🛰️MITRE ATT&CK: Tactic TA0042 - Resource Development
- bharat kumar
- Nov 1
- 2 min read
Updated: Nov 3

Before striking, attackers prepare. Under TA0042 – Resource Development, adversaries build, buy, or steal the tools and infrastructure needed for later stages — like domains, servers, and credentials. Think of it as their “setup phase” before execution.
⚙️ Types (Sub-Techniques)
Acquire Infrastructure (T1583): Attackers buy or rent domains, servers, or VPS to host phishing pages or C2. Example: Registering fake domains like “micr0soft-secure[.]com”.
Compromise Infrastructure (T1584): Instead of buying, they hijack existing systems to use as relay points. Example: Using compromised WordPress sites to host malware.
Establish Accounts (T1585): Creating fake social media, email, or developer accounts to blend in. Example: Fake LinkedIn profiles of “recruiters” used for spear phishing.
Obtain Capabilities (T1587): Getting malware, exploits, or tools from underground markets. Example: Buying a ready-made Remote Access Trojan (RAT).
Develop Capabilities (T1587.001): Writing or customizing malware in-house to avoid detection. Example: Crafting a new PowerShell loader variant.
Stage Capabilities (T1608): Uploading payloads or staging data on public or compromised servers. Example: Hosting malicious DLLs on GitHub or Pastebin.
🔍 Examples
APT29 (Cozy Bear) registered domains mimicking government agencies before spear-phishing campaigns.
FIN7 developed custom malware and used compromised servers for command and control.
Lazarus Group created fake companies and developer profiles to gain trust and distribute malicious apps.
🛡️ Recommendations & Best Practices
✅ Domain Monitoring: Track new domains similar to your brand to detect typo-squatting.
✅ Threat Intelligence Feeds: Use intel to identify attacker-owned infrastructure early.
✅ Email Security: Block disposable and suspicious domain-based accounts.
✅ Employee Awareness: Educate staff about fake recruiter and vendor profiles.
✅ Code & Repository Scans: Check for data leaks or malicious uploads tied to your org.
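The domain-monitoring recommendation above, worked through as an added example (not part of the original post): a small classifier that folds homoglyphs such as the “0” in the post's “micr0soft-secure[.]com”, then flags near-miss spellings, TLD swaps and brand-embedded labels in a feed of newly registered domains. The feed, the brand “microsoft”, the allowlist and the homoglyph table are all constructed for the example.

```python
import unicodedata
from typing import Optional

# Digit/symbol substitutions often seen in lookalike domains (constructed table, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})

def defang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' into a plain lowercase FQDN."""
    return domain.strip().lower().replace("[.]", ".").strip(".")

def fold(label: str) -> str:
    """Map accented letters (via NFKD) and common homoglyph digits/symbols onto ASCII letters."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.translate(HOMOGLYPHS)

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) for near-miss spellings like 'micrsoft'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brand: str, own_domains: set, max_distance: int = 2) -> Optional[str]:
    """Return why a newly seen domain resembles the brand, or None if it does not.
    Assumes registrable domains (label.tld), as CT-log or zone-file feeds deliver them."""
    fqdn = defang(domain)
    if fqdn in own_domains:
        return None                                # allowlisted: our own registrations
    raw = fqdn.split(".")[0].replace("-", "")      # 'micr0soft-secure' -> 'micr0softsecure'
    folded = fold(raw)                             # -> 'microsoftsecure'
    if folded == brand:
        return "homoglyph" if raw != folded else "tld-swap"
    if levenshtein(folded, brand) <= max_distance:
        return "near-miss"
    if brand in folded:
        return "brand-embedded"
    return None

def scan(domains: list[str], brand: str, own_domains: set) -> list[tuple[str, str]]:
    """Run classify() over a feed and keep only the flagged (domain, reason) pairs."""
    return [(d, r) for d in domains for r in [classify(d, brand, own_domains)] if r]

# Constructed sample feed of "newly registered" domains; the first is the post's own example.
OWN_DOMAINS = {"microsoft.com"}
NEW_DOMAINS = ["micr0soft-secure[.]com", "microsoft.com", "micrsoft.net",
               "mícrosoft.com", "microsoft-login.co", "example.org", "microsoft.co"]
```

Tune `max_distance` to the brand's length: two edits is reasonable for a nine-letter brand but will over-match a three-letter one.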
💡 Key Takeaway: Attackers don’t just appear — they build an ecosystem first. Detecting and disrupting their resources early can break the attack chain before it begins.