T1584: Compromise Infrastructure
Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, network devices, and third-party web and DNS services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.[1][2][3][4] Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.
Use of compromised infrastructure allows adversaries to stage, launch, and execute operations. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. For example, adversaries may leverage compromised infrastructure (potentially also in conjunction with Digital Certificates) to further blend in and support staged information gathering and/or Phishing campaigns.[5] Adversaries may also compromise numerous machines to support Proxy and/or proxyware services or to form a botnet.[6][7] Additionally, adversaries may compromise infrastructure residing in close proximity to a target in order to gain Initial Access via Wi-Fi Networks.[8]
By using compromised infrastructure, adversaries may enable follow-on malicious operations. Prior to targeting, adversaries may also compromise the infrastructure of other adversaries.[9]
Analyst context for executives and security teams
Compromise Infrastructure matters because adversaries can prepare operations using other people’s trusted assets: domains, DNS servers, VPSs, servers, web services, serverless platforms, network devices, or botnets. For leaders, the practical risk is not just “bad infrastructure,” but malicious activity that may appear to come from reputable or nearby sources, making phishing, proxying, command-and-control, or initial access harder to distinguish from normal business traffic.
Executive priority
Prioritize this as a pre-compromise and resilience issue. Ask whether the organization can protect its own domains, DNS, cloud/serverless assets, web services, and network devices from being repurposed, and whether the SOC can recognize suspicious use of trusted infrastructure before an incident escalates. For critical infrastructure or sites with important Wi-Fi exposure, the APT28 Nearest Neighbor Campaign relationship reinforces the need to treat nearby networks and physical proximity as part of cyber risk planning. Audit and compliance evidence should show proactive attack-surface reduction, ownership controls, monitoring, and incident response paths for abused infrastructure.
Technical view
ATT&CK lists this as a Resource Development technique on PRE infrastructure, with no official detection text provided. Detection work should therefore be validation-driven: confirm visibility into domain/DNS changes, external-facing infrastructure, cloud and serverless access, web-service account activity, network-device exposure, and outbound traffic to infrastructure that appears reputable but behaves unusually. Relationship context points to sub-techniques covering domains, DNS servers, VPSs, servers, botnets, web services, serverless infrastructure, and network devices; coverage should be assessed across each class rather than assuming one network indicator strategy is enough.
Likely telemetry
- Domain registration, registrar account, and DNS record change history for owned domains and delegated zones
- Authoritative DNS, recursive DNS, and passive DNS data where available
- External attack surface inventory and scan results for owned servers, VPSs, cloud, serverless, and network devices
- Cloud, serverless, and web-service authentication and configuration logs
- Network egress logs, proxy logs, firewall logs, and DNS query logs showing communication with unusual or newly observed infrastructure
Detection direction
- Do not rely only on reputation allowlists; the technique explicitly highlights use of high-reputation or trusted sites to blend in.
- Map detections to the related sub-technique classes: domains, DNS servers, VPSs, servers, botnets, web services, serverless, and network devices.
- Validate change-monitoring for DNS records and domain ownership, especially unexpected registrar, nameserver, or record modifications.
- Tune for behavioral anomalies: new infrastructure relationships, unusual DNS changes, unexpected proxy patterns, abnormal cloud/serverless invocations, or outbound traffic inconsistent with business use.
- Account for false positives from legitimate cloud, CDN, web-service, and serverless use; detections should combine context such as asset ownership, timing, account activity, and observed traffic patterns.
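The change-monitoring item above (unexpected registrar, nameserver, or record modifications on owned domains) is the one telemetry source a defender fully controls, so it is worth showing concretely. The following Python is an added example written for this page; it is not MITRE's or Glexia's code. It assumes the defender periodically exports the registrar of record, the delegated nameservers, and the zone's records for each owned domain into the simple dictionary shape shown (the shape, the zone names, and every value are constructed for illustration), keeps an approved baseline, and records change tickets as (zone, record type, name) tuples. Delegation and registrar drift is ranked critical because it hands the whole zone to whoever controls the new nameservers; MX, TXT, CNAME and CAA drift is ranked high because it enables mail interception, certificate issuance or redirection under the trusted name; ordinary host records are medium.

```python
"""Audit owned DNS zones for unapproved registrar, delegation and record drift.

Added example for T1584 change-monitoring guidance; data shape and values are
constructed, not taken from any real zone or from the ATT&CK object.
"""
from dataclasses import dataclass

# Constructed baseline: the approved state of each owned zone.
BASELINE = {
    "example.test": {
        "registrar": "Registrar-A",
        "nameservers": {"ns1.example.test", "ns2.example.test"},
        "records": {
            ("A", "www"): {"192.0.2.10"},
            ("MX", "@"): {"10 mail.example.test."},
            ("TXT", "@"): {"v=spf1 mx -all"},
        },
    },
    "legacy.example": {
        "registrar": "Registrar-B",
        "nameservers": {"ns1.legacy.example"},
        "records": {("A", "@"): {"198.51.100.7"}},
    },
}

# Constructed later snapshot. example.test has a swapped nameserver, an extra MX
# and an approved new host; legacy.example is gone; shadow.example is untracked.
SNAPSHOT = {
    "example.test": {
        "registrar": "Registrar-A",
        "nameservers": {"ns1.example.test", "ns-evil.invalid"},
        "records": {
            ("A", "www"): {"192.0.2.10"},
            ("A", "login"): {"203.0.113.5"},
            ("MX", "@"): {"10 mail.example.test.", "5 relay.invalid."},
            ("TXT", "@"): {"v=spf1 mx -all"},
        },
    },
    "shadow.example": {
        "registrar": "Registrar-C",
        "nameservers": {"ns1.shadow.example"},
        "records": {},
    },
}

# Constructed change-control approvals: (zone, record type, name).
APPROVED_CHANGES = {("example.test", "A", "login")}

# Record types whose silent change enables mail interception, certificate
# issuance or traffic redirection under the trusted name.
SENSITIVE_TYPES = {"NS", "MX", "TXT", "CNAME", "CAA"}


@dataclass(frozen=True)
class Finding:
    zone: str
    severity: str  # critical / high / medium
    what: str      # "registrar", "nameservers", "zone", or "<type> <name>"
    detail: str


def diff_zone(zone, base, now, approved):
    """Compare one zone's snapshot against its baseline, skipping approved changes."""
    findings = []
    if base["registrar"] != now["registrar"]:
        findings.append(Finding(zone, "critical", "registrar",
                                f"{base['registrar']} -> {now['registrar']}"))
    added_ns = now["nameservers"] - base["nameservers"]
    removed_ns = base["nameservers"] - now["nameservers"]
    if added_ns or removed_ns:
        findings.append(Finding(zone, "critical", "nameservers",
                                f"added={sorted(added_ns)} removed={sorted(removed_ns)}"))
    for rtype, name in sorted(set(base["records"]) | set(now["records"])):
        before = base["records"].get((rtype, name), set())
        after = now["records"].get((rtype, name), set())
        if before == after or (zone, rtype, name) in approved:
            continue
        severity = "high" if rtype in SENSITIVE_TYPES else "medium"
        findings.append(Finding(zone, severity, f"{rtype} {name}",
                                f"added={sorted(after - before)} removed={sorted(before - after)}"))
    return findings


def audit(baseline, snapshot, approved):
    """Audit every zone seen in either the baseline or the snapshot."""
    findings = []
    for zone in sorted(set(baseline) | set(snapshot)):
        if zone not in snapshot:
            findings.append(Finding(zone, "critical", "zone",
                                    "zone absent from snapshot: possible delegation or account loss"))
        elif zone not in baseline:
            findings.append(Finding(zone, "medium", "zone",
                                    "zone present but not in baseline: untracked asset"))
        else:
            findings.extend(diff_zone(zone, baseline[zone], snapshot[zone], approved))
    return findings


if __name__ == "__main__":
    order = {"critical": 0, "high": 1, "medium": 2}
    for f in sorted(audit(BASELINE, SNAPSHOT, APPROVED_CHANGES), key=lambda f: order[f.severity]):
        print(f"[{f.severity:8}] {f.zone:16} {f.what:12} {f.detail}")
```

Run as a script, it reports the swapped nameserver and the added MX for example.test, the missing legacy.example zone and the untracked shadow.example zone, and stays silent on the approved login host. In practice the baseline would be regenerated from the last approved change rather than edited by hand, and the snapshot would be collected from both the registrar API and an external resolver, because an attacker who controls the registrar account can make the registrar's own view look consistent.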
Mitigation priorities
- Apply the related M1056 Pre-compromise mitigation approach: reduce exposed attack surface and make adversarial preparation harder before targeting begins.
- Protect owned domains and DNS with strong account controls, change approval, monitoring, and recovery procedures.
- Maintain accurate inventories of internet-facing servers, VPSs, cloud, serverless services, web-service accounts, and network devices.
- Harden and monitor network devices and external services that could be abused as infrastructure even when they are not the attacker’s final target.
- Prepare IR playbooks for domain/DNS hijacking, compromised cloud or web-service accounts, suspicious serverless use, and infrastructure abuse reports.
Analyst notes and limits
This technique is most useful for defensive planning when translated into coverage questions: which infrastructure do we own, which third-party services can act on our behalf, what changes can we prove, and what trusted destinations could hide adversary activity? The campaign relationships show use in critical infrastructure intrusion context and a proximity/Wi-Fi campaign, but they should not be generalized into claims of current targeting without local intelligence.
Official ATT&CK detection text is not provided for T1584. The object describes adversary preparation against third-party infrastructure, so many decisive signals may exist outside the defender’s direct telemetry. Local asset ownership, DNS architecture, cloud usage, web-service dependencies, wireless exposure, and threat-intelligence sources are required to determine actual coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1584.001 | Domains | Domains sub-technique of this object. |
| Enterprise | T1584.002 | DNS Server | DNS Server sub-technique of this object. |
| Enterprise | T1584.003 | Virtual Private Server | Virtual Private Server sub-technique of this object. |
| Enterprise | T1584.004 | Server | Server sub-technique of this object. |
| Enterprise | T1584.005 | Botnet | Botnet sub-technique of this object. |
| Enterprise | T1584.006 | Web Services | Web Services sub-technique of this object. |
| Enterprise | T1584.007 | Serverless | Serverless sub-technique of this object. |
| Enterprise | T1584.008 | Network Devices | Network Devices sub-technique of this object. |
Groups, software, and campaigns
C0043: Indian Critical Infrastructure Intrusions
Indian Critical Infrastructure Intrusions is a sequence of intrusions from 2021 through early 2022 linked to People’s Republic of China (PRC) threat actors, particularly RedEcho and Threat Activity Group 38 (TAG38). The intrusions appear focused on IT system breach in Indian electric utility entities and logistics firms, as well as potentially managed service providers operating within India. Although focused on OT-operating entities, there is no evidence this campaign was able to progress beyond IT breach and information gathering to OT environment access.[1][2]
C0051: APT28 Nearest Neighbor Campaign
APT28 Nearest Neighbor Campaign was conducted by APT28 from early February 2022 to November 2024 against organizations and individuals with expertise on Ukraine. APT28 primarily leveraged living-off-the-land techniques, while leveraging the zero-day exploitation of CVE-2022-38028. Notably, APT28 leveraged Wi-Fi networks in close proximity to the intended target to gain initial access to the victim environment. By daisy-chaining multiple compromised organizations nearby the intended target, APT28 discovered dual-homed systems (with both a wired and wireless network connection) to enable Wi-Fi and use compromised credentials to connect to the victim network.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.6 | | Current bundle | dfe5522238d1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT1. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- [2] ICANNDomainNameHijacking. ICANN Security and Stability Advisory Committee. (2005, July 12). Domain Name Hijacking: Incidents, Threats, Risks and Remediation. Retrieved November 17, 2024.
- [3] Talos DNSpionage Nov 2018. Mercer, W., Rascagneres, P. (2018, November 27). DNSpionage Campaign Targets Middle East. Retrieved October 9, 2020.
- [4] FireEye EPS Awakens Part 2. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- [5] FireEye DNS Hijack 2019. Hirani, M., Jones, S., Read, B. (2019, January 10). Global DNS Hijacking Campaign: DNS Record Manipulation at Scale. Retrieved October 9, 2020.
- [6] amnesty_nso_pegasus. Amnesty International Security Lab. (2021, July 18). Forensic Methodology Report: How to catch NSO Group’s Pegasus. Retrieved February 22, 2022.
- [7] Sysdig Proxyjacking. Crystal Morin. (2023, April 4). Proxyjacking has Entered the Chat. Retrieved July 6, 2023.
- [8] Nearest Neighbor Volexity. Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.
- [9] NSA NCSC Turla OilRig. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
- [10] Koczwara Beacon Hunting Sep 2021. Koczwara, M. (2021, September 7). Hunting Cobalt Strike C2 with Shodan. Retrieved October 12, 2021.
- [11] Mandiant SCANdalous Jul 2020. Stephens, A. (2020, July 13). SCANdalous! (External Detection Using Network Scan Data and Automation). Retrieved November 17, 2024.
- [12] ThreatConnect Infrastructure Dec 2020. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.
- [13] mitre-attack. T1584.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.