The sub-techniques beta is now live! Read the release blog post for more info.

Post compromise tool development

After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. [1]

ID: T1353
Tactic: Build Capabilities
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): No

Explanation: Adversary will likely use code repositories, but development will be performed on their local systems.

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: Post compromise tool development is a standard part of the adversary's protocol in developing the necessary tools required to completely conduct an attack.


  1. Kaspersky Lab's Global Research & Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved March 9, 2017.