T1587 Develop Capabilities
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.1234
As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.
| Item | Value |
|---|---|
| ID | T1587 |
| Sub-techniques | T1587.001, T1587.002, T1587.003, T1587.004 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 01 October 2020 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0094 | Kimsuky | Kimsuky created and used a mailing toolkit to use in spearphishing attacks.6 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0035 | Internet Scan | Response Content |
| DS0004 | Malware Repository | Malware Content |
References
-
Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. ↩
-
Kaspersky Lab’s Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. ↩
-
Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. ↩
-
Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. ↩
-
Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020. ↩
-
Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. ↩