T1587: Develop Capabilities
Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.[1][2][3][4]
As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.
Analyst context for executives and security teams
Develop Capabilities is pre-compromise adversary preparation: building in-house or contractor-shaped tools such as malware, exploits, and self-signed certificates before an operation. Its business significance is that risk may be forming before an intrusion is visible in normal endpoint or identity logs, so leaders should treat this as an intelligence, exposure-management, and readiness problem rather than only a SOC alerting problem.
Executive priority
Prioritize this technique where the organization depends on hard-to-patch systems, trusted software distribution, certificate trust, or high-value intellectual property. The key leadership question is whether security programs can recognize adversary preparation signals early enough to influence vulnerability prioritization, brand/domain/certificate monitoring, incident readiness, and pre-compromise controls. Because ATT&CK provides no native detection text for this parent technique, executives should ask for evidence of collection and analysis coverage rather than assume standard monitoring will detect it.
Technical view
For SOC, threat intelligence, and IR teams, validate coverage around the four related sub-technique areas: malware development, code signing certificates, digital certificates, and exploit development. Since the platform is PRE and the tactic is Resource Development, much of the useful signal may come from external intelligence, certificate transparency/TLS observations, malware analysis, vulnerability intelligence, and infrastructure or artifact tracking rather than host telemetry alone. The related DET0853 detection strategy indicates this object has detection guidance in ATT&CK context, but the supplied object does not include its details, so local teams should map their own analytic logic to the sub-techniques and available evidence.
Likely telemetry
- Threat intelligence reporting on newly developed malware, toolsets, exploits, or adversary-built capabilities
- Malware analysis and sandbox outputs for novel payloads, droppers, backdoors, packers, or C2 protocols
- Certificate transparency, TLS/SSL certificate metadata, and observations of self-signed or suspicious certificates
- Code-signing certificate metadata associated with executables and scripts
- Vulnerability intelligence and exploit-development indicators relevant to exposed technologies
Detection direction
- Do not rely on endpoint or network detections alone; this is a PRE-stage behavior and may occur outside the defended environment.
- Validate whether certificate, code-signing, malware-analysis, exploit-intelligence, and external threat-intelligence sources are actually collected, searchable, and reviewed.
- Tune detections and hunting around the related sub-techniques instead of treating the parent technique as one generic behavior.
- Account for false positives: legitimate development, self-signed certificates, internal testing, and contractor activity can resemble parts of this behavior without adversary intent.
- Use group relationships only as contextual intelligence leads; the supplied data links Kimsuky, Moonstone Sleet, and Contagious Interview to this technique but does not establish current targeting or exposure for any specific organization.
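The telemetry and detection points above lean on certificate observations (self-signed certificates, code-signing metadata on executables) and on suppressing the benign cases such as internal test CAs. The following is an added example of a small triage analytic for such observations; it is not ATT&CK or Glexia code. The record fields, the internal-CA and approved-signer allowlists, the fingerprints and the file paths are all constructed placeholders, and the 398-day figure is the CA/Browser Forum validity limit for publicly trusted TLS certificates.

```python
"""Certificate-observation triage for Develop Capabilities (T1587) preparation signals."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CertObservation:
    sha256: str                 # constructed placeholder fingerprints, not real indicators
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    source: str                 # constructed source tag: "ct_log", "tls_scan" or "pe_signature"
    signed_object: Optional[str] = None  # file the certificate signed, for pe_signature records


# Assumed local policy (hypothetical names): CAs the organization runs for internal
# testing, and subjects approved to sign code that runs on managed hosts.
INTERNAL_TEST_ISSUERS = {"CN=Corp Dev Test CA"}
APPROVED_CODE_SIGNERS = {"CN=Corp Release Signing"}

# CA/Browser Forum maximum validity for publicly trusted TLS server certificates.
PUBLIC_TLS_MAX_VALIDITY = timedelta(days=398)


def triage(obs: CertObservation, now: datetime, recent_days: int = 30) -> list[str]:
    """Return the reasons an analyst should review this observation (empty list: none)."""
    reasons = []
    internal = obs.issuer in INTERNAL_TEST_ISSUERS
    # Self-signed (subject == issuer) is the classic preparation signal, but an
    # internal test CA the organization knows about is a false positive, so skip it.
    if obs.subject == obs.issuer and not internal:
        reasons.append("self-signed")
    # Freshly minted certificates are worth a look regardless of issuer.
    if obs.not_before <= now <= obs.not_before + timedelta(days=recent_days):
        reasons.append("recently-issued")
    # A TLS certificate outliving the public-trust limit was not issued by a public CA.
    if (obs.source != "pe_signature" and not internal
            and obs.not_after - obs.not_before > PUBLIC_TLS_MAX_VALIDITY):
        reasons.append("validity-exceeds-public-tls-limit")
    # Code-signing records: flag any signer not on the approved list.
    if obs.signed_object is not None and obs.subject not in APPROVED_CODE_SIGNERS:
        reasons.append("code-signer-not-approved")
    return reasons


def hunt(observations, now):
    """Map fingerprint -> review reasons for every observation that produced any."""
    findings = {}
    for obs in observations:
        reasons = triage(obs, now)
        if reasons:
            findings[obs.sha256] = reasons
    return findings


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _issued(days_ago: int, valid_days: int):
    """Construct a (not_before, not_after) pair relative to NOW."""
    start = NOW - timedelta(days=days_ago)
    return start, start + timedelta(days=valid_days)


# Constructed observations; fingerprints, names and paths are placeholders.
SAMPLE_OBSERVATIONS = [
    CertObservation("aa" * 32, "CN=portal.example.test", "CN=portal.example.test",
                    *_issued(5, 3650), "tls_scan"),
    CertObservation("bb" * 32, "CN=Corp Dev Test CA", "CN=Corp Dev Test CA",
                    *_issued(400, 1825), "tls_scan"),
    CertObservation("cc" * 32, "CN=www.example.test", "CN=Example Public CA",
                    *_issued(60, 90), "ct_log"),
    CertObservation("dd" * 32, "CN=Totally Legit Updater", "CN=Totally Legit Updater",
                    *_issued(2, 365), "pe_signature", r"C:\Temp\updater.exe"),
    CertObservation("ee" * 32, "CN=Corp Release Signing", "CN=Corp Issuing CA",
                    *_issued(200, 1095), "pe_signature", r"C:\Program Files\Corp\agent.exe"),
]

if __name__ == "__main__":
    for sha, reasons in hunt(SAMPLE_OBSERVATIONS, NOW).items():
        print(sha[:12], ", ".join(reasons))
```

Of the five constructed records only two surface: the fresh self-signed TLS certificate with a ten-year lifetime, and the self-signed signer on an executable. The internal test CA, the public-CA-issued certificate and the approved release signer produce no reasons, which is the false-positive handling the detection direction above asks for. Real deployments would feed this from certificate transparency, TLS scan and endpoint signature telemetry and review the allowlists as governance artefacts.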
Mitigation priorities
- Apply pre-compromise mitigation priorities from M1056: reduce exposed weaknesses, limit information useful to adversary preparation, and increase the difficulty of successful operations during Reconnaissance and Resource Development phases.
- Tie vulnerability management to exploit-development risk, especially where external exposure or high operational dependency exists.
- Strengthen governance for trusted code and certificates, including review of self-signed certificates and code-signing trust decisions.
- Use threat intelligence to drive proactive hunts, attack-surface review, and incident playbook updates before confirmed compromise.
- Document collection, monitoring, and review processes as compliance and readiness evidence, particularly where prevention cannot be directly proven.
Analyst notes and limits
This technique is most useful as a planning and coverage-mapping object. Its value comes from forcing teams to ask whether they can see preparation signals around malware, exploits, and certificates before those capabilities are deployed. The cited public reporting and related groups support that adversaries may build bespoke capabilities, but local relevance depends on the organization’s technologies, exposure, intelligence sources, and operating model.
Official ATT&CK detection text is not provided for this object, and the supplied relationship to DET0853 does not include detection details. The object is scoped to PRE-stage Resource Development, so many signals may be external, indirect, or intelligence-derived. No claim can be made from the supplied data that a specific organization is targeted, that exploitation is active, or that any control guarantees detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1587.001 | Malware | Sub-technique of this object. |
| Enterprise | T1587.002 | Code Signing Certificates | Sub-technique of this object. |
| Enterprise | T1587.003 | Digital Certificates | Sub-technique of this object. |
| Enterprise | T1587.004 | Exploits | Sub-technique of this object. |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
G1052: Contagious Interview
Contagious Interview is a North Korea–aligned threat group active since 2023. The group conducts both cyberespionage and financially motivated operations, including the theft of cryptocurrency and user credentials. Contagious Interview targets Windows, Linux, and macOS systems, with a particular focus on individuals engaged in software development and cryptocurrency-related activities.[1][2][3][4][5][6][7][8]
G1036: Moonstone Sleet
Moonstone Sleet is a North Korean-linked threat actor executing both financially motivated attacks and espionage operations. The group previously overlapped significantly with another North Korean-linked entity, Lazarus Group, but has differentiated its tradecraft since 2023. Moonstone Sleet is notable for creating fake companies and personas to interact with victim entities, as well as developing unique malware such as a variant delivered via a fully functioning game.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 02c7068c5eba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant APT1: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
[2] Kaspersky Sofacy: Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
[3] Bitdefender StrongPity June 2020: Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
[4] Talos Promethium June 2020: Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
[5] Splunk Kovar Certificates 2017: Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.
[6] mitre-attack T1587: MITRE ATT&CK source object for T1587.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.