MITRE ATT&CK / T1583.004
T1583.004
Server
Description
Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), enabling [Phishing](https://attack.mitre.org/techniques/T1566) operations, or facilitating [Command and Control](https://attack.mitre.org/tactics/TA0011). Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.(Citation: Free Trial PurpleUrchin)(Citation: Freejacked)Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)
Platforms
Mitigations
- M1056 — Pre-compromise
Use our free MITRE ATT&CK lookup tool, or browse the full ATT&CK matrix.
Our coverage
- Screening Serpens: Iranian APT Fuses AppDomainManager Hijacking with New RATs in 2026 Espionage Campaign
- CVE-2026-9082: Critical Drupal SQL Injection Under Attack on Thousands of Sites
- Kali365 PhaaS Kit Bypasses Microsoft 365 MFA via Device Code Phishing — FBI Warning
- Megalodon: Supply Chain Attack Backdoors 5,561 GitHub Repos in Six Hours via CI/CD Workflow Injection
- Stack String Obfuscation in C: The Technique That Blinds AV, YARA, and Static Scanners
Source: MITRE ATT&CK Enterprise matrix. View on attack.mitre.org →