DET0853: Detection of Develop Capabilities

DET0853 is a MITRE detection strategy for identifying adversary resource-development activity related to building capabilities such as malware, exploits, o...

EnterpriseDET0853Detection StrategyObject v1.0 Modified May 12, 2026, 16:34 UTC (UTC+00:00)

DET0853 is a MITRE detection strategy for identifying adversary resource-development activity related to building capabilities such as malware, exploits, or self-signed certificates before or during operations. Its business value is strategic: this behavior often occurs before direct intrusion telemetry is available, so organizations should treat it as a threat intelligence, exposure-management, and preparedness problem rather than a traditional endpoint-only detection problem.

Executive priority

Leaders should use this object to ask whether the organization can recognize early warning signs that adversaries are developing capabilities relevant to its technologies, brands, infrastructure, or sector. Because the ATT&CK object provides no specific detection logic or platform scope, priority should be on governance: defining intelligence requirements, validating external monitoring sources, connecting early warnings to vulnerability prioritization and incident readiness, and documenting what evidence would support escalation before an intrusion is confirmed.

Technical view

This detection strategy maps to ATT&CK technique T1587, Develop Capabilities, under resource development on PRE platforms. SOC, threat intelligence, and incident response teams should validate whether they have processes and telemetry to identify indicators that custom tooling, exploits, certificates, or other adversary-built capabilities may be emerging. Since no official detection text is supplied, teams should avoid assuming SIEM coverage exists and instead define environment-specific hypotheses, collection points, enrichment workflows, and escalation criteria tied to relevant technologies and threat intelligence requirements.

Likely telemetry

Threat intelligence reporting related to newly developed malware, exploits, certificates, or tooling
Vulnerability intelligence and exploit-development indicators relevant to the organization’s exposed technologies
Certificate transparency or certificate reputation data where self-signed or suspicious certificates are relevant
External attack surface and brand/infrastructure monitoring outputs
Malware analysis, sandbox, or reverse-engineering findings when samples are available

Detection direction

Confirm whether detection responsibilities sit with threat intelligence, SOC, vulnerability management, or a defined cross-functional workflow; this is unlikely to be solved by endpoint telemetry alone.
Translate the broad T1587 behavior into organization-specific intelligence requirements, such as technologies in use, exposed services, high-value brands, and critical business processes.
Tune triage to distinguish generic public research or benign development activity from indicators plausibly relevant to adversary capability development.
Validate escalation paths from early-warning intelligence to vulnerability prioritization, compensating controls, hunting, and incident response readiness.
Document blind spots caused by lack of external intelligence sources, limited malware-analysis capacity, weak certificate monitoring, or poor linkage between threat intel and operational response.

Mitigation priorities

Start by inventorying critical technologies, exposed services, and business assets that should drive intelligence requirements for capability-development monitoring.
Establish threat intelligence collection and review processes for malware, exploit, tooling, and certificate developments relevant to the organization.
Connect intelligence findings to vulnerability management so emerging exploit-development signals can influence patching, hardening, and compensating-control priorities.
Create SOC and IR playbooks for escalating credible early-warning indicators even when there is no confirmed compromise.
Maintain audit-ready evidence showing how external intelligence, exposure data, and response decisions are reviewed and acted on.

Analyst notes and limits

The source object is a detection strategy with no official description, no official detection text, and no specified platforms or tactics. The only supplied relationship states that it detects T1587, Develop Capabilities, a resource-development technique on PRE platforms. The practical interpretation should therefore remain focused on preparedness, intelligence-driven detection, and operational validation rather than specific technical signatures.

This take is constrained by sparse ATT&CK fields. It does not assert active exploitation, actor attribution, customer exposure, concrete detection coverage, or specific platform telemetry beyond the supplied relationship to T1587. Local technology stack, external exposure, intelligence sources, and SOC/IR workflows are required to make this actionable.

Official MITRE ATT&CK definition

Detection of Develop Capabilities

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1587	Develop Capabilities	This object detects Develop Capabilities.

Relationship explorer

All related ATT&CK context

detects · Technique T1587: Develop Capabilities Enterprise

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Oct 21, 2025, 15:10 UTC (UTC+00:00)
Modified: May 12, 2026, 16:34 UTC (UTC+00:00)
Raw hash: 1783e3fe0dda4168...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.0	May 12, 2026, 16:34 UTC (UTC+00:00)	Current bundle	`1783e3fe0dda…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
mitre-attack DET0853
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use