Overview of MITRE ATT&CK Tactic: TA0042 – Resource Development
Introduction
Resource Development is one of the crucial stages in the attack lifecycle where adversaries prepare the resources needed to carry out their attacks. During this stage, attackers create, acquire, purchase, or steal infrastructure, tools, accounts, and other capabilities that are required in the later stages of an attack.
The Resource Development tactic in MITRE ATT&CK helps us understand how adversaries gather and build these resources before launching or continuing malicious activities. The resources gathered during this phase support attackers in activities such as phishing, command-and-control communication, defense evasion, data exfiltration, and many other malicious operations.
Let us now walk through the techniques and sub-techniques to better understand how this tactic is used.
Techniques and Sub-techniques
T1650 - Acquire Access
Adversaries may acquire or purchase access from Initial Access Brokers, who sell previously compromised systems. This helps attackers save the time and resources needed to break in on their own. Brokered access usually takes the form of an existing foothold, such as a backdoor (for example, a web shell), remote access software, or planted software that can deploy additional malware.
T1583 - Acquire Infrastructure
Adversaries buy, obtain, or use the infrastructure needed to generate and manage their attacks. This infrastructure can include cloud servers, physical servers, domains, botnets, and third-party web services. Using such infrastructure helps hide the attacker’s identity and allows for quick setup, modification, or shutdown of their operations.
T1583.001 - Domains
In this sub-technique, attackers acquire or purchase domain names to support their malicious activities. They often choose domains that appear legitimate, making minimal changes such as using homoglyphs or different top-level domains to trick victims. They may also use unique URLs or single-use domain names to make detection more difficult. Additionally, attackers may repurpose expired domains from reputable organizations to bypass security defenses.
T1583.002 - DNS
Here, adversaries set up their own DNS servers to generate and manipulate DNS traffic while performing malicious activities. By running their own DNS infrastructure, they can customize DNS responses, manage DNS-based command-and-control channels, and make their operations harder to detect.
T1583.003 - Virtual Private Server
Adversaries rent Virtual Private Servers (VPSs) from cloud providers, in the form of virtual machines or containers. Using VPS infrastructure allows attackers to hide their identity and enables quick setup, modification, or shutdown of their systems. During later stages of an attack, such as Command and Control, VPS usage helps adversaries blend in with legitimate traffic from trusted cloud service providers, making their malicious activity harder to detect.
T1583.004 - Server
Adversaries may buy or rent physical servers to support their malicious activities. These servers can be used to stage, launch, and execute attacks, such as hosting phishing campaigns or facilitating command-and-control operations.
T1583.005 - Botnet
Adversaries may buy or rent botnets, which are networks of compromised systems. Using these botnets, attackers can carry out large-scale activities such as high-volume phishing campaigns, Distributed Denial of Service (DDoS) attacks, and other coordinated malicious operations.
T1583.006 - Web Services
Adversaries may sign up for legitimate online web services and later abuse them for malicious activities such as data exfiltration, phishing, or command-and-control operations.
T1583.007 - Serverless
Here, attackers rent or purchase serverless cloud infrastructure such as Google Apps Script, Cloudflare Workers, or AWS Lambda. They use this infrastructure to communicate with compromised systems or to proxy traffic to attacker-controlled servers, making their activity harder to detect.
T1583.008 - Malvertising
Malvertising means abusing online advertising platforms to spread malicious content. By purchasing or placing ads that look legitimate, adversaries trick users into visiting attacker-controlled websites or unknowingly downloading malware. These ads can appear in search results or on popular websites, making them difficult for users to distinguish from legitimate ads.
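The domain tricks described under T1583.001 (homoglyphs, swapped top-level domains, look-alike names) are something a defender can hunt for in newly registered domains or certificate transparency feeds. The following is an added illustration, not code from the original article or from F5: a small lookalike-domain classifier that folds punycode and confusable characters before comparing against a constructed list of protected brand domains. It assumes single-label TLDs (no public suffix list), and the brand list and confusable table are assumptions.

```python
import unicodedata

# Constructed brand list the organisation wants to protect (assumption).
PROTECTED = ["example.com", "examplebank.com"]

# ASCII look-alike substitutions applied after Unicode folding. Multi-character
# sequences come first so "rn" collapses to "m" before single characters are touched.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                     ("3", "e"), ("5", "s"), ("8", "b")]

def normalize_label(label: str) -> str:
    """Fold one DNS label to a canonical ASCII form for comparison."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")  # punycode -> Unicode
    # NFKD decomposition, then drop combining marks: "ä" -> "a", "é" -> "e".
    decomposed = unicodedata.normalize("NFKD", label.lower())
    label = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for seq, repl in ASCII_CONFUSABLES:
        label = label.replace(seq, repl)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    """Return (second-level label, TLD). Assumes single-label TLDs; names such as
    example.co.uk would need a public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2], labels[-1]

def classify(candidate: str):
    """Return (protected domain, reason) when candidate looks like a lookalike,
    or None when it is a protected domain itself or unrelated."""
    raw_sld, tld = split_domain(candidate)
    if (raw_sld, tld) in [split_domain(p) for p in PROTECTED]:
        return None
    norm_sld = normalize_label(raw_sld)
    for prot in PROTECTED:
        p_sld, _p_tld = split_domain(prot)
        if norm_sld == p_sld:  # same spelling once look-alike characters are folded
            return prot, "tld-swap" if raw_sld == p_sld else "homoglyph"
        if levenshtein(norm_sld, p_sld) <= 1:
            return prot, "typosquat"
        if p_sld in norm_sld.replace("-", ""):  # brand embedded in a longer label
            return prot, "combosquat"
    return None
```

Running `classify` over a feed of newly observed domains gives a triage list; the reason string tells an analyst which trick was used.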
T1586 - Compromise Accounts
Adversaries compromise existing user accounts instead of creating new ones and use the associated personas to carry out malicious activities. Accounts can be compromised through methods such as credential theft via phishing, brute-force attacks, or purchasing credentials from third-party sources. Compromised accounts often retain trust because they appear legitimate, making them useful for social engineering and other operations.
T1586.001 - Social Media Accounts
Adversaries compromise social media accounts and use the compromised profiles to create or hijack connections to targets. These accounts can then be leveraged to conduct spearphishing attacks.
T1586.002 - Email Accounts
Adversaries compromise email accounts and use them to conduct phishing and spam campaigns, acquire infrastructure, hijack existing email threads, and engage targets. They often target well-known email accounts, as compromising these can increase the impact of their operations.
T1586.003 - Cloud Accounts
Adversaries compromise cloud accounts to carry out operations such as exfiltrating data, uploading tools, acquiring infrastructure, and using cloud-based messaging services to send spam or phishing messages.
T1584 - Compromise Infrastructure
Instead of buying or renting infrastructure, adversaries compromise third-party infrastructure such as servers, domains, cloud resources, network devices, or web services and use it to support their malicious activities. Using compromised infrastructure helps adversaries hide their identity, generate and blend malicious traffic with legitimate, trusted traffic, making detection more difficult.
T1584.001 - Domains
Adversaries perform domain and subdomain hijacking of domains that belong to legitimate organizations. Domain hijacking involves changing a domain’s registration or settings without the owner’s permission. This can be achieved by compromising the domain owner’s credentials, exploiting gaps in the domain renewal process, or compromising cloud services used to manage domains.
T1584.002 - DNS Server
Adversaries compromise third-party DNS infrastructure to redirect user traffic to attacker-controlled servers. They may also use valid digital certificates to make malicious sites appear legitimate, and leverage DNS traffic for command-and-control operations.
T1584.003 - Virtual Private Server
Adversaries may compromise Virtual Private Servers (VPSs) owned by third parties and use them to support their malicious activities, such as hosting malware or command-and-control infrastructure.
T1584.004 - Server
Here, attackers compromise third-party servers or web servers and use them in their attack process.
T1584.005 - Botnet
In this sub-technique, adversaries compromise multiple systems owned by third parties to form a botnet and conduct harmful activities. Adversaries may also take control of existing botnets to leverage them for their operations.
T1584.006 - Web Services
Adversaries may take over third-party web service accounts such as GitHub, Google, Twitter, or Dropbox and use them for malicious activities.
T1584.007 - Serverless
Adversaries may compromise serverless infrastructure, such as Cloudflare Workers, Google Apps Script, and AWS Lambda functions, and use these environments to respond to infected machines or proxy traffic to attacker-controlled servers.
T1584.008 - Network Devices
Attackers compromise third-party network devices such as home or small office routers and use them to support malicious activities. These devices may be used to host malicious files or links, inject content into network traffic, steal stored credentials, or act as proxies to support further attacks.
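Both T1583.002 and T1584.002 mention DNS traffic being used as a command-and-control channel. On the defender's side, such channels tend to show up in resolver logs as a single registered domain receiving many never-repeated subdomains whose labels look like encoded data. The following added example (not from the article or from F5) scores a constructed resolver log sample on exactly those two signals, subdomain churn and label entropy, and reports the domains that cross the thresholds. The log format, the thresholds and the single-label-TLD assumption are all assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log sample (assumed format: "<epoch> <client> <qname> <qtype>").
# The example.org lines imitate the random-subdomain churn of a DNS-based C2 channel.
SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000002 10.0.0.9 cdn.example.com A
1700000003 10.0.0.7 a1f0c9e3b2d47e81.t.example.org TXT
1700000004 10.0.0.7 3c4d5e6f7a8b9c0d.t.example.org TXT
1700000005 10.0.0.7 9e8d7c6b5a4f3e2d.t.example.org TXT
1700000006 10.0.0.7 0f1e2d3c4b5a6978.t.example.org TXT
1700000007 10.0.0.7 5a6b7c8d9e0f1a2b.t.example.org TXT
1700000008 10.0.0.7 c0ffee1234567890.t.example.org TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data scores high, hostnames score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels; assumption: single-label TLDs (no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def dns_c2_candidates(log_text: str, min_subdomains: int = 5, min_entropy: float = 3.0):
    """Group queries per registered domain and flag domains whose subdomain churn
    and label randomness look like encoded C2 data rather than real hostnames."""
    subdomains = defaultdict(set)
    txt_or_null = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, qtype = line.split()
        dom = registered_domain(qname)
        sub = qname.lower()[: -len(dom) - 1]  # everything left of the registered domain
        subdomains[dom].add(sub)
        if qtype.upper() in ("TXT", "NULL"):  # record types that carry bulk data well
            txt_or_null[dom] += 1
    findings = {}
    for dom, subs in subdomains.items():
        leftmost = [s.split(".")[0] for s in subs if s]
        mean_entropy = sum(map(shannon_entropy, leftmost)) / max(len(leftmost), 1)
        if len(subs) >= min_subdomains and mean_entropy >= min_entropy:
            findings[dom] = {"unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2),
                             "txt_or_null": txt_or_null[dom]}
    return findings
```

In production the thresholds need tuning per environment, since CDNs and some telemetry services also generate high-churn subdomains, so the TXT/NULL count is worth keeping as a second opinion.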
T1587 - Develop Capabilities
Adversaries build and develop tools, malware, or other capabilities needed for various phases of the adversary’s lifecycle. These capabilities can be developed in-house or contracted out according to the adversary’s requirements.
T1587.001 - Malware
Adversaries develop their own malware and malware components to support their operations. These components may include malicious payloads, droppers, backdoors, C2 protocols, packers, and infected removable media, which help maintain control over compromised systems, evade defenses, and perform post-compromise activities.
T1587.002 - Code Signing Certificates
Adversaries may create self-signed code signing certificates that can be used to sign malicious scripts, software, or programs. Code signing provides a level of authenticity, and even though the certificates are self-created, users and security tools may trust the signed code more than unsigned code, making it easier for the adversary to execute their operations.
T1587.003 - Digital Certificates
Attackers can create their own SSL/TLS certificates to use in attacks. These certificates can help them encrypt traffic, hide their activities, or even perform man-in-the-middle attacks. Although not officially trusted, they can be installed on servers or systems the attacker controls to carry out malicious actions.
T1587.004 - Exploits
Attackers develop their own exploits by studying vulnerabilities, analyzing patches, and using methods like fuzzing. These exploits abuse flaws in systems or applications to trigger unexpected behavior, allowing attackers to gain access or perform malicious actions during different stages of an attack.
T1585 - Establish Accounts
Attackers create accounts and build them up over time so that they appear legitimate to the outside world. They develop personas by adding details such as names, profile pictures, education, and work history on social media websites or other public platforms. These accounts may also include email addresses used for phishing campaigns or to abuse free services, such as trial versions, for malicious purposes.
T1585.001 - Social Media Accounts
Adversaries create social media accounts to build a persona that appears legitimate. These personas, which can be fictitious or impersonate real people, may exist on single or multiple platforms and include profile details, connections, and photos. Once established, the accounts can be leveraged for social engineering, phishing, or other operations targeting specific users.
T1585.002 - Email Accounts
Adversaries create email accounts to build personas and support their operations. These accounts may be used for activities such as phishing or information theft and to abuse free or trial-based services. Adversaries may also use disposable email services to make their activities harder to trace back to them.
T1585.003 - Cloud Accounts
Adversaries may create cloud accounts and use cloud services, such as Dropbox, AWS S3, or OneDrive, to exfiltrate data to cloud storage. They can also leverage these accounts to acquire cloud infrastructure, such as virtual private servers (VPS), to support their operations.
T1588 - Obtain Capabilities
In this technique, adversaries acquire capabilities instead of developing them themselves, such as by purchasing, stealing, or freely obtaining them. These capabilities may be sourced from third-party vendors or other external sources and can be used across different phases of the adversary’s lifecycle.
T1588.001 - Malware
Adversaries may purchase or steal malware from third parties that specialize in malware development, or download freely available malware from the internet, for use in their operations.
T1588.002 - Tool
Adversaries may purchase, steal, or download tools to support their malicious activities. These tools can be freely available or commercial software. In some cases, adversaries may legitimately purchase licenses for tools such as Cobalt Strike or steal the licenses from third-party entities to use in their operations.
T1588.003 - Code Signing Certificates
Adversaries may purchase or steal code signing certificates to sign malicious software and scripts. Attackers may obtain these certificates through front organizations, stolen identity information, or by directly stealing code signing materials from compromised third parties, helping their malicious code evade detection.
T1588.004 - Digital Certificates
Adversaries buy or steal SSL/TLS certificates to encrypt their C2 channel or enable man-in-the-middle attacks. Certificates may be obtained through front organizations, stolen identity information, compromised third parties (including certificate authorities), or by registering or hijacking domains for which certificates can be issued.
T1588.005 - Exploits
Adversaries may purchase exploit kits from third-party entities that are experts in exploit development or download publicly available exploits from the internet. Adversaries often monitor exploit provider forums and underground communities to track existing and newly discovered exploits. There is typically a time gap between the discovery of an exploit and its public disclosure, which adversaries attempt to take advantage of. During this window, attackers may target organizations or individuals involved in exploit research to gain early access to exploit information, allowing them to abuse vulnerabilities before patches or public awareness become available.
T1588.006 - Vulnerabilities
Adversaries may gather information about vulnerabilities by exploring publicly available sources and databases or by gaining access to restricted databases. They may also monitor organizations that conduct vulnerability discovery scans to obtain information before it is publicly disclosed.
T1588.007 - Artificial Intelligence
Attackers use AI to generate tools to support their activities. They can use AI to write phishing content, create or improve malicious code, find weaknesses, and generate fake content like text, images, or videos. This helps them save time, automate tasks, and carry out attacks more effectively.
T1608 - Stage Capabilities
Attackers may set up capabilities by uploading or transferring harmful tools or scripts to compromised systems, servers, cloud environments, or web services. Staging these capabilities enables attackers to efficiently carry out malicious activities such as drive-by compromise, spearphishing, malware delivery, ingress tool transfer, and command-and-control operations.
T1608.001 - Upload Malware
Here, adversaries upload malware to infrastructure they control, which may be either purchased or previously compromised. The uploaded malware can include malicious payloads, tools, backdoors, or any other harmful code. Deploying this malware enables adversaries to efficiently execute subsequent stages of the attack lifecycle.
T1608.002 - Upload Tool
Here, adversaries upload tools to compromised platforms to support their activities. These tools can be open source or commercial. While the tools themselves are not malicious, attackers can misuse them for purposes such as ingress tool transfer.
T1608.003 - Install Digital Certificate
Attackers may install SSL/TLS certificates on servers they control to create encrypted connections. This helps them hide command-and-control traffic and make fake websites or emails look trustworthy. They can use either real certificates or self-signed ones on their own or compromised servers.
T1608.004 - Drive-by Target
Adversaries establish or prepare malicious websites and web content that are designed to target users who visit them. This can be achieved by injecting JavaScript, altered scripts, or malicious advertisements to exploit vulnerable browsers without requiring user interaction.
T1608.005 - Link Target
Adversaries prepare malicious links and the resources behind them to trick users into clicking. These resources are commonly HTML pages containing customized JavaScript used to steal credentials, exploit browser vulnerabilities, or deliver malware. To look legitimate, attackers may mask the URL, use look-alike domains, or use URL shorteners.
T1608.006 - SEO Poisoning
Adversaries manipulate search engine results so that their malicious websites rank higher and look legitimate. They use tricks like keyword stuffing, fake popularity, paid links, or ads to attract victims. When users click these search results, they may unknowingly visit malicious sites that deliver malware or compromise their systems.
How F5 Can Help
F5 helps organizations actively scan, block, and prevent malware uploads through web applications. Our products perform real-time, inline scanning of every file uploaded via an application, enabling the detection and prevention of malware or other malicious files. This provides a robust defense against the staging of malicious files and tools, ensuring enhanced security for web applications.
Conclusion
Understanding the Resource Development tactic and the techniques adversaries use enables organizations to implement effective precautionary measures. Strategies such as enabling robust malware protection, monitoring domains and certificates, securing DNS infrastructure, and continuously monitoring applications and assets can help detect and disrupt the setup of malicious resources before an attack is launched. By proactively addressing vulnerabilities and suspicious activity during the Resource Development phase, organizations can significantly enhance their security posture and reduce the likelihood of successful attacks.