T1588.005: Exploits
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.[1][2][3]
In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or individuals.[4][5] In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).[2]
An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.
Adversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Stealth, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).
Analyst context for executives and security teams
This technique matters because it represents adversaries acquiring exploit capability before an intrusion, rather than writing it themselves. For leaders, the practical issue is not proving that a specific attacker bought an exploit; it is whether the organization can quickly connect newly public or commercially available exploit knowledge to its own exposed systems, patch priorities, monitoring, and incident readiness.
Executive priority
Treat this as a pre-compromise risk signal for vulnerability management and resilience planning. Executives should ask whether the organization can identify which internet-facing, client-side, privileged, remote-service, credential-access, stealth, or availability-relevant systems would be affected when exploit information becomes available. Budget and control decisions should prioritize reducing attack surface, speeding vulnerability triage, and maintaining evidence that pre-compromise monitoring and remediation processes are operating.
Technical view
ATT&CK places this sub-technique under Obtain Capabilities in the Resource Development tactic on the PRE platform. Because official detection text is not provided, SOC and IR teams should not expect reliable host or network detection of the acquisition activity itself. Instead, validate surrounding coverage: exploit and vulnerability intelligence intake, mapping of exploit information to asset exposure, alerting for later exploitation behaviors referenced by ATT&CK such as public-facing application exploitation, client execution, privilege escalation, credential access, remote services exploitation, stealth, and application or system exploitation. The related DET0827 detection strategy indicates detection content exists for this object, but the supplied fields do not describe its analytics.
Likely telemetry
- Vulnerability and asset inventory showing affected software, hardware, internet-facing services, and ownership
- Patch and remediation status for vulnerabilities tied to public, purchased, stolen, or otherwise available exploit information
- Threat intelligence reporting on exploit availability, exploit databases, exploit vendors, criminal marketplaces, or exploit-kit references
- External attack surface management or exposure data for public-facing applications and remote services
- Web application, network, endpoint, and authentication logs that would show later exploitation attempts or post-exploitation behavior
Detection direction
- Do not overstate visibility into adversary acquisition; this is pre-compromise behavior and may occur entirely outside the victim environment.
- Validate that exploit intelligence is normalized into vulnerability prioritization and detection engineering workflows, rather than remaining as disconnected threat reporting.
- Tune downstream detections around the exploitation techniques named in the ATT&CK description, especially where local assets are exposed or unpatched.
- Use relationship context carefully: Kimsuky and Ember Bear are listed as using this technique, but that does not by itself establish current targeting or exploitation of a specific organization.
- Review false positives where scanning, security research, red-team activity, or vulnerability testing may resemble exploitation attempts in downstream telemetry.
Mitigation priorities
- Apply the related M1056 Pre-compromise mitigation concept: reduce attack surface before adversaries can use obtained capabilities.
- Prioritize exposed and business-critical assets when exploit information becomes public or otherwise credible.
- Maintain current software, configuration, and vulnerability remediation processes for internet-facing applications, remote services, client software, and privileged systems.
- Limit unnecessary information disclosure that helps adversaries identify exploitable technologies during reconnaissance and resource development.
- Ensure IR playbooks connect exploit intelligence to asset owners, emergency patch decisions, compensating controls, and monitoring changes.
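The detection and mitigation points above both reduce to one workflow: join exploit-availability intelligence against the asset inventory and rank what to fix first. The following is an added illustration, not code from ATT&CK or Glexia; the feed format, asset fields, scoring weights and CVE placeholders are all constructed assumptions.

```python
# Added example (not ATT&CK or Glexia code): join a constructed exploit-availability
# feed with a constructed asset inventory to rank remediation by exposure.
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    software: str          # product name as it appears in the inventory
    version: str
    internet_facing: bool
    business_critical: bool
    owner: str


# Constructed exploit intelligence, keyed by product. "public" means an exploit is
# published or sold; "reported" means availability is only reported so far.
# CVE identifiers are placeholders, not real vulnerabilities.
EXPLOIT_INTEL = {
    "webapp-server": {"versions": {"2.1", "2.2"}, "status": "public", "ref": "CVE-PLACEHOLDER-1"},
    "vpn-gateway": {"versions": {"7.0"}, "status": "reported", "ref": "CVE-PLACEHOLDER-2"},
    "mail-client": {"versions": {"5.4"}, "status": "public", "ref": "CVE-PLACEHOLDER-3"},
}

# Constructed asset inventory; www-02 runs an unaffected version.
ASSETS = [
    Asset("www-01", "webapp-server", "2.2", True, True, "web-team"),
    Asset("vpn-01", "vpn-gateway", "7.0", True, True, "network-team"),
    Asset("wks-117", "mail-client", "5.4", False, False, "desktop-team"),
    Asset("www-02", "webapp-server", "3.0", True, True, "web-team"),
]


def score(asset, intel):
    """Higher score = patch sooner. Weights are an assumption, not ATT&CK guidance."""
    s = 50 if intel["status"] == "public" else 20
    s += 30 if asset.internet_facing else 0
    s += 20 if asset.business_critical else 0
    return s


def prioritize(assets, intel_feed):
    """Return (score, asset name, owner, exploit ref) tuples for assets running an
    affected version, highest priority first, so each row can go to its owner."""
    ranked = []
    for a in assets:
        intel = intel_feed.get(a.software)
        if intel and a.version in intel["versions"]:
            ranked.append((score(a, intel), a.name, a.owner, intel["ref"]))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for row in prioritize(ASSETS, EXPLOIT_INTEL):
        print(row)
```

In practice the feed would come from the vulnerability and threat-intelligence sources listed under "Likely telemetry", and the output rows would drive the owner notification and emergency-patch decisions the IR playbook calls for.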
Analyst notes and limits
The most useful defensive value is process validation: the key question is whether the organization can turn knowledge that exploits exist into faster exposure reduction and better monitoring for likely follow-on exploitation. This object is especially relevant to vulnerability management, threat intelligence, managed detection, incident response readiness, and audit evidence showing that pre-compromise risk is tracked and acted on.
The supplied ATT&CK object provides no official detection text and identifies the platform only as PRE. It supports conclusions about adversary resource development and exploit acquisition, not confirmation of exploitation inside any environment. Local asset data, vulnerability status, threat intelligence quality, and telemetry availability are required to determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588 | Obtain Capabilities | This object is a sub-technique of Obtain Capabilities. |
Groups, software, and campaigns
G1003: Ember Bear
Ember Bear is a Russian state-sponsored cyber espionage group that has been active since at least 2020, linked to Russia's General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).[1] Ember Bear has primarily focused operations against Ukrainian government and telecommunication entities, but has also operated against critical infrastructure entities in Europe and the Americas.[2] Ember Bear conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[3][4][1] There is some confusion as to whether Ember Bear overlaps with another Russian-linked entity referred to as Saint Bear. At present, available evidence strongly suggests these are distinct activities with different behavioral profiles.[2][5]
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 41b0c198ea4d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Exploit Database: Offensive Security. (n.d.). Exploit Database. Retrieved October 15, 2020.
[2] TempertonDarkHotel: Temperton, J. (2015, August 10). Hacking Team zero-day used in new Darkhotel attacks. Retrieved March 9, 2017.
[3] NationsBuying: Nicole Perlroth and David E. Sanger. (2013, July 12). Nations Buying as Hackers Sell Flaws in Computer Code. Retrieved March 9, 2017.
[4] PegasusCitizenLab: Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.
[5] Wired SandCat Oct 2019: Zetter, K. (2019, October 3). Researchers Say They Uncovered Uzbekistan Hacking Operations Due to Spectacularly Bad OPSEC. Retrieved October 15, 2020.
[6] mitre-attack: MITRE ATT&CK. T1588.005.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.