Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to aid in Defense Evasion.
Tactic Overview
Tactic ID: TA0042 — Matrix: Enterprise — Techniques: 8
The Resource Development tactic represents a phase in the adversary lifecycle where the adversary is trying to establish resources they can use to support operations. This tactic is part of the MITRE ATT&CK Enterprise matrix and encompasses 8 known techniques that adversaries employ during this phase of an attack.
Understanding this tactic is critical for defenders to build effective detection strategies and implement appropriate countermeasures. Organizations should map their security controls against each technique to identify coverage gaps and prioritize defensive investments.
Techniques (8)
The following techniques are categorized under the Resource Development tactic in the MITRE ATT&CK Enterprise matrix:
| Technique ID | Name | Description | MITRE Reference |
|---|---|---|---|
| T1650 | Acquire Access | Adversaries purchase or otherwise acquire access to existing compromised systems to use in targeting operations. | T1650 |
| T1583 | Acquire Infrastructure (8 sub-techniques) | Adversaries acquire infrastructure such as domains, VPS, servers, botnets, and web services to stage operations. | T1583 |
| T1586 | Compromise Accounts (3 sub-techniques) | Adversaries compromise existing accounts on social media, email, and cloud services to support operations. | T1586 |
| T1584 | Compromise Infrastructure (8 sub-techniques) | Adversaries compromise third-party infrastructure including domains, DNS servers, and web services for use in attacks. | T1584 |
| T1587 | Develop Capabilities (4 sub-techniques) | Adversaries build custom malware, exploits, code signing certificates, and digital certificates for use in operations. | T1587 |
| T1585 | Establish Accounts (3 sub-techniques) | Adversaries create new accounts on social media, email platforms, and cloud services to facilitate operations. | T1585 |
| T1588 | Obtain Capabilities (7 sub-techniques) | Adversaries obtain tools, malware, exploits, and certificates from third parties including dark web markets and open-source repositories. | T1588 |
| T1608 | Stage Capabilities (6 sub-techniques) | Adversaries upload malware, tools, certificates, and exploits to infrastructure to make them available during targeting. | T1608 |
Detection & Mitigation
Organizations should implement layered defenses addressing each technique within this tactic. Below are key mitigation strategies recommended by Mjolnir Security analysts.
Key Mitigations
- Monitor for newly registered domains
- Certificate transparency monitoring
- Threat intelligence feeds
- Takedown services for malicious infrastructure
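As an added example (not code from Mjolnir Security or MITRE), one way to act on the first two mitigations is to screen names from a newly-registered-domain list or from certificate transparency SAN entries for look-alikes of a protected label. `BRAND`, `OWNED`, the function names and every domain in `SAMPLE_FEED` are assumptions constructed for illustration.

```python
import unicodedata

BRAND = "example"        # assumption: the label being protected
OWNED = {"example.com"}  # assumption: domains the organisation itself holds
# Constructed feed: names as seen in new-registration lists or CT log SAN entries.
SAMPLE_FEED = [
    "examp1e.com", "example-login.net", "*.mail.exarnple.com", "exmple.com",
    "xn--exmple-cua.com", "weather-report.org", "www.example.com",  # xn-- is an IDN
]

def normalize(name):
    """Lowercase, drop a leading wildcard, decode punycode labels."""
    name = name.lower().lstrip("*.")
    try:
        return name.encode("ascii").decode("idna")
    except UnicodeError:
        return name

def skeleton(label):
    """Fold accents and common look-alike sequences to plain letters."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    for src, dst in (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")):
        folded = folded.replace(src, dst)
    return folded

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(name):
    """Return why a name resembles BRAND, or None if it does not."""
    host = normalize(name)
    if any(host == d or host.endswith("." + d) for d in OWNED):
        return None
    for token in host.replace("-", ".").split("."):
        folded = skeleton(token)
        if folded == BRAND:
            return "brand-keyword" if token == BRAND else "lookalike"
        if edit_distance(folded, BRAND) == 1:
            return "typo"
    return None

def triage(feed):
    return {name: reason for name in feed if (reason := classify(name))}
```

Calling `triage(SAMPLE_FEED)` returns only the flagged names with a reason, which can be forwarded to a SIEM or a takedown queue. The look-alike table in `skeleton` is deliberately small and would need extending for broader homoglyph coverage.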
Detection Strategies
Effective detection of Resource Development techniques requires a combination of log analysis, behavioral monitoring, and threat intelligence correlation. Security teams should focus on establishing baselines for normal activity and alerting on deviations that may indicate adversary behavior aligned with this tactic.
- SIEM Integration: Correlate events across multiple data sources to detect technique patterns
- Behavioral Analytics: Deploy UEBA solutions to identify anomalous activity indicative of this tactic
- Threat Hunting: Proactively search for indicators of techniques within this tactic using hypothesis-driven investigations
- Purple Teaming: Regularly test detection coverage by simulating techniques from this tactic
Associated Threat Actors
The following threat actors are known to heavily leverage techniques from the Resource Development tactic:
For comprehensive threat actor profiles, visit the APT Groups Hub.
Defend Against Resource Development Techniques
Mjolnir Security provides expert threat intelligence, purple team exercises, and detection engineering services to help organizations defend against adversary tactics mapped to the MITRE ATT&CK framework.
Written by Mjolnir Security Research — Published March 7, 2026
