T1587.004 is the resource-development technique that covers building exploit code, refreshed in May 2026 when Google Threat Intelligence confirmed a 2FA bypass exploit written with measurable AI assistance: hallucinated CVSS values, over-documented helper functions, an unmistakable model-generated style. Victim telemetry does not see capability development directly. DCV's role for T1587.004 is to shrink the gap that AI-assisted exploit creation widens, by mapping the downstream exploitation step where the resulting code actually fires: T1190 for internet-facing services, T1078 for credentialed pivots after a chained compromise.
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding or modifying exploits available online, or purchasing them from exploit vendors, an adversary may develop their own. Adversaries may use information acquired via the Vulnerabilities technique to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.
As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.
Adversaries may use exploits during various phases of the adversary lifecycle (i.e. Exploit Public-Facing Application, Exploitation for Client Execution, Exploitation for Privilege Escalation, Exploitation for Stealth, Exploitation for Credential Access, Exploitation of Remote Services, and Application or System Exploitation).
Platforms: PRE.
DCV does not currently ship a cloud-audit-log finding mapped directly to T1587.004. The technique earns a library page because a13e research cites it. Detection sits downstream, on the exploitation step the technique enables.
CloudSigma does not currently ship a stand-alone rule that fires on T1587.004 in isolation. Generate a starting-point rule from the CVE, vulnerability disclosure, or threat-research blog post that exercises this technique, then pair it with SIEM-side correlation before enabling in production.
High-fidelity detection of T1587.004 requires correlation across multiple events: for example, a credential-validation call followed by a reconnaissance chain (List* / Describe*) within a short window from an unfamiliar source. A single-event Sigma rule on GetCallerIdentity alone fires constantly on legitimate CLI, SDK and CI/CD activity.
Where you have a specific advisory, vulnerability disclosure or blog post that exercises T1587.004-style abuse, CloudSigma can generate a starting-point rule from that input. You then deploy it in your SIEM and combine it with the SIEM's native correlation features (timeframe joins across users, source-IP anomalies, impossible-travel checks). For T1587.004 specifically the generated rule is rarely sufficient on its own; pair it with the SIEM-side correlation logic before enabling in production.
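The correlation described above, as an added example that is not DCV's or CloudSigma's own code: a Python pass over constructed CloudTrail-style events that flags a GetCallerIdentity from an unfamiliar source IP only when the same principal follows it with at least three List*/Describe* calls from that IP inside a five-minute window. The event fields, the allow-list of known source IPs, the window and the threshold are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

PRINCIPAL = "arn:aws:iam::111122223333:user/ci-deploy"  # constructed ARN


def ev(time, name, ip):
    """Build a minimal CloudTrail-like record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "principal": PRINCIPAL, "sourceIPAddress": ip}


# Constructed sample telemetry: routine CI/CD from a known IP (must NOT fire),
# then a credential check plus reconnaissance burst from an unfamiliar IP.
EVENTS = [
    ev("2026-05-10T09:00:00Z", "GetCallerIdentity", "203.0.113.7"),
    ev("2026-05-10T09:00:05Z", "DescribeInstances", "203.0.113.7"),
    ev("2026-05-10T09:01:00Z", "GetCallerIdentity", "198.51.100.23"),
    ev("2026-05-10T09:01:10Z", "ListBuckets", "198.51.100.23"),
    ev("2026-05-10T09:01:20Z", "ListUsers", "198.51.100.23"),
    ev("2026-05-10T09:01:35Z", "DescribeSecurityGroups", "198.51.100.23"),
    ev("2026-05-10T09:15:00Z", "DescribeInstances", "198.51.100.23"),  # outside window
]
KNOWN_SOURCES = {"203.0.113.7"}  # assumed allow-list of CI/CD egress IPs


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_recon(name):
    return name.startswith(("List", "Describe"))


def correlate(events, known_sources, window_seconds=300, min_recon=3):
    """Return one alert per GetCallerIdentity from an unfamiliar source that the
    same principal and IP follow with >= min_recon List*/Describe* calls in-window."""
    ordered = sorted(events, key=lambda e: parse_time(e["eventTime"]))
    alerts = []
    for i, start in enumerate(ordered):
        if start["eventName"] != "GetCallerIdentity" or start["sourceIPAddress"] in known_sources:
            continue  # known source or not the anchor event: no single-event alert
        deadline = parse_time(start["eventTime"]) + timedelta(seconds=window_seconds)
        recon = [e["eventName"] for e in ordered[i + 1:]
                 if e["principal"] == start["principal"]
                 and e["sourceIPAddress"] == start["sourceIPAddress"]
                 and parse_time(e["eventTime"]) <= deadline and is_recon(e["eventName"])]
        if len(recon) >= min_recon:
            alerts.append({"principal": start["principal"], "source": start["sourceIPAddress"],
                           "start": start["eventTime"], "recon_calls": recon})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, KNOWN_SOURCES):
        print(alert)
```

Lowering the threshold or widening the window trades the false positives the text warns about for earlier coverage; tune both against your own baseline before enabling.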
T1587.004 sits under the MITRE ATT&CK tactic TA0042, Resource Development: how adversaries acquire the infrastructure they will use later.