MITRE ATT&CK® Technique

T1583: Acquire Infrastructure

Adversaries may buy, lease, rent, or obtain infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.[1] Some infrastructure providers offer free trial periods, enabling infrastructure acquisition at limited to no cost.[2] Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows adversaries to stage, launch, and execute operations. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contacting third-party web services or acquiring infrastructure to support Proxy, including from residential proxy services.[3][4][5] Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

Domain: Enterprise | ID: T1583 | Type: Technique | Object version: 1.5 | Modified: (date not captured in this snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Acquire Infrastructure is an early-stage adversary behavior: before an intrusion, an actor may obtain domains, servers, VPS/cloud resources, DNS services, web services, serverless infrastructure, ads, or botnet access to support later targeting. For leaders, the significance is that some risk is visible before compromise if teams monitor external infrastructure patterns, brand/domain abuse, suspicious hosting, and threat intelligence indicators. This technique matters because adversary-controlled or abused third-party infrastructure can make phishing, proxying, command-and-control, and other operations look like normal Internet or cloud activity.

Executive priority

Treat this as a pre-compromise risk and readiness issue, not only a SOC alerting problem. Executives should ask whether the organization has a defined process for identifying infrastructure that may be preparing to target the business, including lookalike domains, suspicious DNS changes, malicious or deceptive ads, abuse of common web services, and infrastructure linked by threat intelligence. Priority should be given to controls and evidence that reduce attack surface, support incident triage, and demonstrate proactive monitoring during audits or post-incident reviews. Because ATT&CK maps this to Resource Development on platform PRE, success depends heavily on external visibility, threat intelligence, and pre-compromise mitigation rather than endpoint telemetry alone.

Technical view

MITRE does not provide official detection text for T1583, but the relationship set includes DET0895, Detection of Acquire Infrastructure, and mitigation M1056, Pre-compromise. SOC, threat intelligence, and detection engineering teams should validate coverage across the related sub-techniques: Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, and Malvertising. Practical validation should focus on whether teams can correlate external infrastructure observations with internal security events, such as phishing reports, DNS/proxy activity, authentication anomalies, and command-and-control investigations. The relationship context shows multiple groups using this behavior, but that should be used for intelligence context and prioritization, not as proof of local targeting.

Likely telemetry

  • Threat intelligence reporting and infrastructure enrichment for domains, IPs, hosting providers, web services, DNS servers, and serverless endpoints
  • Domain registration, passive DNS, certificate transparency, DNS resolution, and registrar-related data where available
  • External attack surface and Internet scan data relevant to servers, VPS/cloud infrastructure, and exposed services
  • Email security, phishing-reporting, and URL analysis evidence for newly observed or suspicious domains and web services
  • Web proxy, secure web gateway, firewall, and DNS logs showing connections to newly acquired or suspicious infrastructure

Detection direction

  • Start with inventory: confirm which T1583 sub-technique categories the organization can observe externally and which require third-party threat intelligence or managed detection support.
  • Tune for context rather than single indicators. Newly registered domains, VPS/cloud hosting, public web services, or serverless infrastructure can be legitimate, so detections should combine reputation, timing, naming similarity, DNS/certificate changes, campaign context, and internal touchpoints.
  • Correlate pre-compromise infrastructure findings with internal telemetry such as phishing submissions, DNS/proxy logs, authentication events, and endpoint/network investigations.
  • Account for blind spots: infrastructure can be rapidly provisioned, modified, and shut down; common web services and residential or other proxy infrastructure may blend with normal traffic; and PRE-stage activity may occur before any endpoint event exists.
  • Use relationship-driven context carefully. Known groups mapped to this technique can inform threat intelligence requirements, but local detection should be based on observed infrastructure behavior and organization-specific exposure.
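One way to implement the context-based tuning in the list above, together with the brand/domain monitoring called for under Mitigation priorities, is shown below. This is an added example, not Glexia's or MITRE's code. The protected brand names, the allowlist, the candidate-domain feed, the certificate-transparency flag, the internal DNS log lines and the fixed "today" date are all constructed sample data, and the point weights and tier thresholds are assumptions that would be tuned against the organization's own false-positive rate. The example goes slightly beyond the text by folding common homoglyph substitutions (rn for m, digits for letters) before comparing names, so typosquats of the kind listed under T1583.001 Domains are caught as well as plain substring lookalikes.

```python
"""Lookalike-domain triage for T1583 pre-compromise monitoring.

Added example for the detection guidance on this page; not Glexia or MITRE code.
Brands, domains, the DNS log, the date and every weight are constructed assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date

PROTECTED_BRANDS = ["examplebank", "example"]   # constructed: names to defend
ALLOWLIST = {"examplebank.com"}                 # constructed: the org's own domains
TODAY = date(2024, 5, 4)                        # constructed: fixed for reproducibility

# Substitutions commonly used in lookalikes (digit-for-letter, rn->m, vv->w).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed feed: newly observed domains, registration date, and whether a
# fresh TLS certificate for the name appeared in certificate transparency logs.
CANDIDATES = [
    {"domain": "examp1ebank-login.com", "registered": "2024-05-01", "new_cert": True},
    {"domain": "examplebank.com", "registered": "2005-03-12", "new_cert": False},
    {"domain": "exarnplebank.net", "registered": "2024-05-03", "new_cert": True},
    {"domain": "randomshop.org", "registered": "2024-05-02", "new_cert": True},
    {"domain": "examplebanking-support.com", "registered": "2023-11-20", "new_cert": False},
]

# Constructed internal resolver log; qname= is the field correlated on.
DNS_LOG = """\
2024-05-04T09:12:33Z client=10.20.3.14 qname=examp1ebank-login.com rcode=NOERROR
2024-05-04T09:15:02Z client=10.20.3.77 qname=randomshop.org rcode=NOERROR
2024-05-04T09:20:11Z client=10.20.4.9 qname=exarnplebank.net rcode=NXDOMAIN
"""


@dataclass
class Finding:
    domain: str
    score: int = 0
    tier: str = "ignore"
    reasons: list[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- and two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label: str) -> str:
    """Fold homoglyph substitutions so 'exarnp1ebank' compares as 'examplebank'."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def registrable_label(domain: str) -> str:
    # Assumes a single-label public suffix (.com, .net). Production code should
    # consult a public suffix list so names under e.g. .co.uk are split correctly.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def name_similarity(label: str) -> tuple[int, str]:
    """Score naming similarity against every protected brand; best match wins."""
    norm = normalize(label)
    best = (0, "")
    for brand in PROTECTED_BRANDS:
        dist = levenshtein(norm, brand)
        if norm == brand:
            cand = (40, f"homoglyph match for {brand}")
        elif brand in norm:
            cand = (30, f"contains {brand}")
        elif dist == 1:
            cand = (35, f"edit distance 1 from {brand}")
        elif dist == 2:
            cand = (20, f"edit distance 2 from {brand}")
        else:
            cand = (0, "")
        if cand[0] > best[0]:
            best = cand
    return best


def queried_domains(dns_log: str) -> set[str]:
    """Every qname an internal client asked the resolver for (NXDOMAIN counts too)."""
    return {m.group(1).lower().rstrip(".") for m in re.finditer(r"qname=(\S+)", dns_log)}


def _add(f: Finding, pts: int, why: str) -> None:
    f.score += pts
    f.reasons.append(why)


def triage(candidates, dns_log: str, today: date = TODAY) -> list[Finding]:
    """Combine naming, timing, certificate and internal-touchpoint context into one score.

    No single factor escalates on its own: a fresh domain with a new certificate
    that an internal client resolved but that resembles no brand stays at
    'monitor', as does an old, untouched brand lookalike.
    """
    seen = queried_domains(dns_log)
    findings = []
    for c in candidates:
        f = Finding(c["domain"].lower())
        if f.domain in ALLOWLIST:
            f.tier = "allowlisted"
            findings.append(f)
            continue
        pts, why = name_similarity(registrable_label(f.domain))
        if pts:
            _add(f, pts, why)
        age = (today - date.fromisoformat(c["registered"])).days
        if age <= 7:
            _add(f, 20, f"registered {age}d ago")
        elif age <= 30:
            _add(f, 10, f"registered {age}d ago")
        if c["new_cert"]:
            _add(f, 10, "new TLS certificate in CT logs")
        if f.domain in seen:
            _add(f, 30, "resolved by an internal client")
        f.tier = "escalate" if f.score >= 70 else "monitor" if f.score >= 30 else "ignore"
        findings.append(f)
    return sorted(findings, key=lambda x: x.score, reverse=True)


if __name__ == "__main__":
    for f in triage(CANDIDATES, DNS_LOG):
        print(f"{f.tier:<11} {f.score:>3}  {f.domain:<28} {'; '.join(f.reasons)}")
```

Run as-is, the two homoglyph lookalikes that internal clients resolved land in the escalate tier, the brand-neutral new domain and the old lookalike stay at monitor, and the organization's own domain is allowlisted rather than scored. In practice the candidate feed would come from passive DNS, certificate transparency or a registrar watch service, and the escalate tier would open a takedown referral and a phishing-report search rather than print a line.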

Mitigation priorities

  • Prioritize M1056 Pre-compromise measures: reduce exposed attack surface, identify adversarial preparation efforts, and increase the cost of using infrastructure against the organization.
  • Implement or validate brand/domain monitoring, suspicious domain triage, and processes for rapid blocking or takedown referral where appropriate.
  • Maintain external attack surface visibility so suspicious infrastructure can be compared against legitimate organizational assets, partners, and cloud services.
  • Ensure email, DNS, proxy, firewall, and cloud logging are retained and searchable for incident response when suspicious infrastructure is identified.
  • Define escalation paths between threat intelligence, SOC, incident response, legal/brand protection, and cloud/security operations for infrastructure-related findings.
Analyst notes and limits

This object is a parent technique with rich sub-technique context. The strongest defensive value comes from mapping the organization’s visibility against Domains, DNS Server, VPS, Server, Botnet, Web Services, Serverless, and Malvertising rather than treating Acquire Infrastructure as one generic alert. External references supplied by MITRE include reporting on leased criminal hosting, free-trial cloud resource abuse, residential/proxy infrastructure, external detection using scan data, and infrastructure hunting, which supports a threat-intelligence and pre-compromise monitoring emphasis.

Official ATT&CK detection text is not provided for T1583 in the supplied fields. The object is platform PRE, so many observations occur outside the defended environment and may require external data sources, threat intelligence, or third-party monitoring. Relationships to groups show reported use, but they do not establish current activity against any specific organization. Local business risk, telemetry availability, and control effectiveness must be validated in the organization’s own environment.

Official MITRE ATT&CK definition


The same entry is published on attack.mitre.org (MITRE-hosted reference); in-page links on this page resolve to the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available. All eight rows are sub-techniques of T1583.

Domain      ID         Name                     Relationship
Enterprise  T1583.001  Domains                  Sub-technique of this object
Enterprise  T1583.002  DNS Server               Sub-technique of this object
Enterprise  T1583.003  Virtual Private Server   Sub-technique of this object
Enterprise  T1583.004  Server                   Sub-technique of this object
Enterprise  T1583.005  Botnet                   Sub-technique of this object
Enterprise  T1583.006  Web Services             Sub-technique of this object
Enterprise  T1583.007  Serverless               Sub-technique of this object
Enterprise  T1583.008  Malvertising             Sub-technique of this object
Associated objects

Groups, software, and campaigns

Group Enterprise

G0094: Kimsuky

Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]

Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]

DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.

Group Enterprise

G1041: Sea Turtle

Sea Turtle is a Türkiye-linked threat actor active since at least 2017 performing espionage and service provider compromise operations against victims in Asia, Europe, and North America. Sea Turtle is notable for targeting registrars managing ccTLDs and for complex DNS-based intrusions in which the threat actor compromised DNS providers to hijack DNS resolution for ultimate victims, enabling Sea Turtle to spoof login portals and other applications for credential collection.[1][2][3][4]

Group Enterprise

G1003: Ember Bear

Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]

Group Enterprise

G1030: Agrius

Agrius is an Iranian threat actor active since 2020 notable for a series of ransomware and wiper operations in the Middle East, with an emphasis on Israeli targets.[1][2] Public reporting has linked Agrius to Iran's Ministry of Intelligence and Security (MOIS).[3]

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Group Enterprise

G1033: Star Blizzard

Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the snapshot list lets you compare the same object across releases by raw hash and MITRE timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.5
Created: (empty in this snapshot)
Modified: (empty in this snapshot)
Raw hash: a4802bebf1e8dc72...

Imported snapshots across ATT&CK releases (1):

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (not recorded)   1.5             (empty)   Current bundle  a4802bebf1e8…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] TrendmicroHideoutsLease: Max Goncharov. (2015, July 15). Criminal Hideouts for Lease: Bulletproof Hosting Services. Retrieved March 6, 2017.
  2. [2] Free Trial PurpleUrchin: Gamazo, William and Quist, Nathaniel. (2023, January 5). PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources. Retrieved February 28, 2024.
  3. [3] amnesty_nso_pegasus: Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group's Pegasus. Retrieved February 22, 2022.
  4. [4] FBI Proxies Credential Stuffing: FBI. (2022, August 18). Proxies and Configurations Used for Credential Stuffing Attacks on Online Customer Accounts. Retrieved July 6, 2023.
  5. [5] Mandiant APT29 Microsoft 365 2022: Douglas Bienstock. (2022, August 18). You Can't Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023.
  6. [6] Koczwara Beacon Hunting Sep 2021: Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
  7. [7] Mandiant SCANdalous Jul 2020: Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
  8. [8] ThreatConnect Infrastructure Dec 2020: ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
  9. [9] mitre-attack T1583: MITRE ATT&CK source record for this technique.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.