Currently viewing ATT&CK v7.2 which was live between July 8, 2020 and October 26, 2020. Learn more about the versioning system or see the live site.
Register to stream the next session of ATT&CKcon Power Hour November 12
TACTICS
PRE-ATT&CK
Enterprise
Mobile
  1. Home
  2. Tactics
  3. PRE-ATT&CK
  4. Build Capabilities

Build Capabilities

Building capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.

ID: TA0024
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques

Techniques: 11
ID Name Description
T1347 Build and configure delivery systems Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments.
T1349 Build or acquire exploits An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise.
T1352 C2 protocol development Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media.
T1354 Compromise 3rd party or closed-source vulnerability/exploit information There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack.
T1345 Create custom payloads A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment.
T1355 Create infected removable media Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware.
T1350 Discover new exploits and monitor exploit-provider forums An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits.
T1348 Identify resources required to build capabilities As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out.
T1346 Obtain/re-use payloads A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available.
T1353 Post compromise tool development After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data.
T1351 Remote access tool development A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT.