T1588.002 · resource-development · 71 actors · 2 correlated reports

Tool

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: PsExec). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions. Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).

Open detection, hunting, mitigation, and evidence workspace

Detection logic

In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

Observed actors

APT38
G0082 GALLIUM
G0093 Kimsuky
G0094 Volt Typhoon
G1017 Patchwork
G0040 APT41
G0096 Dragonfly
G0035 Gorgon Group
G0078 menuPass
G0045 APT32
G0050 MuddyWater
G0069 FIN6
G0037 Gamaredon Group
G0047 Leafminer
G0077 FIN7
G0046 Sandworm Team
G0034 APT39
G0087 TA2541
G1018 Moses Staff
G1009 Carbanak
G0008 POLONIUM
G1005 Aquatic Panda
G0143 Aoqin Dragon
G1007 Ferocious Kitten
G0137 Ke3chang
G0004 APT1
G0006 DarkHydrus
G0079 BlackTech
G0098 Blue Mockingbird
G0108 Turla
G0010 TA505
G0092 BITTER
G1002 DarkVishnya
G0105 FIN5
G0053 APT29
G0016 Cinnamon Tempest
G1021 Chimera
G0114 Cleaver
G0003 Silent Librarian
G0122 BRONZE BUTLER
G0060 TEMP.Veles
G0088 BackdoorDiplomacy
G0135 Star Blizzard
G1033 Ember Bear
G1003 Whitefly
G0107 LuminousMoth
G1014 APT28
G0007 Metador
G1013 APT-C-36
G0099 Lazarus Group
G0032 INC Ransom
G1032 Earth Lusca
G1006 Silence
G0091 Thrip
G0076 LAPSUS$
G1004 Cobalt Group
G0080 CopyKittens
G0052 Wizard Spider
G0102 IndigoZebra
G0136 Inception
G0100 Play
G1040 HEXANE
G1001 WIRTE
G0090 Magic Hound
G0059 Threat Group-3390
G0027 APT33
G0064 FIN10
G0051 FIN8
G0061 FIN13
G1016 APT19
G0073 PittyTiger
G0011

Correlated CTI and IR reports

ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
1200km CTI repository · explicit report mention ATT CK as a Working Tool Theory and Hands On Practical Usage
1200km Medium · authored report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research