Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.
In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)
In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Unknown | Unknown | related-to | T1588 | Obtain Capabilities | |
| value_chain.development.variety.Unknown | Nothing is known about the need for or type of development investment other than it was present. | related-to | T1588 | Obtain Capabilities |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| cloud_hsm | Cloud Hardware Security Module (HSM) | technique_scores | T1588 | Obtain Capabilities |
Comments
Google Cloud's HSM may protect against adversary's attempts to obtain capabilities by compromising code signing certificates that will be used to run compromised code and other tampered executables. Variations of this technique are difficult to mitigate, so a partial score was granted for this control's medium to high coverage factor.
References
|
| cloud_key_management | Cloud Key Management | technique_scores | T1588 | Obtain Capabilities |
Comments
This control manages symmetric and asymmetric cryptographic keys for cloud services and protects against stealing credentials, certificates, keys from the organization.
References
|
| google_secops | Google Security Operations | technique_scores | T1588 | Obtain Capabilities |
Comments
Google Security Ops is able to trigger alerts based off suspicious system processes, such as binaries in use on Windows machines. For example: PsExec is a free Microsoft tool that can be used to escalate privileges from administrator to SYSTEM with the -s argument, download files over a network share, and remotely create accounts.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/windows/suspicious_psexec_execution.yaral
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| aws_cloudhsm | AWS CloudHSM | technique_scores | T1588 | Obtain Capabilities |
Comments
This service provides protection against sub-techniques involved with stealing credentials, certificates, keys from the organization.
References
|
| aws_key_management_service | AWS Key Management Service | technique_scores | T1588 | Obtain Capabilities |
Comments
Provides protection against sub-techniques involved with stealing credentials, certificates, and keys from the organization. As documented, access can be provisioned and monitored.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1588.007 | Artificial Intelligence | 2 |
| T1588.004 | Digital Certificates | 7 |
| T1588.006 | Vulnerabilities | 2 |
| T1588.001 | Malware | 6 |
| T1588.002 | Tool | 2 |
| T1588.003 | Code Signing Certificates | 7 |
| T1588.005 | Exploits | 4 |