Post compromise tool development

After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. [1]

ID: T1353
Sub-techniques:  No sub-techniques
Tactic: Build Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Adversary will likely use code repositories, but development will be performed on their local systems.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.


  1. Kaspersky Lab's Global Research & Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved March 9, 2017.