Build Capabilities

Table of Contents

Build Capabilities - Pre-ATT&CK

  • Building capabilities consists of developing and/or acquiring the software, data and techniques used at different phases of an operation. This is the process of identifying development requirements and implementing solutions such as malware, delivery mechanisms, obfuscation/cryptographic protections, and call back and O&M functions.

Build and configure delivery systems

  • Build and configure delivery systems - Pre-ATT&CK
    • Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments.

Build or acquire exploits

  • Build or acquire exploits - Pre-ATT&CK
    • An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise.12

C2 protocol development

  • C2 protocol development - Pre-ATT&CK
    • Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media.

Compromise 3rd party or closed-source vulnerability/exploit information


Create custom payloads

  • Create custom payloads - Pre-ATT&CK
    • A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment.

Create infected removable media


Identify resources required to build capabilities


Obtain/re-use payloads

  • Obtain/re-use payloads - Pre-ATT&CK
    • A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available.

Post compromise tool development

  • Post compromise tool development - Pre-ATT&CK
    • After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data.

Remote access tool development

  • Remote access tool development - Pre-ATT&CK
    • A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT.