Tool
In the Resource Development phase, adversaries may obtain specific tools to support their attack objectives. This activity entails acquiring, developing, or stealing software, exploits, or hardware that enable various attack capabilities across the kill chain. These tools can range from publicly available open-source utilities and commercial penetration testing frameworks to custom-developed malware, weaponized exploits, or specialized hardware devices. Adversaries often select tools based on their target environment, operational requirements, and desired capabilities, sometimes modifying existing tools to evade security controls or add functionality.

Unlike the Development phase, which focuses on creating custom tools, this sub-technique emphasizes the acquisition of pre-existing tools that adversaries can deploy with minimal modification. This allows them to rapidly establish capabilities for subsequent attack phases while potentially benefiting from tools that have proven effective in previous campaigns or against similar defensive technologies.