AN1970: Analytic 1970
Once adversaries have provisioned a VPS (ex: for use as a command and control server), internet scans may reveal servers that adversaries have acquired. Consider looking for identifiable patterns such as services listening, certificates in use, SSL/TLS negotiation features, or other response artifacts associated with adversary C2 software.[1][2][3] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control.
Analyst context for executives and security teams
AN1970 is about using external internet scan data to identify infrastructure an adversary may have provisioned, such as VPS-hosted command-and-control servers, based on observable patterns like listening services, certificates, TLS behavior, or other response artifacts. For leaders, the key point is that this activity often happens outside the organization’s direct visibility, so it is not a normal internal SOC-only detection problem. Its value is in threat intelligence, external infrastructure hunting, and improving readiness for later command-and-control detection.
Executive priority
Treat this as an intelligence and detection-engineering capability decision, not a guaranteed alert source. The business question is whether the organization has enough external visibility, threat intelligence process, and command-and-control monitoring to recognize suspicious infrastructure before or during an incident. This can support incident response triage, managed detection maturity, and audit evidence showing that the organization monitors for external threat infrastructure where feasible, while acknowledging that much of the activity occurs outside enterprise-controlled telemetry.
Technical view
SOC and detection teams should validate whether they can use external scan intelligence and enrichment to identify infrastructure with patterns associated with adversary C2 software, then connect those findings to internal network detections during the Command and Control stage. Because ATT&CK provides no formal detection logic for this analytic and no relationships are supplied, teams should avoid treating external scan matches as standalone proof. Use them as enrichment, pivoting context, or watchlist material that must be correlated with internal DNS, proxy, firewall, TLS, endpoint, or network flow evidence.
Likely telemetry
- External internet scan data or commercial/open-source scan intelligence
- Observed service banners and listening service metadata
- Certificate and TLS/SSL negotiation metadata
- Response artifacts associated with externally reachable servers
- Internal DNS, proxy, firewall, network flow, and TLS logs for correlation with suspected infrastructure
Detection direction
- Confirm whether the organization has access to external scan datasets or intelligence feeds that can support infrastructure hunting.
- Tune findings around repeatable infrastructure characteristics such as certificates, TLS behavior, exposed services, and response artifacts, while avoiding conclusions based on a single weak indicator.
- Correlate suspected infrastructure with internal command-and-control telemetry rather than relying on external visibility alone.
- Document blind spots: adversary infrastructure provisioning usually occurs outside enterprise visibility, and ATT&CK does not provide specific detection logic for this analytic.
- Account for false positives from benign VPS hosting, shared infrastructure, reused certificates, scanners, research systems, and legitimate administrative services.
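An added example, not part of the ATT&CK object or Glexia's analysis, of the workflow described under Technical view and Detection direction: constructed scan records are scored against a watchlist of repeatable server characteristics (a host is flagged only when at least two independent characteristics match, so one weak indicator never drives a finding), and flagged hosts are then correlated with constructed internal proxy log lines so each finding is labelled corroborated or external-only. All IPs, certificate values, TLS fingerprints and log lines are constructed placeholders, and the pattern functions are illustrative, not real C2 signatures.

```python
from collections import defaultdict
# Constructed scan records (documentation-range IPs, not real hosts), shaped like
# the fields an internet scan dataset exposes: banner, certificate, TLS fingerprint.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "port": 443, "banner": "HTTP/1.1 404 Not Found",
     "cert_subject": "CN=localhost", "cert_serial": "00", "tls_fp": "fp-aaaa"},
    {"ip": "203.0.113.20", "port": 443, "banner": "nginx",
     "cert_subject": "CN=shop.example", "cert_serial": "1f3c", "tls_fp": "fp-bbbb"},
    {"ip": "203.0.113.30", "port": 8443, "banner": "HTTP/1.1 404 Not Found",
     "cert_subject": "CN=localhost", "cert_serial": "9a", "tls_fp": "fp-cccc"},
]

# Constructed watchlist of repeatable server characteristics (illustrative values).
# Each entry is an independent observable; a host must satisfy at least MIN_MATCHES
# of them, so a single weak indicator (a bare 404 page is common) never flags a host.
PATTERNS = {
    "default_cert_subject": lambda r: r["cert_subject"] == "CN=localhost",
    "placeholder_serial": lambda r: r["cert_serial"] == "00",
    "watchlisted_tls_fp": lambda r: r["tls_fp"] == "fp-aaaa",
    "bare_404_banner": lambda r: r["banner"].startswith("HTTP/1.1 404"),
}
MIN_MATCHES = 2

# Constructed internal proxy log: "<ts> <src> -> <dst_ip>:<port> <sni>"
PROXY_LOG = """\
2024-05-01T09:00:01Z 10.0.0.5 -> 203.0.113.10:443 -
2024-05-01T09:00:07Z 10.0.0.9 -> 198.51.100.7:443 cdn.example
"""

def score_scan_records(records, patterns=PATTERNS, min_matches=MIN_MATCHES):
    """Return {ip: [matched pattern names]} for hosts that meet the threshold."""
    suspects = {}
    for r in records:
        hits = [name for name, test in patterns.items() if test(r)]
        if len(hits) >= min_matches:
            suspects[r["ip"]] = hits
    return suspects

def correlate_with_proxy(suspects, proxy_log):
    """Label a suspect 'corroborated' when internal telemetry shows contact, else 'external-only'."""
    contacts = defaultdict(list)
    for line in proxy_log.splitlines():
        ts, src, _, dst, sni = line.split()
        dst_ip = dst.rsplit(":", 1)[0]
        if dst_ip in suspects:
            contacts[dst_ip].append({"ts": ts, "src": src, "sni": sni})
    return {ip: {"patterns": hits, "internal_contacts": contacts.get(ip, []),
                 "status": "corroborated" if ip in contacts else "external-only"}
            for ip, hits in suspects.items()}
```

With the constructed inputs, 203.0.113.10 matches all four characteristics and has an internal contact, while 203.0.113.30 matches two and stays external-only, which is the distinction an analyst needs before escalating.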
Mitigation priorities
- Prioritize strong command-and-control monitoring and egress visibility because ATT&CK notes the provisioning activity itself may be outside the target organization’s visibility.
- Integrate external infrastructure intelligence into SOC workflows, incident response playbooks, and threat intelligence review processes.
- Maintain evidence of enrichment sources and analytic decisions so alerts based on external infrastructure context can be reviewed and defended during investigations or audits.
- Use suspected infrastructure indicators as risk context for blocking, monitoring, or escalation only after local validation and change-control review.
- Regularly test whether internal telemetry can confirm or refute communications to externally identified suspicious infrastructure.
Analyst notes and limits
This analytic is most useful as a bridge between threat intelligence and SOC operations. It supports proactive infrastructure hunting and enrichment, but its practical value depends on the organization’s access to external scan data and its ability to correlate that data with internal command-and-control evidence. The supplied ATT&CK object lists platform PRE and no tactic, and no relationship context was supplied.
Official detection logic is not provided. The description explicitly states that much of the activity occurs outside the target organization’s visibility, making detection difficult. No relationships, attributed threat actors, malware, campaigns, mitigations, or confirmed exploitation context were supplied, so this take does not infer coverage, impact, attribution, or exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5293e97af56f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
[2] Mandiant SCANdalous Jul 2020: Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
[3] Koczwara Beacon Hunting Sep 2021: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
[4] mitre-attack AN1970.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.