Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Techniques

Techniques: 3
ID: VT0023
Name: Compromise Infrastructure
Description: Before compromising a victim, adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure, an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.

  ID: .001 (sub-technique of VT0023)
  Name: DNS Server
  Description: Before compromising a victim, adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including Command and Control (e.g., Application Layer Protocol). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.

  ID: .002 (sub-technique of VT0023)
  Name: Domains
  Description: Before compromising a victim, adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant. An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.

ID: VT0007
Name: Develop Capabilities
Description: Before compromising a victim, adversaries may build in-house capabilities that can be used during targeting. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.

  ID: .001 (sub-technique of VT0007)
  Name: Code Signing Certificates
  Description: Before compromising a victim, adversaries may create a CA-signed or a self-signed code signing certificate to be used during targeting. Code signing is simply a guarantee that the code of a program or software download has not been modified after it was signed by the publisher. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program on first run on Windows and macOS/OS X operating systems.

  ID: .002 (sub-technique of VT0007)
  Name: Digital Certificates
  Description: Before compromising a victim, adversaries may create self-signed or CA-signed SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files that are used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most common types of X.509 certificate, a public-key certificate that uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption.

  ID: .003 (sub-technique of VT0007)
  Name: Malware
  Description: Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

ID: VT0009
Name: Obtain Capabilities
Description: Before compromising a victim, adversaries may buy or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

  ID: .001 (sub-technique of VT0009)
  Name: Code Signing Certificates
  Description: Before compromising a victim, adversaries may buy or steal code signing certificates that can be used during targeting. Code signing is simply a guarantee that the code of a program or software download has not been corrupted or tampered with after it was signed by the publisher. Code signing uses the same public key infrastructure (PKI) used in HTTPS to sign and verify a software program.

  ID: .002 (sub-technique of VT0009)
  Name: Digital Certificates
  Description: Before compromising a victim, adversaries may buy or steal SSL/TLS X.509 certificates that can be used during targeting. SSL/TLS X.509 certificates are digital files that are used for Secure Sockets Layer (SSL) or Transport Layer Security (TLS). An SSL/TLS certificate is one of the most common types of X.509 certificate, a public-key certificate that uses the X.509 standard. X.509 certificates contain a public key and the identity of a hostname, organization, or individual, and function as machine identities for authentication and data encryption.

Attachments

ID: VTA0013
MITRE ID:

Created: 26 November 2020

Last Modified: 26 November 2020