Post compromise tool development
After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. 
Tactic: Build Capabilities
DetectionDetectable by Common Defenses (Yes/No/Partial): No
Explanation: Adversary will likely use code repositories, but development will be performed on their local systems.
Difficulty for the AdversaryEasy for the Adversary (Yes/No): Yes
Explanation: Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.
- Kaspersky Lab's Global Research & Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved March 9, 2017.