MITRE ATT&CK® Technique

T1588: Obtain Capabilities

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or individuals.[1][2]

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.[3]

Enterprise · T1588 · Technique · Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Obtain Capabilities is pre-attack preparation: adversaries acquire malware, tools, certificates, exploits, vulnerability information, or AI capabilities instead of building everything themselves. For leaders, the practical issue is that a future incident may be enabled before the first visible intrusion attempt, especially when trusted software, certificates, or newly disclosed vulnerabilities reduce the defender’s warning time.

Executive priority

Treat this as a readiness and prioritization problem, not a single alerting problem. Executives should ask whether vulnerability management, certificate governance, threat intelligence, and pre-compromise monitoring can identify when acquired capabilities could make the organization easier to target. This technique supports business decisions around patch urgency, software trust, supplier and certificate risk, and incident response preparation.

Technical view

This is an ATT&CK PRE-platform, Resource Development technique with no official ATT&CK detection text supplied. SOC and detection teams should validate coverage across the related subtechnique areas: acquired malware, dual-use tools, code-signing certificates, SSL/TLS certificates, exploits, vulnerability information, and AI-enabled preparation. The relationship to DET0850 indicates a detection strategy exists, but local teams still need to map it to their telemetry and use cases. The M1056 Pre-compromise mitigation relationship points toward reducing attack surface and identifying adversarial preparation activity before intrusion.

Likely telemetry

  • Threat intelligence reporting on malware, tools, exploit availability, certificate abuse, and vulnerability interest
  • Vulnerability management data, exposure inventories, and patch status
  • Certificate inventory, code-signing certificate records, and SSL/TLS certificate monitoring
  • Network security telemetry that can surface suspicious infrastructure or certificate patterns
  • Endpoint and software inventory data for unexpected tools or signed binaries

Detection direction

  • Do not rely on a single direct detection; this behavior often occurs before victim-environment telemetry exists.
  • Validate whether threat intelligence is operationalized into watchlists, vulnerability prioritization, certificate monitoring, and SOC hunt hypotheses.
  • Tune detections around suspicious or unexpected use of signed code, unusual TLS/SSL certificate characteristics, known malicious or dual-use tools, and exploit-related exposure where supported by local telemetry.
  • Separate legitimate security research, administrator tooling, and normal certificate issuance from adversary preparation indicators to reduce false positives.
  • Use the related subtechniques to structure coverage reviews: malware, tools, code-signing certificates, digital certificates, exploits, vulnerabilities, and artificial intelligence.

Mitigation priorities

  • Prioritize M1056-style pre-compromise controls: reduce exposed attack surface and improve visibility into adversarial preparation.
  • Maintain current asset, software, vulnerability, and certificate inventories so newly relevant acquired capabilities can be assessed quickly.
  • Tie vulnerability prioritization to exploit availability and exposure, not only severity scores.
  • Govern code-signing and TLS certificate issuance, storage, renewal, and revocation processes.
  • Prepare IR playbooks to investigate when trusted certificates, legitimate tools, or public exploits appear in malicious activity.
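As an added illustration of the prioritization point above (example code, not part of the ATT&CK object or Glexia's analysis), the following Python ranks constructed vulnerability findings by exploit availability and exposure as well as CVSS severity. The weights, tier thresholds and placeholder identifiers are assumptions chosen for the example.

```python
"""Constructed example: rank findings by exploit availability and exposure,
not by CVSS base score alone. Records, weights and tier thresholds are
assumptions for illustration, not values taken from the ATT&CK object."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str              # placeholder identifiers, not real CVE numbers
    cvss: float           # base severity, 0.0 to 10.0
    exploit_public: bool  # a working exploit is publicly available
    exposure: str         # "internet", "partner", or "internal"


# Assumed reachability weights: how easily an acquired exploit can be aimed
# at the asset from outside the organization.
EXPOSURE_WEIGHT = {"internet": 3.0, "partner": 1.5, "internal": 0.5}


def priority_score(f: Finding) -> float:
    """Severity is the starting point; a public exploit and external
    reachability decide whether an adversary can actually use it."""
    score = f.cvss
    if f.exploit_public:
        score *= 1.5
    score *= EXPOSURE_WEIGHT.get(f.exposure, 0.5)
    return round(score, 1)


def tier(score: float) -> str:
    """Map a score to a patch-urgency tier (thresholds are assumptions)."""
    if score >= 20.0:
        return "P1"   # patch now: public exploit meets reachable surface
    if score >= 8.0:
        return "P2"
    return "P3"


def rank(findings):
    """Return (asset, cve, score, tier) tuples, highest priority first."""
    rows = [(f.asset, f.cve, priority_score(f), tier(priority_score(f)))
            for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample: note the critical but internal, unexploited finding
# ends up below a medium-severity, internet-facing one with a public exploit.
SAMPLE = [
    Finding("vpn-gw-01", "CVE-PLACEHOLDER-A", 7.5, True, "internet"),
    Finding("hr-db-02", "CVE-PLACEHOLDER-B", 9.8, False, "internal"),
    Finding("partner-api", "CVE-PLACEHOLDER-C", 6.5, True, "partner"),
    Finding("build-srv", "CVE-PLACEHOLDER-D", 9.1, False, "internet"),
]

if __name__ == "__main__":
    for row in rank(SAMPLE):
        print(row)
```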

Analyst notes and limits

This technique is broad and decision-oriented. Its value is in forcing a coverage review across threat intelligence, vulnerability management, certificate governance, SOC detection engineering, and incident response readiness. The related subtechniques provide the practical decomposition for control testing.

The official ATT&CK object provides no detection text and only the PRE platform. Any claims about active exploitation, specific adversaries, affected products, or detection coverage require local evidence or additional intelligence not supplied here.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID          Name                        Relationship    Note
Enterprise  T1588.006   Vulnerabilities             Sub-technique   Vulnerabilities subtechnique of this object.
Enterprise  T1588.005   Exploits                    Sub-technique   Exploits subtechnique of this object.
Enterprise  T1588.007   Artificial Intelligence     Sub-technique   Artificial Intelligence subtechnique of this object.
Enterprise  T1588.004   Digital Certificates        Sub-technique   Digital Certificates subtechnique of this object.
Enterprise  T1588.002   Tool                        Sub-technique   Tool subtechnique of this object.
Enterprise  T1588.003   Code Signing Certificates   Sub-technique   Code Signing Certificates subtechnique of this object.
Enterprise  T1588.001   Malware                     Sub-technique   Malware subtechnique of this object.
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: f89dbfee2b82b19e...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.1                         Current bundle   f89dbfee2b82…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [NationsBuying] Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
  2. [PegasusCitizenLab] Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.
  3. [DiginotarCompromise] Fisher, D. (2012, October 31). Final Report on DigiNotar Hack Shows Total Compromise of CA Servers. Retrieved March 6, 2017.
  4. [Analyzing CS Dec 2020] Maynier, E. (2020, December 20). Analyzing Cobalt Strike for Fun and Profit. Retrieved October 12, 2021.
  5. [FireEyeSupplyChain] FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to Sunshop. Retrieved March 6, 2017.
  6. [Recorded Future Beacon Certificates] Insikt Group. (2019, June 18). A Multi-Method Approach to Identifying Rogue Cobalt Strike Servers. Retrieved September 16, 2024.
  7. [Splunk Kovar Certificates 2017] Kovar, R. (2017, December 11). Tall Tales of Hunting with TLS/SSL Certificates. Retrieved October 16, 2020.
  8. [mitre-attack T1588] MITRE ATT&CK source record for T1588.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.