Retrieved '
'March 1, 2017.',
'source_name': 'NYTStuxnet',
'url': 'https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html'}],
'id': 'attack-pattern--60c4b628-4807-4b0b-bbf5-fdac8643c337',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:48:50.911Z',
'name': 'Server',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Dor Edry, Microsoft'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.3'}