MITRE ATT&CK® Tactic

TA0042: Resource Development

The adversary is trying to establish resources they can use to support operations.

Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising/stealing resources that can be used to support targeting. Such resources include infrastructure, accounts, or capabilities. These resources can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using purchased domains to support Command and Control, email accounts for phishing as a part of Initial Access, or stealing code signing certificates to help with Defense Evasion.

Enterprise | TA0042 | Tactic | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Resource Development is the preparation work adversaries do before visible intrusion activity: acquiring or compromising infrastructure, accounts, domains, certificates, or capabilities that later support phishing, command and control, or defense evasion. For leaders, the key value is recognizing that some risk indicators appear before an incident reaches endpoints or cloud workloads, but ATT&CK provides no specific detection guidance for this tactic alone.

Executive priority

Treat this as an early-warning and readiness topic, not a single control gap. Security leaders should ask whether threat intelligence, identity monitoring, domain/email protections, certificate governance, and incident response playbooks can connect suspicious external resources to later intrusion activity. Budget and audit discussions should focus on whether the organization can preserve and correlate evidence across email, identity, infrastructure, and external threat intelligence sources before an attack becomes operationally disruptive.

Technical view

Because this is a tactic-level object with no platforms, techniques, relationships, or official detection text supplied, SOC and IR teams should validate coverage around the resource types named in the ATT&CK description: infrastructure, accounts, and capabilities. Detection engineering should avoid treating Resource Development as directly observable in one log source; instead, use it as context for enrichment and correlation with later behaviors such as phishing, command and control, or defense evasion when those are observed in the local environment.

Likely telemetry

  • Threat intelligence and external exposure intelligence about domains, infrastructure, accounts, or certificates relevant to the organization
  • Email security telemetry for suspicious sender infrastructure and account use
  • Identity and access logs for account creation, compromise indicators, and anomalous authentication patterns
  • DNS, proxy, and network telemetry that can show contact with newly observed or suspicious infrastructure
  • Certificate inventory and code-signing governance records where applicable

Detection direction

  • Validate whether resource-related indicators can be correlated across email, identity, DNS/proxy, network, and threat intelligence sources rather than reviewed in isolation.
  • Tune detections to reduce false positives from legitimate new domains, business partners, cloud services, and normal account provisioning.
  • Use Resource Development as contextual enrichment for investigations; the supplied ATT&CK object does not provide standalone detection logic.
  • Check blind spots in external visibility, such as lack of domain monitoring, limited certificate inventory, or insufficient retention of email and identity telemetry.
  • Ensure SOC workflows can preserve weak early signals and connect them to later tactics if an incident develops.
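
The correlation and tuning steps in the list above, as an added example (not code from Glexia or MITRE). It grades newly observed domains by how many telemetry sources recorded them, suppresses allowlisted partners, and retains single-source signals instead of dropping them. The record layout, the 30-day window, the grading thresholds and all sample values are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data, not real indicators; all names are assumptions.
TODAY = date(2026, 1, 20)
NEW_DOMAIN_DAYS = 30                      # "newly observed" window, tune locally
ALLOWLIST = {"partner-portal.example"}    # known partners and sanctioned services

# Threat-intel / external-exposure feed: domain -> first-seen date
FIRST_SEEN = {
    "login-corp-sso.example": date(2026, 1, 10),
    "partner-portal.example": date(2026, 1, 12),
    "cdn-assets.example": date(2024, 5, 1),
    "invoice-update.example": date(2026, 1, 15),
}

# (source, entity, domain) records normalised from each log source
EVENTS = [
    ("email", "alice", "login-corp-sso.example"),      # sender domain
    ("dns", "wks-017", "login-corp-sso.example"),      # queried name
    ("identity", "alice", "login-corp-sso.example"),   # sign-in referrer domain
    ("email", "bob", "partner-portal.example"),
    ("dns", "wks-022", "partner-portal.example"),
    ("dns", "wks-031", "cdn-assets.example"),
    ("email", "carol", "invoice-update.example"),
]

def correlate(events, first_seen, allowlist, today, window_days):
    """Grade newly observed, non-allowlisted domains by how many sources saw them."""
    by_domain = defaultdict(lambda: defaultdict(set))
    for source, entity, domain in events:
        by_domain[domain][source].add(entity)
    findings = {}
    for domain, sources in by_domain.items():
        seen = first_seen.get(domain)
        if seen is None or (today - seen).days > window_days:
            continue                      # no "new resource" context from intel
        if domain in allowlist:
            continue                      # legitimate new domain, suppress
        # One source: weak signal to retain. Two or more: send to triage.
        grade = "triage" if len(sources) >= 2 else "retain"
        findings[domain] = {"grade": grade, "sources": sorted(sources),
                            "entities": sorted(set().union(*sources.values())),
                            "age_days": (today - seen).days}
    return findings

if __name__ == "__main__":
    for dom, f in sorted(correlate(EVENTS, FIRST_SEEN, ALLOWLIST, TODAY, NEW_DOMAIN_DAYS).items()):
        print(dom, f)
```

A "triage" grade here is context for an analyst, not an incident conclusion; the "retain" grade keeps the weak early signal available if later activity involves the same domain.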

Mitigation priorities

  • Prioritize governance over resources that can be abused for trust: accounts, domains, certificates, and externally facing infrastructure.
  • Strengthen identity lifecycle controls, account monitoring, and access review processes to reduce the value of stolen or misused accounts.
  • Maintain certificate and code-signing inventory where relevant, including ownership, issuance, and revocation processes.
  • Use threat intelligence and external exposure monitoring to inform triage, but require local evidence before escalating to incident conclusions.
  • Document how resource-development indicators support compliance evidence, incident response timelines, and executive reporting.

Analyst notes and limits

This object is a tactic, not a technique, and no relationship context was supplied. The strongest use is as a planning and correlation lens: it helps teams ask whether they can see adversary preparation resources early enough to improve triage and response.

Official detection is not provided, platforms are not specified, and no related techniques or groups were supplied. Any concrete detection, vendor control, or exposure assessment requires local environment telemetry and additional ATT&CK relationship context.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e0a69610f516e04d...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e0a69610f516… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack TA0042

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.