MITRE ATT&CK Technique
Description
Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle. In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab) In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-10-01T01:56:24.776Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may buy and/or steal capabilities that can be '
'used during targeting. Rather than developing their own '
'capabilities in-house, adversaries may purchase, freely '
'download, or steal them. Activities may include the '
'acquisition of malware, software (including licenses), '
'exploits, certificates, and information relating to '
'vulnerabilities. Adversaries may obtain capabilities to '
'support their operations throughout numerous phases of the '
'adversary lifecycle.\n'
'\n'
'In addition to downloading free malware, software, and '
'exploits from the internet, adversaries may purchase these '
'capabilities from third-party entities. Third-party entities '
'can include technology companies that specialize in malware '
'and exploits, criminal marketplaces, or from '
'individuals.(Citation: NationsBuying)(Citation: '
'PegasusCitizenLab)\n'
'\n'
'In addition to purchasing capabilities, adversaries may steal '
'capabilities from third-party entities (including other '
'adversaries). This can include stealing software licenses, '
'malware, SSL/TLS and code-signing certificates, or raiding '
'closed databases of vulnerabilities or exploits.(Citation: '
'DiginotarCompromise)',
'external_references': [{'external_id': 'T1588',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1588'},
{'description': 'Bill Marczak and John Scott-Railton. '
'(2016, August 24). The Million '
'Dollar Dissident: NSO Group’s iPhone '
'Zero-Days used against a UAE Human '
'Rights Defender. Retrieved December '
'12, 2016.',
'source_name': 'PegasusCitizenLab',
'url': 'https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/'},
{'description': 'FireEye. (2014). SUPPLY CHAIN '
'ANALYSIS: From Quartermaster to '
'SunshopFireEye. Retrieved March 6, '
'2017.',
'source_name': 'FireEyeSupplyChain',
'url': 'https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop'},
{'description': 'Fisher, D. (2012, October 31). Final '
'Report on DigiNotar Hack Shows Total '
'Compromise of CA Servers. Retrieved '
'March 6, 2017.',
'source_name': 'DiginotarCompromise',
'url': 'https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/'},
{'description': 'Insikt Group. (2019, June 18). A '
'Multi-Method Approach to Identifying '
'Rogue Cobalt Strike Servers. '
'Retrieved September 16, 2024.',
'source_name': 'Recorded Future Beacon Certificates',
'url': 'https://www.recordedfuture.com/research/cobalt-strike-servers'},
{'description': 'Kovar, R. (2017, December 11). Tall '
'Tales of Hunting with TLS/SSL '
'Certificates. Retrieved October 16, '
'2020.',
'source_name': 'Splunk Kovar Certificates 2017',
'url': 'https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html'},
{'description': 'Maynier, E. (2020, December 20). '
'Analyzing Cobalt Strike for Fun and '
'Profit. Retrieved October 12, 2021.',
'source_name': 'Analyzing CS Dec 2020',
'url': 'https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/'},
{'description': 'Nicole Perlroth and David E. Sanger. '
'(2013, July 12). Nations Buying as '
'Hackers Sell Flaws in Computer Code. '
'Retrieved March 9, 2017.',
'source_name': 'NationsBuying',
'url': 'https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html'}],
'id': 'attack-pattern--ce0687a0-e692-4b77-964a-0784a8e54ff1',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:24.545Z',
'name': 'Obtain Capabilities',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}