2. Resource Development
Resource Development (TA0042)
Resource Development consists of techniques that involve adversaries creating, purchasing, or compromising resources that can be used to support targeting. This includes infrastructure (domains, servers), accounts (email, social media), and capabilities (malware signing certificates, exploits).
Techniques Overview
- Establish Accounts: Creating email or social media accounts for persona development.
- Acquire Infrastructure: Buying domains, VPS instances, or serverless functions.
- Compromise Infrastructure: Hijacking legitimate sites (e.g., WordPress) for command and control.
- Develop Capabilities: Writing malware, creating exploits, or modifying open-source tools.
Strategy
This phase is where the "Red Team" sets the stage. Good resource development focuses on resilience and reputation.
- Resilience: If one C2 server is blocked, the operation should continue via a redirector or fallback channel.
- Reputation: Newly registered domains are suspicious. Assets should be aged or categorized (e.g., Health, Finance) before use.
Section Contents
- Compromise Accounts: Compromising existing accounts (email, cloud, social) to support operations.
- Compromise Infrastructure: Using compromised servers as operational nodes. Obfuscated webshells, SOCKS proxying, and pivoting into internal networks.
- Develop Capabilities: From script kiddie to malware dev. Building custom C# loaders, bypassing AMSI, and implementing PPID Spoofing.
- Establish Accounts: Creating and aging realistic personas and accounts for social engineering and infrastructure management.
- Infrastructure Setup: Automation is key. Using Terraform and Ansible to deploy resilient, disposable Red Team infrastructure.
- Obtain Capabilities: Acquiring third-party tools, exploits, and certificates rather than developing them in-house.
- Stage Capabilities: Preparing the infrastructure to deliver the payload.