MITRE ATT&CK Technique
Resource Development T1588.002
Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Supported Platforms
PRE
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data 
{'created': '2020-10-01T02:08:33.977Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may buy, steal, or download software tools that '
                'can be used during targeting. Tools can be open or closed '
                'source, free or commercial. A tool can be used for malicious '
                'purposes by an adversary, but (unlike malware) were not '
                'intended to be used for those purposes (ex: '
                '[PsExec](https://attack.mitre.org/software/S0029)). \n'
                '\n'
                'Adversaries may obtain tools to support their operations, '
                'including to support execution of post-compromise behaviors. '
                'Tools may also be leveraged for testing – for example, '
                'evaluating malware against commercial antivirus or endpoint '
                'detection and response (EDR) applications.(Citation: '
                'Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier '
                'Target 2025)\n'
                '\n'
                'Tool acquisition may involve the procurement of commercial '
                'software licenses, including for red teaming tools such as '
                'Cobalt Strike. In addition to freely downloading or '
                'purchasing software, adversaries may steal software and/or '
                'software licenses from third-party entities (including other '
                'adversaries). Threat actors may also crack trial versions of '
                'software.(Citation: Recorded Future Beacon 2019)',
 'external_references': [{'external_id': 'T1588.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1588/002'},
                         {'description': ' Tom Hegel, Aleksandar Milenkoski & '
                                         'Jim Walter. (2025, April 28). Top '
                                         'Tier Target | What It Takes to '
                                         'Defend a Cybersecurity Company from '
                                         'Today’s Adversaries. Retrieved May '
                                         '22, 2025.',
                          'source_name': 'Sentinel Labs Top Tier Target 2025',
                          'url': 'https://www.sentinelone.com/labs/top-tier-target-what-it-takes-to-defend-a-cybersecurity-company-from-todays-adversaries/'},
                         {'description': 'Maynier, E. (2020, December 20). '
                                         'Analyzing Cobalt Strike for Fun and '
                                         'Profit. Retrieved October 12, 2021.',
                          'source_name': 'Analyzing CS Dec 2020',
                          'url': 'https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/'},
                         {'description': 'Recorded Future. (2019, June 20). '
                                         'Out of the Blue: How Recorded Future '
                                         'Identified Rogue Cobalt Strike '
                                         'Servers. Retrieved September 16, '
                                         '2024.',
                          'source_name': 'Recorded Future Beacon 2019',
                          'url': 'https://www.recordedfuture.com/blog/identifying-cobalt-strike-servers'},
                         {'description': 'Vedere Labs. (2022, March 11). '
                                         'Analysis of Conti Leaks. Retrieved '
                                         'May 22, 2025.',
                          'source_name': 'Forescout Conti Leaks 2022',
                          'url': 'https://www.forescout.com/resources/analysis-of-conti-leaks/'}],
 'id': 'attack-pattern--a2fdce72-04b2-409a-ac10-cc1695f4fce0',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'resource-development'}],
 'modified': '2025-10-24T17:49:10.900Z',
 'name': 'Tool',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['SOCCRATES', 'Mnemonic AS', 'Menachem Goldstein'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['PRE'],
 'x_mitre_version': '1.2'}
Quick Actions
Edit TTP Update from Web
Related Threat Actors (71)
Ferocious Kitten
High
LuminousMoth
High
Medusa Group
High
Wizard Spider
High
FIN7
High
View All 71 Actors
Back to TTPs
Dashboard About