title: "Compromise Infrastructure: Server (T1584.004)"
id: df00tech-t1584-004
status: experimental
description: "Adversaries may compromise third-party servers to stage, launch, and execute operations. Rather than purchasing dedicated infrastructure, threat actors hijack legitimate servers — including web servers, mail servers, and application servers — to host malware, serve as command-and-control nodes, support phishing campaigns, or enable watering hole attacks. Because the compromised servers are legitimately owned by third parties, traffic to and from them may blend in with normal business activity. Real-world examples include Lazarus Group staging malware on compromised servers, Volt Typhoon using compromised PRTG monitoring servers for C2, Sandworm compromising EXIM mail servers for campaign infrastructure, and Dragonfly leveraging legitimate websites to host C2 and malware modules."
references:
  - https://attack.mitre.org/techniques/T1584/004/
  - https://df00tech.com/detections/T1584.004
author: df00tech
date: 2026/03/13
tags:
  - attack.t1584.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: network_connection
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software update services or CDN endpoints that have been flagged as TI hits due to shared IP space with previously malicious infrastructure
  - Monitoring and telemetry agents (Datadog, Dynatrace, Splunk UF, PRTG) that beacon home at regular intervals, triggering the beaconing pattern branch
  - Business applications with regular API polling (CRM sync, ERP integrations, health check daemons) creating periodic connection patterns that resemble C2 beaconing
  - Cloud provider metadata endpoints or service discovery mechanisms that appear as repeated connections to the same external IP
  - False TI hits from third-party threat feeds with low-quality indicators — particularly providers that add entire cloud provider IP ranges or CDN prefixes
level: high
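The falsepositives above refer to a "beaconing pattern branch" whose query is not reproduced in this rule. As an added illustration (not the df00tech rule's own KQL/SPL logic), the following Python scores near-constant inter-connection intervals per host/destination over constructed network_connection events and suppresses the monitoring agents the falsepositives list names; the agent image names in the allowlist are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample network_connection events, not from any real data source:
# (timestamp_seconds, source_host, process_image, destination_ip)
EVENTS = [
    # workstation reaching one external host every ~300s with little jitter
    *[(t, "WS01", "svchost.exe", "203.0.113.10") for t in (0, 301, 599, 902, 1199, 1501)],
    # PRTG probe polling its server on a fixed schedule (a known periodic poller)
    *[(t, "WS02", "PRTG Probe.exe", "198.51.100.7") for t in (0, 60, 120, 180, 240, 300)],
    # ordinary browsing: irregular gaps between connections
    *[(t, "WS03", "chrome.exe", "192.0.2.44") for t in (0, 13, 400, 409, 1200, 1205)],
]

# Assumed image names of telemetry/monitoring agents listed under falsepositives.
MONITORING_AGENTS = {"prtg probe.exe", "datadog-agent.exe", "splunkd.exe", "oneagent.exe"}


def beaconing_candidates(events, min_connections=5, max_cv=0.15, allowlist=MONITORING_AGENTS):
    """Return (host, dest_ip, mean_gap_s, cv) for host/destination pairs whose
    inter-connection gaps are near-constant (cv = stdev / mean of the gaps).
    A low cv over enough connections is the periodic pattern the rule's
    beaconing branch looks for; allowlisted agent images are suppressed."""
    by_pair = defaultdict(list)
    for ts, host, image, dst in events:
        by_pair[(host, image, dst)].append(ts)
    hits = []
    for (host, image, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few connections to judge periodicity
        if image.lower() in allowlist:
            continue  # known periodic poller: suppress rather than alert
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits.append((host, dst, round(avg), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for host, dst, gap, cv in beaconing_candidates(EVENTS):
        print(f"{host} -> {dst}: mean gap {gap}s, cv {cv}")
```

Tune `max_cv` and `min_connections` against your own baseline; business API pollers from the falsepositives list will score like beacons and need the same allowlist treatment.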
