Create custom payloads

A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. [1]

ID: T1345
Sub-techniques:  No sub-techniques
Tactic: Build Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018

Procedure Examples

Name Description

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[2]


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: It is likely that an adversary will create and develop payloads on inaccessible or unknown networks for OPSEC reasons.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): No

Explanation: Specialized tools exist for research, development, and testing of virus/malware payloads.


  1. Mandiant. (n.d.). APT1: Exposing One of China’s Cyber Espionage Units. Retrieved March 5, 2017.