T1588 Obtain Capabilities Mappings

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)



Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
action.hacking.variety.Unknown Unknown related-to T1588 Obtain Capabilities
value_chain.development.variety.Unknown Nothing is known about the need for or type of development investment other than it was present. related-to T1588 Obtain Capabilities
aws_key_management_service AWS Key Management Service technique_scores T1588 Obtain Capabilities
aws_cloudhsm AWS CloudHSM technique_scores T1588 Obtain Capabilities

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1588.003 Code Signing Certificates 4
T1588.004 Digital Certificates 5
T1588.005 Exploits 4
T1588.001 Malware 6
T1588.002 Tool 1
T1588.006 Vulnerabilities 2