title: Server (T1583.004)
id: df00tech-t1583-004
status: experimental
description: "Adversaries may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party server or renting a Virtual Private Server, adversaries may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused. Real-world examples include GALLIUM operating Taiwan-based exclusive servers, Kimsuky purchasing hosting servers with virtual currency and prepaid cards, Sandworm Team leasing servers through resellers to obscure attribution, Earth Lusca acquiring multiple servers with distinct roles per operation, Mustard Tempest hosting second-stage SocGholish payloads on short-lived acquired servers, and CURIUM creating dedicated servers for C2 and exfiltration. Because the adversary action of acquiring the server occurs entirely outside the target environment, detection must focus on identifying the operational use of adversary-controlled server infrastructure: C2 beaconing patterns, connections to known malicious hosting infrastructure, and suspicious DNS resolution to adversary-controlled domains."
references:
  - https://attack.mitre.org/techniques/T1583/004/
  - https://df00tech.com/detections/T1583.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1583.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Monitoring and telemetry agents (Datadog, Elastic Agent, Splunk Universal Forwarder, Dynatrace OneAgent) making regular check-ins to cloud-hosted collection endpoints at consistent intervals"
  - "Software update mechanisms (Chocolatey, WinGet, vendor update services) polling cloud update servers not covered by the known-good domain exclusion list"
  - Enterprise applications with cloud-hosted license servers or API backends making periodic heartbeat connections
  - "Remote management and monitoring tools (ConnectWise, N-able, TeamViewer, Splashtop) maintaining persistent outbound management connections"
  - "Security tools performing regular threat intelligence feed updates, CRL checks, or OCSP queries to non-standard CA endpoints"
  - "DevOps pipeline agents (GitHub Actions runner, Jenkins agent, GitLab runner) polling orchestration servers at regular intervals"
level: medium