Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Resources can be split into distinguishable categories.

  1. Infrastructure: Physical or virtualized servers that are stood up to enable an attacker to perform activities. This can include infrastructure hosted on cloud service providers, previously compromised infrastructure leveraged for further attacks, and specifically created or leased infrastructure.

  2. Web Services: Services that are offered via third parties. Often these services include cloud storage hosting, remote access subscriptions, and social media platforms.

  3. Capabilities: Resources that are used during an attack such as tools, malware, digital certificates, exploits, etc. These capabilities can be obtained from existing sources or developed for more targeted approaches. Staging of resources is also an important consideration for the deployment of malware and other resources that are required to be transferred to targeted hosts.


Threat Hunting

Resource Development techniques are difficult to track and defend against efficiently, because most of the activity takes place outside the defender's environment. However, threat hunting tasks such as monitoring new domain registrations and scanning for threat-related infrastructure (for example, Cobalt Strike servers) through tools like Shodan can provide early warning of potential attack vectors.
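The new-domain-registration hunt mentioned above, sketched as an added example (not part of the original page): it flags recent registrations whose leftmost label resembles a protected brand. The brand names, owned-domain list, feed format and sample entries are hypothetical and constructed.

```python
from datetime import date

# Assumptions (hypothetical): brand labels, owned domains, and a feed of
# (registrable_domain, registration_date) pairs from a new-registration source.
PROTECTED = ["examplebank", "examplepay"]
OWNED = {"examplebank.com", "examplepay.com"}
# Fold common look-alike characters and drop hyphens before comparing.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return (brand, reason) when the leftmost label resembles a brand, else None."""
    label = domain.lower().rstrip(".").split(".")[0]
    folded = label.translate(FOLD)
    for brand in PROTECTED:
        if folded == brand and label != brand:
            return brand, "homoglyph"
        if brand in folded:
            return brand, "embeds-brand"
        if edit_distance(folded, brand) <= 2:
            return brand, "typo"
    return None

def hunt(feed, today, max_age_days=7):
    """List (domain, brand, reason) for recent, non-owned lookalike registrations."""
    hits = []
    for domain, registered in feed:
        recent = (today - registered).days <= max_age_days
        match = classify(domain) if recent and domain.lower() not in OWNED else None
        if match:
            hits.append((domain, *match))
    return hits

# Constructed sample feed, not real registration data.
FEED = [
    ("examp1ebank.com", date(2024, 5, 1)), ("examplebank-login.net", date(2024, 5, 2)),
    ("exampelbank.org", date(2024, 5, 3)), ("gardening-tips.com", date(2024, 5, 2)),
    ("examplebank.com", date(2010, 1, 1)), ("examplepay-support.com", date(2024, 3, 1)),
]
if __name__ == "__main__":
    print(hunt(FEED, date(2024, 5, 5)))
```

Hits from a check like this are leads for analyst review, not verdicts; the distance threshold and age window need tuning against the organization's own brand names.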

Techniques

T1608 - Stage Capabilities
