T1588.002: T1588.002

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 01/10/2020 04:08 · Modified 27/03/2026 01:11

Essential information

MITRE technique ID: T1588.002
Confidence: 100/100
Revoked: No
Published: 01/10/2020 04:08
Modified: 27/03/2026 01:11
Author / Source: The MITRE Corporation

Aliases

Tool

Platforms

PRE

Description

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. Tools may also be leveraged for testing – for example, evaluating malware against commercial antivirus or endpoint detection and response (EDR) applications.(Citation: Forescout Conti Leaks 2022)(Citation: Sentinel Labs Top Tier Target 2025) Tool acquisition may involve the procurement of commercial software licenses, including for red teaming tools such as Cobalt Strike. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries). Threat actors may also crack trial versions of software.(Citation: Recorded Future Beacon 2019)

Kill chain phases

Kill chain	Phase
mitre-attack	resource-development

Marking (TLP)

External references

mitre-attack (T1588.002)
Forescout Conti Leaks 2022
Sentinel Labs Top Tier Target 2025
Analyzing CS Dec 2020
Recorded Future Beacon 2019

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (70)

TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Trigona uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mirai uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
WIRTE uses

The MITRE Corporation Confidence 100

[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. [WIRTE](https://attack.mitre.org/groups/G0090) has targeted government, diplomatic, financial, military, legal, and technology organizations in the Middle…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Bitter uses T-APT-17

The MITRE Corporation Confidence 100

[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. [BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Telekopye uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT33 uses HOLMIUMElfin

The MITRE Corporation Confidence 100

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
LAPSUS$ uses DEV-0537Strawberry Tempest

The MITRE Corporation Confidence 100

[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mallox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cobalt Group uses GOLD KINGSWOODCobalt Gang

The MITRE Corporation Confidence 100

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 6

1–12 of 70

Xeno RAT uses

Family
GOSHELL uses

Family
ShadowV2 uses

Family
MuddyViper uses

Family
NetSupport uses

Family
SYS01 uses

Family
Track2NFC uses

Family
AllaKore RAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Mélofée uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
NGate uses

Family
PURESTEALER uses

Family
Neo-reGeorg - S1189 uses

Family

← Previous

Page / 5

1–12 of 57

MuddyWater: Snakes by the riverbank related

7 MITREs 6 Malwares 9 Observables 1 APT
Inside DPRK Operations: New Infrastructure Uncovered Across Global … related

1 CVE 20 MITREs 6 Malwares 20 Observables 1 APT
GachiLoader: Defeating Node.js Malware with API Tracing related

10 MITREs 10 Observables
NuGet malware targets crypto wallets, OAuth tokens related

9 MITREs
Gogs Zero-Day RCE (CVE-2025-8110) Actively Exploited related

6 CVEs 11 MITREs 1 Malware
Sneeit WordPress RCE Exploited in the Wild While … related

4 CVEs 9 MITREs 2 Malwares 6 Observables
Critical React2Shell Vulnerability Under Active Exploitation by Chinese … related

1 CVE 6 MITREs 1 Malware 2 Observables 1 APT
Shai-hulud 2.0 Campaign Targets Cloud and Developer Ecosystems related

20 MITREs 1 Malware 6 Observables 1 APT
Shai-Hulud 2.0: Aggressive & Automated, One Of Fastest … related

17 MITREs 1 Malware 4 Observables
Build script exposes PyPI to domain takeover attacks related

1 CVE 9 MITREs
Remote access, real cargo: cybercriminals targeting trucking and … related

10 MITREs 10 Malwares 39 Observables
Suspected Nation-State Threat Actor Uses New Airstalk Malware … related

13 MITREs 1 Malware 6 Observables 1 APT

← Previous

Page / 5

13–24 of 50

Vulnerabilities (CVE) (81)

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2025-37164 KEV targets

10.0 Critical

Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.

Attack vector: NETWORK
Published: 16/12/2025
Modified: 16/03/2026

Undergoing Analysis

CVE-2021-25003 targets

9.8 Critical

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file …

Attack vector: NETWORK
Published: 14/03/2022
Modified: 21/12/2025

CVE-2024-21893 KEV targets

8.2 High

Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure), Ivanti Policy Secure, and Ivanti Neurons contain a server-side request forgery (SSRF) …

Attack vector: Network
Published: 31/01/2024
Modified: 27/05/2026

CVE-2017-11882 KEV targets

7.8 High

Microsoft Office contains a memory corruption vulnerability that allows remote code execution in the context of the current user.

Attack vector: Local
Complexity: Low
Published: 15/11/2017
Modified: 29/05/2026

CWE-119

CVE-2025-8424 targets

8.7 High

Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway when an attacker can get access to the …

Published: 20/12/2025
Modified: 27/05/2026

Received

CVE-2021-21972 KEV targets

VMware vCenter Server vSphere Client contains a remote code execution vulnerability in a vCenter Server plugin which allows an attacker with network …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2025-8110 KEV targets

8.7 High

Gogs contains a path traversal vulnerability affecting improper Symbolic link handling in the PutContents API that could allow for code execution.

Attack vector: NETWORK
Published: 20/12/2025
Modified: 22/01/2026

Awaiting Analysis

CVE-2013-5948 targets

Published: 20/12/2025
Modified: 21/12/2025

CVE-2024-56731 targets

10.0 Critical

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory …

Published: 24/06/2025
Modified: 24/06/2025

Received

CVE-2019-11580 KEV targets

Atlassian Crowd and Crowd Data Center contain a remote code execution vulnerability resulting from a pdkinstall development plugin being incorrectly enabled in …

Published: 03/11/2021
Modified: 21/12/2025

CVE-2024-54148 targets

9.8 Critical

Gogs is an open source self-hosted Git service. A malicious user is able to commit and edit a crafted symlink file to …

Published: 23/12/2024
Modified: 24/12/2024

Awaiting Analysis

← Previous

Page / 7

25–36 of 81

T1588 subtechnique-of

Obtain Capabilities MITRE

Campaign (10)

Night Dragon uses
C0017 uses
ShadowRay uses
C0015 uses
Operation Spalax uses
C0010 uses
Operation Wocao uses
Cutting Edge uses
Operation CuckooBees uses
Triton Safety Instrumented System Attack uses

Contact About Legal notice Privacy policy Terms of use