MITRE ATT&CK Technique
Resource Development
T1584.004
Description
Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control.(Citation: TrendMicro EarthLusca 2022) Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations. Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or email servers to support [Phishing](https://attack.mitre.org/techniques/T1566) operations.
Supported Platforms
PRE
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T00:56:25.135Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may compromise third-party servers that can be '
'used during targeting. Use of servers allows an adversary to '
'stage, launch, and execute an operation. During '
'post-compromise activity, adversaries may utilize servers for '
'various tasks, including for Command and Control.(Citation: '
'TrendMicro EarthLusca 2022) Instead of purchasing a '
'[Server](https://attack.mitre.org/techniques/T1583/004) or '
'[Virtual Private '
'Server](https://attack.mitre.org/techniques/T1583/003), '
'adversaries may compromise third-party servers in support of '
'operations.\n'
'\n'
'Adversaries may also compromise web servers to support '
'watering hole operations, as in [Drive-by '
'Compromise](https://attack.mitre.org/techniques/T1189), or '
'email servers to support '
'[Phishing](https://attack.mitre.org/techniques/T1566) '
'operations.',
'external_references': [{'external_id': 'T1584.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1584/004'},
{'description': 'Chen, J., et al. (2022). Delving '
'Deep: An Analysis of Earth Lusca’s '
'Operations. Retrieved July 1, 2022.',
'source_name': 'TrendMicro EarthLusca 2022',
'url': 'https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf'},
{'description': 'Koczwara, M. (2021, September 7). '
'Hunting Cobalt Strike C2 with '
'Shodan. Retrieved October 12, 2021.',
'source_name': 'Koczwara Beacon Hunting Sep 2021',
'url': 'https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2'},
{'description': 'Stephens, A. (2020, July 13). '
'SCANdalous! (External Detection '
'Using Network Scan Data and '
'Automation). Retrieved November 17, '
'2024.',
'source_name': 'Mandiant SCANdalous Jul 2020',
'url': 'https://cloud.google.com/blog/topics/threat-intelligence/scandalous-external-detection-using-network-scan-data-and-automation/'},
{'description': 'ThreatConnect. (2020, December 15). '
'Infrastructure Research and Hunting: '
'Boiling the Domain Ocean. Retrieved '
'October 12, 2021.',
'source_name': 'ThreatConnect Infrastructure Dec '
'2020',
'url': 'https://threatconnect.com/blog/infrastructure-research-hunting/'}],
'id': 'attack-pattern--e196b5c5-8118-4a1c-ab8a-936586ce3db5',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:30.616Z',
'name': 'Server',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Dor Edry, Microsoft'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.2'}