{
    "type": "bundle",
    "id": "bundle--a9415a33-da16-4694-ba0f-7d23a2414d08",
    "spec_version": "2.0",
    "objects": [
        {
            "modified": "2023-03-02T21:34:46.139Z",
            "name": "Acquire Infrastructure",
            "description": "Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.\n\nUse of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support [Proxy](https://attack.mitre.org/techniques/T1090).(Citation: amnesty_nso_pegasus) Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.",
            "kill_chain_phases": [
                {
                    "kill_chain_name": "mitre-attack",
                    "phase_name": "resource-development"
                }
            ],
            "x_mitre_detection": "Consider use of services that may aid in tracking of newly acquired infrastructure, such as WHOIS databases for domain registration information. \n\nOnce adversaries have provisioned infrastructure (ex: a server for use in command and control), internet scans may help proactively discover adversary acquired infrastructure. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.(Citation: ThreatConnect Infrastructure Dec 2020)(Citation: Mandiant SCANdalous Jul 2020)(Citation: Koczwara Beacon Hunting Sep 2021)\n\nDetection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.",
            "x_mitre_platforms": [
                "PRE"
            ],
            "x_mitre_is_subtechnique": false,
            "x_mitre_deprecated": false,
            "x_mitre_domains": [
                "enterprise-attack"
            ],
            "x_mitre_version": "1.2",
            "x_mitre_contributors": [
                "Shailesh Tiwary (Indian Army)"
            ],
            "x_mitre_data_sources": [
                "Internet Scan: Response Metadata",
                "Domain Name: Active DNS",
                "Internet Scan: Response Content",
                "Domain Name: Domain Registration",
                "Domain Name: Passive DNS"
            ],
            "type": "attack-pattern",
            "id": "attack-pattern--0458aab9-ad42-4eac-9e22-706a95bafee2",
            "created": "2020-09-30T16:37:40.271Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "revoked": false,
            "external_references": [
                {
                    "source_name": "mitre-attack",
                    "url": "https://attack.mitre.org/techniques/T1583",
                    "external_id": "T1583"
                },
                {
                    "source_name": "amnesty_nso_pegasus",
                    "description": "Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group\u2019s Pegasus. Retrieved February 22, 2022.",
                    "url": "https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/"
                },
                {
                    "source_name": "Koczwara Beacon Hunting Sep 2021",
                    "description": "Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.",
                    "url": "https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2"
                },
                {
                    "source_name": "TrendmicroHideoutsLease",
                    "description": "Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.",
                    "url": "https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf"
                },
                {
                    "source_name": "Mandiant SCANdalous Jul 2020",
                    "description": "Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved October 12, 2021.",
                    "url": "https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation"
                },
                {
                    "source_name": "ThreatConnect Infrastructure Dec 2020",
                    "description": "ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.",
                    "url": "https://threatconnect.com/blog/infrastructure-research-hunting/"
                }
            ],
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "x_mitre_attack_spec_version": "3.1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
        }
    ]
}