T1587: Develop Capabilities

Data from MITRE ATT&CK®:

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Pre-compromise

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

Response Content (Internet Scan)

Logged network traffic in response to a scan showing both protocol header and body values

Malware Metadata (Malware Repository)

Contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information

Malware Content (Malware Repository)

Code, strings, and other signatures that compromise a malicious payload

Linux HackTool Execution

linux process creation

Program Executions in Suspicious Folders

linux

HackTool - PurpleSharp Execution

windows process creation