Threat actors may buy, lease, rent, or obtain physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, Threat actors may utilize servers for various tasks, such as watering hole operations in Drive-by Compromise, enabling Phishing operations, or facilitating Command and Control. Instead of compromising a third-party Server or renting a Virtual Private Server, Threat actors may opt to configure and run their own servers in support of operations. Free trial periods of cloud servers may also be abused.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.