MITRE ATT&CK® Technique

T1587.004: Exploits

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.[1] Adversaries may use information acquired via Vulnerabilities to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.[2]

As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Stealth, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).

Domain: Enterprise | ID: T1587.004 | Type: Sub-technique | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

T1587.004 covers adversaries developing their own exploits before an operation. The business issue is not just malware development; it is the possibility that an attacker is investing in a vulnerability-specific capability before defenders see activity in the environment. That makes exposure management, patch prioritization, external attack-surface reduction, and pre-compromise intelligence important parts of resilience planning.

Executive priority

Treat this as a planning signal for high-consequence assets, public-facing systems, remote services, client-side software, edge devices, virtualization platforms, and environments where cyber disruption could affect operations. Leaders should ask whether vulnerability management can prioritize likely exploitability and business criticality, whether SOC and IR teams can recognize exploitation attempts after the capability is used, and whether there is evidence for audit and risk decisions showing reduced exposure before an incident occurs.

Technical view

This is a PRE-platform, Resource Development sub-technique under Develop Capabilities. MITRE does not provide object-specific detection text, so defenders should validate coverage around the later ATT&CK behaviors where developed exploits may be used, including exploitation of public-facing applications, client execution, privilege escalation, stealth, credential access, remote services, and application or system exploitation. The DET0894 relationship indicates a detection strategy exists for this object, but the supplied fields do not describe its logic. Use the relationship context to drive validation rather than assuming coverage.

Likely telemetry

  • Vulnerability inventory and asset criticality data for internet-facing, remote-service, client, application, and system components
  • Patch management records, patch latency metrics, and exposure windows for high-risk vulnerabilities
  • External attack-surface management findings and public-facing application/service inventories
  • Exploit and vulnerability intelligence, including references to vulnerabilities that may inform adversary development
  • Application, web, endpoint, identity, and remote-service logs that would show exploitation attempts after an exploit is operationalized

Detection direction

  • Do not rely on direct detection of exploit development; this activity can occur outside the victim environment during Resource Development.
  • Map DET0894 and local analytics to observable downstream exploitation behaviors rather than claiming visibility into adversary development work.
  • Tune detections around abnormal behavior following vulnerability exposure: unexpected application behavior, suspicious authentication after service exploitation, privilege changes, crashes, or anomalous remote-service activity.
  • Use relationship context as prioritization input: the object is associated with a campaign and groups in ATT&CK, including actors described as targeting critical infrastructure, defense, technology, telecommunications, and other sectors; validate relevance against local sector and exposure, not as proof of targeting.
  • Account for false positives from legitimate security research, patch testing, vulnerability scanning, fuzzing, and authorized exploit validation.

Mitigation priorities

  • Prioritize pre-compromise controls consistent with M1056: reduce attack surface, limit exposed services, and make adversarial preparation harder.
  • Sequence vulnerability management by exploitability, exposure, asset criticality, and business impact rather than CVSS alone.
  • Maintain timely patching and compensating controls for public-facing applications, remote services, client software, edge devices, and virtualization technologies where applicable.
  • Use external attack-surface review and threat intelligence to identify which exposed technologies could attract exploit-development effort.
  • Prepare IR playbooks for exploitation-led intrusion paths, including containment, credential review, privilege escalation investigation, and evidence preservation.
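The prioritization point above (exploitability, exposure, asset criticality and business impact rather than CVSS alone) as an added, runnable illustration; this is example code written for this page, not Glexia or MITRE tooling. The weights, the inventory and the VULN-* identifiers are constructed assumptions, and the comparison shows how a CVSS-only queue and a composite-risk queue order the same findings differently.

```python
from dataclasses import dataclass

# Weights are an assumption for illustration; tune them to local risk appetite.
WEIGHTS = {"cvss": 0.25, "exploitability": 0.30, "exposure": 0.20,
           "criticality": 0.15, "impact": 0.10}

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder identifiers, not real CVE numbers
    asset: str
    cvss: float            # CVSS base score, 0-10
    exploit_known: bool    # public exploit or observed in-the-wild exploitation
    internet_facing: bool  # reachable from outside the perimeter
    criticality: int       # asset criticality, 1 (low) to 5 (crown jewel)
    impact: int            # business impact if compromised, 1 to 5

def risk_score(f: Finding) -> float:
    """Composite 0-100 score: CVSS blended with exploitability, exposure,
    asset criticality and business impact."""
    factors = {
        "cvss": f.cvss / 10.0,
        "exploitability": 1.0 if f.exploit_known else 0.3,
        "exposure": 1.0 if f.internet_facing else 0.4,
        "criticality": f.criticality / 5.0,
        "impact": f.impact / 5.0,
    }
    return 100.0 * sum(WEIGHTS[k] * v for k, v in factors.items())

def prioritize(findings):
    """Vulnerability ids ordered by composite risk, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]

def cvss_only(findings):
    """The ordering a CVSS-only patch queue would produce, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

# Constructed sample inventory (not real systems or vulnerabilities).
SAMPLE = [
    Finding("VULN-A", "internal-build-server", 9.8, False, False, 2, 2),
    Finding("VULN-B", "vpn-gateway", 7.2, True, True, 5, 5),
    Finding("VULN-C", "hr-laptop", 8.1, True, False, 2, 3),
    Finding("VULN-D", "public-web-app", 6.5, False, True, 4, 4),
]

if __name__ == "__main__":
    for f in sorted(SAMPLE, key=risk_score, reverse=True):
        print(f"{f.vuln_id:7} {f.asset:22} cvss={f.cvss:4} risk={risk_score(f):5.1f}")
    print("CVSS-only order:", cvss_only(SAMPLE))
    print("Risk order:     ", prioritize(SAMPLE))
```

The highest-CVSS finding (an unexploited bug on a low-criticality internal host) drops to the bottom of the composite queue, while the internet-facing gateway with a known exploit moves to the top.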

Analyst notes and limits

The ATT&CK object emphasizes exploit development as adversary resource development, including use of vulnerability information, fuzzing, patch analysis, in-house skills, or contracted capability. The strongest defensive value is in validating whether the organization can reduce exploitable exposure and detect the later operational use of an exploit.

Official detection text is not provided, and the supplied DET0894 relationship does not include detection details. The object is PRE-platform, so direct victim-side telemetry may be limited or absent until the exploit is used. Local asset inventory, exposure data, vulnerability context, and SOC telemetry are required to determine practical risk and coverage.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 row
Domain: Enterprise | ID: T1587 | Name: Develop Capabilities | Relationship / procedure: This object is a sub-technique of Develop Capabilities.
Associated objects

Groups, software, and campaigns

Group Enterprise

G1017: Volt Typhoon

Volt Typhoon is a People's Republic of China (PRC) state-sponsored actor that has been active since at least 2021, primarily targeting critical infrastructure organizations in the US and its territories including Guam. Volt Typhoon's targeting and pattern of behavior have been assessed as pre-positioning to enable lateral movement to operational technology (OT) assets for potential destructive or disruptive attacks. Volt Typhoon has emphasized stealth in operations using web shells, living-off-the-land (LOTL) binaries, hands on keyboard activities, and stolen credentials.[1][2][3][4] The group has leveraged compromised SOHO routers to proxy command and control traffic and obscure its infrastructure, activity associated with the KV botnet.[5]

Reporting indicates a separate initial access cluster, SYLVANITE, has been observed exploiting internet-facing edge devices and transferring access to Volt Typhoon, also tracked as VOLTZITE, for follow-on operations.[6]

Group Enterprise

G1048: UNC3886

UNC3886 is a China-nexus cyberespionage group that has been active since at least 2022, targeting defense, technology, and telecommunication organizations located in the United States and the Asia-Pacific-Japan (APJ) regions. UNC3886 has displayed a deep understanding of edge devices and virtualization technologies through the exploitation of zero-day vulnerabilities and the use of novel malware families and utilities.[1][2]

Group Enterprise

G0065: Leviathan

Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.[1] Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.[1][2][3][4]

Campaign Enterprise

C0062: Anthropic AI-orchestrated Campaign

The Anthropic AI-orchestrated Campaign was conducted in September 2025 by a likely China nexus espionage actor identified as GTG-1002. The Anthropic AI-orchestrated Campaign was a highly coordinated operation that manipulated Claude Code to perform reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, and exfiltration operations at approximately 30 entities in the technology, financial, chemical, and government sectors. During the Anthropic AI-orchestrated Campaign, human operators used Claude Code agents and Model Context Protocol (MCP) tools to automate cyber operations. Operators broke attacks into discrete tasks, used crafted prompts, and established personas to bypass AI guardrails, enabling the agents to execute the operations with minimal human involvement.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a941fccc1d8b0839...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Object version: 1.0 | Status: Current bundle | Raw hash: a941fccc1d8b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] NYTStuxnet: William J. Broad, John Markoff, and David E. Sanger. (2011, January 15). Israeli Test on Worm Called Crucial in Iran Nuclear Delay. Retrieved March 1, 2017.
  2. [2] Irongeek Sims BSides 2017: Stephen Sims. (2017, April 30). Microsoft Patch Analysis for Exploitation. Retrieved October 16, 2020.
  3. [3] mitre-attack T1587.004.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.