- Home
- Techniques
- Enterprise
- Obtain Capabilities
- Malware
Obtain Capabilities: Malware
Other sub-techniques of Obtain Capabilities (6)
ID | Name |
---|---|
T1588.001 | Malware |
T1588.002 | Tool |
T1588.003 | Code Signing Certificates |
T1588.004 | Digital Certificates |
T1588.005 | Exploits |
T1588.006 | Vulnerabilities |
Before compromising a victim, adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
Procedure Examples
Name | Description |
---|---|
APT1 |
APT1 used publicly available malware for privilege escalation.[1] |
Turla |
Turla has used malware obtained after compromising other threat actors, such as OilRig.[2][3] |
Mitigations
Mitigation | Description |
---|---|
Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.