MITRE ATT&CK Technique
Description
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage. Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) to further blend in and support staged information gathering and/or [Phishing](https://attack.mitre.org/techniques/T1566) campaigns.(Citation: FireEye DNS Hijack 2019) Adversaries may also compromise numerous machines to support [Proxy](https://attack.mitre.org/techniques/T1090) and/or proxyware services or to form a botnet.(Citation: amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) Additionally, adversaries may compromise infrastructure residing in close proximity to a target in order to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) via [Wi-Fi Networks](https://attack.mitre.org/techniques/T1669).(Citation: Nearest Neighbor Volexity) By using compromised infrastructure, adversaries may enable follow-on malicious operations. Prior to targeting, adversaries may also compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:36:30.759Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise third-party infrastructure that '
'can be used during targeting. Infrastructure solutions '
'include physical or cloud servers, domains, network devices, '
'and third-party web and DNS services. Instead of buying, '
'leasing, or renting infrastructure an adversary may '
'compromise infrastructure and use it during other phases of '
'the adversary lifecycle.(Citation: Mandiant APT1)(Citation: '
'ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov '
'2018)(Citation: FireEye EPS Awakens Part 2) Additionally, '
'adversaries may compromise numerous machines to form a botnet '
'they can leverage.\n'
'\n'
'Use of compromised infrastructure allows adversaries to '
'stage, launch, and execute operations. Compromised '
'infrastructure can help adversary operations blend in with '
'traffic that is seen as normal, such as contact with high '
'reputation or trusted sites. For example, adversaries may '
'leverage compromised infrastructure (potentially also in '
'conjunction with [Digital '
'Certificates](https://attack.mitre.org/techniques/T1588/004)) '
'to further blend in and support staged information gathering '
'and/or [Phishing](https://attack.mitre.org/techniques/T1566) '
'campaigns.(Citation: FireEye DNS Hijack 2019) Adversaries may '
'also compromise numerous machines to support '
'[Proxy](https://attack.mitre.org/techniques/T1090) and/or '
'proxyware services or to form a botnet.(Citation: '
'amnesty_nso_pegasus)(Citation: Sysdig Proxyjacking) '
'Additionally, adversaries may compromise infrastructure '
'residing in close proximity to a target in order to gain '
'[Initial Access](https://attack.mitre.org/tactics/TA0001) via '
'[Wi-Fi '
'Networks](https://attack.mitre.org/techniques/T1669).(Citation: '
'Nearest Neighbor Volexity)\n'
'\n'
'By using compromised infrastructure, adversaries may enable '
'follow-on malicious operations. Prior to targeting, '
'adversaries may also compromise the infrastructure of other '
'adversaries.(Citation: NSA NCSC Turla OilRig)',
'external_references': [{'external_id': 'T1584',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1584'},
{'description': 'Amnesty International Security Lab. '
'(2021, July 18). Forensic '
'Methodology Report: How to catch NSO '
'Group’s Pegasus. Retrieved February '
'22, 2022.',
'source_name': 'amnesty_nso_pegasus',
'url': 'https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/'},
{'description': 'Crystal Morin. (2023, April 4). '
'Proxyjacking has Entered the Chat. '
'Retrieved July 6, 2023.',
'source_name': 'Sysdig Proxyjacking',
'url': 'https://sysdig.com/blog/proxyjacking-attackers-log4j-exploited/'},
{'description': 'Hirani, M., Jones, S., Read, B. '
'(2019, January 10). Global DNS '
'Hijacking Campaign: DNS Record '
'Manipulation at Scale. Retrieved '
'October 9, 2020.',
'source_name': 'FireEye DNS Hijack 2019',
'url': 'https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html'},
{'description': 'ICANN Security and Stability '
'Advisory Committee. (2005, July 12). '
'Domain Name Hijacking: Incidents, '
'Threats, Risks and Remediation. '
'Retrieved November 17, 2024.',
'source_name': 'ICANNDomainNameHijacking',
'url': 'https://www.icann.org/en/ssac/registration-services/documents/sac-007-domain-name-hijacking-incidents-threats-risks-and-remediation-12-07-2005-en'},
{'description': 'Koczwara, M. (2021, September 7). '
'Hunting Cobalt Strike C2 with '
'Shodan. Retrieved October 12, 2021.',
'source_name': 'Koczwara Beacon Hunting Sep 2021',
'url': 'https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2'},
{'description': 'Koessel, Sean. Adair, Steven. '
'Lancaster, Tom. (2024, November 22). '
'The Nearest Neighbor Attack: How A '
'Russian APT Weaponized Nearby Wi-Fi '
'Networks for Covert Access. '
'Retrieved February 25, 2025.',
'source_name': 'Nearest Neighbor Volexity',
'url': 'https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/'},
{'description': 'Mandiant. (n.d.). APT1 Exposing One '
'of China’s Cyber Espionage Units. '
'Retrieved July 18, 2016.',
'source_name': 'Mandiant APT1',
'url': 'https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf'},
{'description': 'Mercer, W., Rascagneres, P. (2018, '
'November 27). DNSpionage Campaign '
'Targets Middle East. Retrieved '
'October 9, 2020.',
'source_name': 'Talos DNSpionage Nov 2018',
'url': 'https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html'},
{'description': 'NSA/NCSC. (2019, October 21). '
'Cybersecurity Advisory: Turla Group '
'Exploits Iranian APT To Expand '
'Coverage Of Victims. Retrieved '
'October 16, 2020.',
'source_name': 'NSA NCSC Turla OilRig',
'url': 'https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf'},
{'description': 'Stephens, A. (2020, July 13). '
'SCANdalous! (External Detection '
'Using Network Scan Data and '
'Automation). Retrieved November 17, '
'2024.',
'source_name': 'Mandiant SCANdalous Jul 2020',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'},
{'description': 'Winters, R. (2015, December 20). The '
'EPS Awakens - Part 2. Retrieved '
'January 22, 2016.',
'source_name': 'FireEye EPS Awakens Part 2',
'url': 'https://web.archive.org/web/20151226205946/https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html'}],
'id': 'attack-pattern--7e3beebd-8bfe-4e7b-a892-e44ab06a75f9',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:01.181Z',
'name': 'Compromise Infrastructure',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Jeremy Galloway',
'Shailesh Tiwary (Indian Army)',
'Menachem Goldstein',
'Cian Heasley',
'Rouven Bissinger (SySS GmbH)'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.6'}