The cybercrime-as-a-service model means that launching sophisticated attacks no longer requires technical expertise. Malware-as-a-Service (MaaS) operators provide pre-built malware with customer support and user dashboards. Ransomware-as-a-Service (RaaS) platforms offer affiliates ransomware kits with 70/30 or 80/20 profit splits. Initial access brokers sell validated network footholds on underground forums. Exploit-as-a-service subscriptions provide access to weaponized vulnerabilities. Stealers have consistently ranked as the most prevalent malware type sold for the past three years, followed by Remote Access Trojans (RATs). Ransomware appeared in 44% of all breaches in the Verizon 2025 DBIR (up from 32% the prior year), a 37% jump driven by the accessibility of RaaS platforms. T1588 has seven sub-techniques: Malware (T1588.001), Tool (T1588.002), Code Signing Certificates (T1588.003), Digital Certificates (T1588.004), Exploits (T1588.005), Vulnerabilities (T1588.006), and Artificial Intelligence (T1588.007).
T1588 falls under the Resource Development tactic (TA0042) and the PRE platform, meaning it occurs before the adversary interacts with the victim's environment. The technique covers the full range of capabilities an adversary might acquire externally rather than develop in-house: malware (payloads, backdoors, C2 frameworks), legitimate tools repurposed for attack (PsExec, Rclone, Cobalt Strike), exploits and vulnerability information, code signing and digital certificates, and — as of ATT&CK v18 — artificial intelligence capabilities including deepfakes and AI-generated content for social engineering.
Detection of T1588 is inherently difficult because the acquisition of capabilities occurs outside the victim's visibility. The purchase of malware on a dark web forum, the download of an exploit from GitHub, or the procurement of a code signing certificate from a compromised CA leaves no trace in the target's logs. Detection efforts must focus on the downstream use of obtained capabilities rather than the acquisition itself.
The Seven Sub-Techniques
T1588.001 — Malware
Adversaries buy, steal, or download malware including payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. The MaaS ecosystem provides malware on subscription models with technical support, update channels, and affiliate dashboards. Stealers (Lumma, Raccoon, Redline, Vidar) are the top-selling category, followed by RATs. Ransomware dominates the high-end market, with groups like Qilin offering affiliates 80% of ransoms under $3 million and 85% above that threshold. Bitsight's threat intelligence data shows the vast majority of MaaS tools target Windows, with a smaller but growing segment targeting Android. The Contagious Interview campaign (Lazarus Group) uses custom malware distributed through malicious npm packages, with 67 packages identified in a July 2025 escalation. DragonForce introduced a white-label franchise model allowing affiliates to rebrand its ransomware as their own.
T1588.002 — Tool
Adversaries acquire legitimate software tools — open or closed source, free or commercial — and repurpose them for malicious operations. The quintessential example is Cobalt Strike, a commercial red teaming platform widely used by both legitimate penetration testers and criminal threat actors. Tool procurement can involve purchasing commercial licenses, stealing license keys, or cracking trial versions. Mandiant's 2024 analysis noted a decline in Cobalt Strike BEACON usage among ransomware groups, with a corresponding increase in legitimate remote access tools (AnyDesk, ScreenConnect, TeamViewer) being used for C2 and persistence. Other commonly obtained tools include Mimikatz (credential dumping), Rclone (data exfiltration), Impacket (lateral movement), and BloodHound (Active Directory reconnaissance). The GRU has been documented using Kubernetes clusters as operational infrastructure — legitimate cloud tooling repurposed for attack distribution.
T1588.003 — Code Signing Certificates
Adversaries obtain code signing certificates to make their malware appear legitimate. Certificates can be stolen from compromised organizations, purchased from underground markets, or acquired through social engineering of certificate authorities. Code-signed malware bypasses application whitelisting, avoids SmartScreen warnings, and may be trusted by EDR solutions that whitelist signed binaries. The Kimsuky group deployed the Troll Stealer signed with a valid Korean company certificate. Lazarus Group has used stolen certificates across multiple campaigns. The DigiNotar CA compromise in 2011 demonstrated the catastrophic potential of certificate authority attacks, and similar supply chain risks persist in the certificate ecosystem.
T1588.004 — Digital Certificates
Adversaries obtain SSL/TLS certificates for use in C2 infrastructure, watering hole websites, and phishing domains. Free certificate providers like Let's Encrypt are commonly abused to create HTTPS-enabled phishing sites and C2 endpoints that appear legitimate to both users and security tools. Adversaries may also steal existing certificates from compromised servers. The ease of obtaining valid certificates means that HTTPS is no longer an indicator of trustworthiness — attackers can establish encrypted C2 channels with legitimate certificates that pass basic certificate validation. The Billbug (Lotus Blossom) group specifically targeted certificate authorities across Asia, potentially compromising the entire certificate issuance process.
T1588.005 — Exploits
Adversaries buy, steal, or download exploits that target specific vulnerabilities. The commercial exploit market ranges from public proof-of-concept code on GitHub and Exploit-DB to million-dollar zero-day purchases from commercial brokers. NSO Group's Pegasus spyware, which used iPhone zero-day exploits against journalists and human rights defenders, represents the high end of this market. Hacking Team's exploit inventory was exposed in their 2015 breach, revealing sales to government agencies worldwide. The Darkhotel APT used Hacking Team zero-days in targeted attacks. Google's Threat Intelligence documented in January 2026 that an actor named "zeroplayer" functions as an upstream supplier of exploits, providing ready-to-use capabilities that both state-sponsored groups (APT44/Sandworm, TEMP.Armageddon, RomCom) and ransomware operators adopt immediately upon availability. In H1 2025, Recorded Future found that 53% of attributed exploitation was state-sponsored, 27% financially motivated, and 20% ransomware-related.
T1588.006 — Vulnerabilities
Adversaries acquire information about vulnerabilities from public databases (NVD, CVE), security advisories, vendor patches (which they reverse-engineer to create exploits), bug bounty disclosures, and closed vulnerability databases. APT40 (China's Ministry of State Security) was documented by CISA in July 2024 as systematically monitoring vulnerability disclosures to rapidly develop and deploy exploits, often within hours of public disclosure. The delay between vulnerability disclosure and patch deployment creates a window that adversaries exploit aggressively. Vulnerability information is also traded on underground forums, where details about unpatched flaws in widely deployed software command premium prices.
T1588.007 — Artificial Intelligence
Added in ATT&CK v18, this sub-technique covers adversaries obtaining AI capabilities for use in operations. Documented uses include AI-generated deepfake audio for vishing (voice phishing) attacks; in a 2019 case, attackers used AI to mimic a CEO's voice and induce a fraudulent transfer of $243,000. The FBI's December 2024 IC3 alert warned that criminals are using generative AI to facilitate financial fraud. North Korean IT workers use AI to create convincing personas and deepfake videos for fraudulent remote employment at Western companies, as documented by Insikt Group in February 2025. AI is also used to generate convincing phishing emails at scale, create fake social media profiles for social engineering, and automate the development of malware variants. While the Picus Red Report 2025 found no evidence of novel AI-driven malware techniques in 2024, AI is increasingly used for productivity in attack preparation: automating phishing content creation, debugging exploit code, and generating social engineering lures.
The Cybercrime-as-a-Service Ecosystem
Malware-as-a-Service (MaaS)
MaaS operators are organized groups with defined roles: malware developers, system administrators, managers, and technical support staff. They provide pre-built malware on subscription models, with payment options including monthly fees, one-time licenses, and profit-sharing arrangements. The MaaS marketplace provides infostealers (Lumma, Raccoon, Vidar, Redline), RATs (PureRAT, AsyncRAT, Quasar), loaders (BumbleBee, IcedID, QakBot), botnets (Emotet infrastructure), and full ransomware platforms. MaaS operators provide customizable malware variants that limit the effectiveness of signature-based detection. The model fundamentally lowers the barrier to entry: affiliates with no coding ability can launch sophisticated multi-stage attacks using rented infrastructure and pre-built toolkits.
Ransomware-as-a-Service (RaaS)
RaaS is the dominant delivery model for ransomware. Developers create the ransomware, maintain the infrastructure (leak sites, negotiation portals, payment processing), and provide affiliates with customizable payloads. Affiliates handle the actual intrusions and deployments, typically receiving 70-85% of ransom payments. In 2024, global ransomware attacks reached 5,263 incidents. In H1 2025, 96 distinct groups were active (a 41% increase over 2024). When major platforms collapse — as with LockBit (Operation Cronos), BlackBasta (internal leaks), and RansomHub (abrupt shutdown) — affiliates rapidly migrate to alternatives like Qilin, Akira, and DragonForce. DragonForce introduced a white-label franchise model with an 80/20 revenue split, allowing affiliates to operate under their own brand. Qilin incorporated internal legal advisory services and media teams to maximize extortion pressure.
Initial Access Brokers (IABs)
IABs specialize in gaining unauthorized access to corporate networks and selling that access on underground forums. They provide the critical first link in the ransomware kill chain, enabling affiliates to skip reconnaissance and initial compromise entirely. IAB offerings include compromised VPN/RDP credentials, backdoored systems with persistent access, and complete network maps with privileged account access. Kaspersky's 2025 data shows valid accounts represented 31.4% of initial attack vectors, with credentials frequently stolen by infostealers and resold through IABs. Europol's IOCTA 2025 report identifies IABs as "key enablers" for high-tier cybercriminals. The Jaguar Land Rover attack in August 2025 illustrated how a single IAB-brokered compromise cascaded through a supply chain, halting production of 1,000 vehicles per day.
Exploit Brokers and Vulnerability Markets
The exploit market spans a spectrum from free public proof-of-concept code to exclusive zero-day sales worth millions. Google documented the actor "zeroplayer" as an upstream exploit supplier whose ready-to-use capabilities are adopted by both state-sponsored groups and cybercriminals immediately upon availability. The WinRAR CVE-2025-8088 exploitation documented by Google in January 2026 showed APT44 (Sandworm), TEMP.Armageddon, RomCom, and financially motivated actors all adopting the same exploit simultaneously. Commercial surveillance vendors like NSO Group (Pegasus), Intellexa (Predator), and formerly Hacking Team represent the premium end of this market, selling zero-day chains to government clients. The exploit-as-a-service model has resurged in 2025, offering subscription-based access to weaponized vulnerability packages.
Why Obtain Capabilities Matters
T1588 occurs entirely outside the victim's environment. When an adversary purchases Cobalt Strike on an underground forum, downloads a public exploit from GitHub, or subscribes to a MaaS platform, no alert fires in the target's SIEM. Detection must focus on the downstream indicators — the use of obtained tools, the deployment of purchased malware, and the exploitation of acquired vulnerability intelligence — rather than the acquisition itself.
The barrier to entry has been eliminated. The cybercrime-as-a-service ecosystem means that launching sophisticated ransomware attacks, deploying advanced malware, or conducting targeted espionage no longer requires years of technical development. Affiliates can rent complete attack infrastructure from MaaS/RaaS providers, purchase network access from IABs, and acquire exploits from brokers — assembling a full attack capability from commercial components in hours rather than months.
Specialization increases sophistication. When exploit development, malware engineering, initial access procurement, and ransomware deployment are handled by separate specialized groups, each component becomes more sophisticated than any single actor could achieve alone. The result is a professional supply chain where each link is optimized by specialists, producing attacks that are harder to detect and more damaging than monolithic operations.
Attribution becomes nearly impossible. When the same MaaS platform is used by dozens of affiliates, the same exploits are adopted by both state-sponsored and criminal actors simultaneously, and initial access is brokered through multiple intermediaries, traditional attribution based on tooling and TTPs breaks down. Google's documentation of WinRAR CVE-2025-8088 exploitation by APT44, TEMP.Armageddon, RomCom, and financial criminals simultaneously illustrates how shared capability acquisition blurs the line between state-sponsored and criminal operations.
AI capabilities are expanding the attack surface. The addition of T1588.007 (Artificial Intelligence) reflects a growing threat vector. AI-generated deepfake audio for CEO fraud, AI-created personas for social engineering, and AI-assisted malware development are all documented in the wild. While AI has not yet produced genuinely novel attack techniques, it serves as a productivity multiplier that enables attackers to scale social engineering, create more convincing lures, and accelerate exploit development.
Disruption has outsized impact. Because the cybercrime ecosystem depends on shared infrastructure and capability providers, disrupting key MaaS platforms, IAB marketplaces, or exploit brokers can have cascading effects across the entire criminal ecosystem. Europol's IOCTA 2025 report and operations like Endgame 2.0 demonstrate that targeting the enablers rather than individual attackers can disrupt downstream operations at scale.
Real-World Case Studies
Case 1: The Ransomware Supply Chain — From IAB to Encryption (2024–2025)
The modern ransomware attack illustrates T1588 at every stage. An infostealer (obtained as MaaS) harvests credentials from a victim's browser. Those credentials are sold on an underground marketplace. An initial access broker purchases them, validates network access, and lists the access on a forum for $5,000-$50,000. A ransomware affiliate (using a RaaS platform like Qilin or DragonForce) purchases the access. They deploy Cobalt Strike (obtained via cracked license or legitimate purchase) for C2, Mimikatz (freely downloaded) for credential dumping, and Rclone (open-source download) for data exfiltration. Finally, the RaaS-provided ransomware payload encrypts the environment. Every tool in the chain was obtained rather than developed — five separate T1588 instances in a single attack. Arctic Wolf's 2025 Threat Report documented that ransomware constituted 44% of their incident response cases in 2024.
Case 2: CVE-2025-8088 — Exploit Commoditization in Real-Time (January 2026)
Google's Threat Intelligence Group documented the exploitation of WinRAR CVE-2025-8088, a critical path traversal vulnerability, by a diverse range of threat actors. The actor "zeroplayer" served as an upstream exploit supplier, providing ready-to-use capabilities that were simultaneously adopted by APT44/Sandworm (Russian military intelligence, targeting Ukrainian military), TEMP.Armageddon/Gamaredon (Russian, targeting Ukrainian government), RomCom/UNC4895 (dual financial and espionage, targeting Ukrainian military), and financially motivated cybercriminals. The speed of adoption demonstrated that when a reliable exploit enters the marketplace, it is instantly commoditized across the full spectrum of threat actors.
Case 3: NSO Group / Pegasus — Commercial Exploit Market
NSO Group's Pegasus spyware represents the premium tier of T1588.005 (Exploits). The platform uses chains of zero-day exploits targeting iOS and Android to achieve zero-click remote compromise of mobile devices. Clients include government intelligence agencies who pay millions of dollars per deployment. Pegasus was used against journalists, human rights defenders, and political figures worldwide, as documented by Citizen Lab and Amnesty International. The "Million Dollar Dissident" case (2016) exposed the use of three iOS zero-days against a UAE human rights defender. The commercial surveillance industry — including NSO Group, Intellexa/Predator, and formerly Hacking Team — demonstrates that exploit acquisition is not limited to dark web forums; it operates as a legitimate business serving government clients.
Case 4: North Korean AI-Powered Employment Fraud (2025)
North Korean IT workers use AI capabilities (T1588.007) to create convincing personas and deepfake videos for fraudulent remote employment at Western technology companies. Insikt Group documented this operation in February 2025, noting that workers use AI-generated profile photos, deepfake video for interviews, and AI-assisted communication to maintain the illusion of being legitimate Western-based employees. The earnings are funneled back to the DPRK regime. Separately, the Contagious Interview campaign (Lazarus Group) uses fake job assessment websites and malicious npm packages to compromise developer workstations. The FBI's December 2024 IC3 alert warned that criminals broadly are using generative AI to facilitate financial fraud, including AI voice cloning for vishing attacks.
Case 5: DragonForce — The White-Label RaaS Franchise (2025)
DragonForce introduced a white-label franchise model that represents the maturation of the RaaS supply chain. Affiliates can operate under their own brand name using DragonForce-provided ransomware toolkits with an 80/20 revenue split. Following the collapse of RansomHub in March 2025, DragonForce reportedly absorbed their infrastructure and affiliates in what may have been a hostile takeover. The franchise model means that affiliates need to obtain only one capability — a RaaS subscription — to receive complete attack infrastructure including ransomware payloads, leak sites, negotiation portals, and potentially initial access through the platform's IAB partnerships. This represents the logical endpoint of the T1588 ecosystem: a complete attack capability available as a commercial subscription.
Detection Strategies
T1588 occurs outside the victim's environment, making direct detection of capability acquisition impossible through traditional security monitoring. Detection strategies must focus on identifying the downstream use of obtained capabilities: deployment of known malware families, execution of cracked commercial tools, use of stolen certificates, exploitation of recently disclosed vulnerabilities, and indicators of AI-generated content in social engineering attacks.
| Data Source | Component | Detection Focus |
|---|---|---|
| Malware Repository | Malware Metadata | Track known MaaS/RaaS malware families; correlate samples with threat intelligence feeds on active campaigns |
| Internet Scan | Response Content | Monitor for new C2 infrastructure using known tool signatures (Cobalt Strike Beacon, Sliver, Havoc); JA4+ fingerprinting |
| Certificate | Certificate Registration | Track certificates issued to suspicious domains; monitor for stolen or misused code signing certificates |
| Threat Intelligence | Dark Web Monitoring | Monitor underground forums for IAB listings mentioning your organization, industry, or infrastructure |
| Vulnerability | Exploit Activity | Prioritize patching for vulnerabilities with public exploits; track exploit broker activity for early warning |
| Social Engineering | Content Analysis | Detect AI-generated content in phishing emails; identify deepfake audio/video in vishing attempts |
Splunk / SIEM Detection Queries
Known MaaS/RaaS Tool Execution — Detect execution of tools commonly obtained through cybercrime marketplaces:
```spl
index=sysmon EventCode=1
| where match(OriginalFileName, "(?i)(CobaltStrike|beacon|mimikatz|rubeus|sharphound|bloodhound|psexec|rclone|megasync|anydesk)")
    OR match(Image, "(?i)(beacon|mimikatz|rubeus|sharphound)")
| stats count values(CommandLine) as commands values(Image) as images
    by ComputerName User OriginalFileName
| sort - count
```
Suspicious Code Signing Certificate Usage — Identify signed executables and DLLs whose signature does not validate (expired, revoked, or otherwise untrusted certificates) and that are loaded from outside the OS and Program Files directories:
```spl
index=sysmon EventCode=7 SignatureStatus!=Valid Signed=true
| where NOT match(Image, "(?i)(windows|program files|programdata)")
| stats count values(Image) as images values(Signature) as signers
    dc(ComputerName) as affected_hosts by SignatureStatus
| where count > 3
| sort - affected_hosts
```
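The two Sysmon rules above, re-implemented as offline Python so the matching, grouping and threshold logic can be checked against constructed events before the SPL is deployed. This is an added example, not code from the original article; the event dictionaries are constructed sample data using the Splunk Sysmon add-on field names (EventCode, ComputerName, User, OriginalFileName, Image, CommandLine, Signed, SignatureStatus, Signature), and no real telemetry is involved.

```python
"""Offline re-implementation of the two Sysmon detections above, run over
constructed sample events (added example, not the article's own code)."""
import re
from collections import defaultdict

# Constructed sample telemetry (not real events). EventCode 1 = process
# creation, EventCode 7 = image loaded.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ComputerName": "WS01", "User": "CORP\\alice",
     "OriginalFileName": "mimikatz.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\mk.exe",
     "CommandLine": "mk.exe"},
    {"EventCode": 1, "ComputerName": "WS01", "User": "CORP\\alice",
     "OriginalFileName": "mimikatz.exe",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\mk.exe",
     "CommandLine": "mk.exe -h"},
    {"EventCode": 1, "ComputerName": "WS02", "User": "CORP\\bob",
     "OriginalFileName": "rclone.exe", "Image": "C:\\Tools\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\Finance remote:bucket"},
    {"EventCode": 1, "ComputerName": "WS02", "User": "CORP\\bob",
     "OriginalFileName": "notepad.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
    # A DLL with an expired signature loaded four times across two hosts.
    *[{"EventCode": 7, "ComputerName": host, "Signed": "true",
       "SignatureStatus": "Expired", "Signature": "Example Soft Ltd",
       "Image": f"C:\\Users\\{user}\\AppData\\Roaming\\updater.dll"}
      for host, user in [("WS01", "alice"), ("WS01", "alice"),
                         ("WS03", "carol"), ("WS03", "carol")]],
    {"EventCode": 7, "ComputerName": "WS02", "Signed": "true",
     "SignatureStatus": "Revoked", "Signature": "Old Vendor Inc",
     "Image": "C:\\Tools\\helper.dll"},
    {"EventCode": 7, "ComputerName": "WS02", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
     "Image": "C:\\Windows\\System32\\kernel32.dll"},
    {"EventCode": 7, "ComputerName": "WS04", "Signed": "true",
     "SignatureStatus": "Expired", "Signature": "Legacy Vendor",
     "Image": "C:\\Program Files\\Legacy\\old.dll"},   # excluded by path filter
]

# Same patterns as the Splunk queries; (?i) makes them case-insensitive.
TOOL_NAME_RE = re.compile(r"(?i)(CobaltStrike|beacon|mimikatz|rubeus|sharphound|"
                          r"bloodhound|psexec|rclone|megasync|anydesk)")
TOOL_IMAGE_RE = re.compile(r"(?i)(beacon|mimikatz|rubeus|sharphound)")
SYSTEM_PATH_RE = re.compile(r"(?i)(windows|program files|programdata)")


def detect_known_tools(events):
    """Rule 1: process creations naming a commonly obtained tool, aggregated
    per host/user/OriginalFileName like the `stats ... by` clause."""
    groups = defaultdict(lambda: {"count": 0, "commands": set(), "images": set()})
    for ev in events:
        if ev.get("EventCode") != 1:
            continue
        if not (TOOL_NAME_RE.search(ev.get("OriginalFileName", ""))
                or TOOL_IMAGE_RE.search(ev.get("Image", ""))):
            continue
        g = groups[(ev["ComputerName"], ev["User"], ev["OriginalFileName"])]
        g["count"] += 1
        g["commands"].add(ev.get("CommandLine", ""))
        g["images"].add(ev.get("Image", ""))
    return sorted(({"key": k, **v} for k, v in groups.items()),
                  key=lambda g: -g["count"])


def detect_bad_signatures(events, min_count=3):
    """Rule 2: image loads carrying a signature Sysmon did not rate Valid
    (expired, revoked, untrusted chain) from outside the OS/Program Files
    trees, grouped per SignatureStatus and kept once count > min_count."""
    groups = defaultdict(lambda: {"count": 0, "images": set(),
                                  "signers": set(), "hosts": set()})
    for ev in events:
        if (ev.get("EventCode") != 7 or ev.get("Signed") != "true"
                or ev.get("SignatureStatus") == "Valid"):
            continue
        if SYSTEM_PATH_RE.search(ev.get("Image", "")):
            continue
        g = groups[ev["SignatureStatus"]]
        g["count"] += 1
        g["images"].add(ev["Image"])
        g["signers"].add(ev.get("Signature", ""))
        g["hosts"].add(ev["ComputerName"])
    results = [{"SignatureStatus": status, "count": g["count"],
                "images": g["images"], "signers": g["signers"],
                "affected_hosts": len(g["hosts"])}
               for status, g in groups.items() if g["count"] > min_count]
    return sorted(results, key=lambda r: -r["affected_hosts"])


if __name__ == "__main__":
    for hit in detect_known_tools(SAMPLE_EVENTS):
        print("tool   ", hit["key"], hit["count"], sorted(hit["commands"]))
    for hit in detect_bad_signatures(SAMPLE_EVENTS):
        print("sigstat", hit["SignatureStatus"], hit["count"],
              "hosts:", hit["affected_hosts"], sorted(hit["signers"]))
```

The `min_count` parameter mirrors the `where count > 3` clause; lowering it during tuning shows the single Revoked load that the production threshold suppresses, which is the kind of low-volume event worth a separate, lower-threshold rule when the signer is unknown to the organization.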
Rapid Exploitation After Disclosure — Detect exploitation attempts for recently disclosed CVEs targeting your environment:
```spl
index=ids_ips alert_severity IN ("high","critical")
| where match(signature, "(?i)(CVE-202[4-6])")
| stats count earliest(_time) as first_seen latest(_time) as last_seen
    dc(src_ip) as source_count values(dest_ip) as targets
    by signature
| eval time_since_first=round((last_seen-first_seen)/3600,1)
| sort - count
```
IAB Indicator Correlation — Correlate threat intelligence on compromised credentials with authentication activity:
```spl
index=windows EventCode=4624 Logon_Type IN (3,10)
| lookup iab_compromised_creds.csv TargetUserName OUTPUT breach_source compromise_date
| where isnotnull(breach_source)
| stats count values(Source_Network_Address) as login_sources
    values(breach_source) as breach_sources by TargetUserName
| sort - count
```
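The credential-correlation query above, as an added Python example (not code from the original article) run over constructed 4624 logon events and a constructed lookup in the shape of iab_compromised_creds.csv. It goes one step beyond the SPL by also counting logons that occurred after the listed compromise date, a field the lookup returns but the query does not use; those logons are the ones most likely to be the broker's customer rather than the legitimate user.

```python
"""Offline version of the IAB credential-correlation query above, over
constructed logon events and a constructed compromised-credential lookup
(added example, not the article's own code)."""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed lookup in the shape of iab_compromised_creds.csv (sample data).
IAB_LOOKUP_CSV = """TargetUserName,breach_source,compromise_date
jdoe,infostealer-log-dump-2025-09,2025-09-14
msmith,underground-forum-iab-listing,2025-10-02
"""

# Constructed Windows 4624 (successful logon) events; field names follow the
# Splunk Windows add-on. Logon_Type 3 = network, 10 = RemoteInteractive (RDP).
LOGON_EVENTS = [
    {"EventCode": 4624, "TargetUserName": "jdoe", "Logon_Type": 3,
     "Source_Network_Address": "10.0.0.5", "_time": "2025-09-10T09:00:00"},
    {"EventCode": 4624, "TargetUserName": "jdoe", "Logon_Type": 10,
     "Source_Network_Address": "203.0.113.7", "_time": "2025-09-20T02:14:00"},
    {"EventCode": 4624, "TargetUserName": "jdoe", "Logon_Type": 2,   # console logon, out of scope
     "Source_Network_Address": "10.0.0.5", "_time": "2025-09-21T09:00:00"},
    {"EventCode": 4624, "TargetUserName": "asmith", "Logon_Type": 3,  # not in the lookup
     "Source_Network_Address": "10.0.0.9", "_time": "2025-09-21T10:00:00"},
    {"EventCode": 4624, "TargetUserName": "msmith", "Logon_Type": 10,
     "Source_Network_Address": "198.51.100.22", "_time": "2025-10-05T23:40:00"},
]


def load_lookup(csv_text):
    """Parse the lookup into {user: (breach_source, compromise_date)}."""
    lookup = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        lookup[row["TargetUserName"]] = (
            row["breach_source"], datetime.fromisoformat(row["compromise_date"]))
    return lookup


def correlate_iab_logons(events, csv_text, logon_types=(3, 10)):
    """Join network/RDP logons against the compromised-credential list and
    aggregate per user, like the `lookup` + `stats ... by TargetUserName`
    clauses. Also counts logons at or after the compromise date."""
    lookup = load_lookup(csv_text)
    groups = defaultdict(lambda: {"count": 0, "login_sources": set(),
                                  "breach_sources": set(),
                                  "post_compromise_logins": 0})
    for ev in events:
        if ev.get("EventCode") != 4624 or ev.get("Logon_Type") not in logon_types:
            continue
        user = ev["TargetUserName"]
        if user not in lookup:          # equivalent of where isnotnull(breach_source)
            continue
        breach_source, compromised_at = lookup[user]
        g = groups[user]
        g["count"] += 1
        g["login_sources"].add(ev["Source_Network_Address"])
        g["breach_sources"].add(breach_source)
        if datetime.fromisoformat(ev["_time"]) >= compromised_at:
            g["post_compromise_logins"] += 1
    return sorted(({"TargetUserName": u, **g} for u, g in groups.items()),
                  key=lambda r: -r["count"])


if __name__ == "__main__":
    for row in correlate_iab_logons(LOGON_EVENTS, IAB_LOOKUP_CSV):
        print(row["TargetUserName"], row["count"], "logons;",
              row["post_compromise_logins"], "after compromise, from",
              sorted(row["login_sources"]))
```

In production the lookup would be refreshed from the threat-intelligence feed, and a logon from a source address never seen for that account before the compromise date is the highest-priority row to investigate.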
Known Threat Actors
Nation-State Groups Obtaining Capabilities
| Threat Actor | Capabilities Obtained | Notable Detail |
|---|---|---|
| APT29 / Cozy Bear | Cobalt Strike, Sliver, commercial tools | Shift from custom to commercial tooling; StellarParticle campaign |
| APT41 / Brass Typhoon | Cobalt Strike, Metasploit, custom + obtained malware | Dual espionage/financial operations; uses both developed and obtained capabilities |
| GRU / APT28 | Kubernetes infrastructure, exploit code | Global brute force campaign using legitimate cloud infrastructure |
| APT40 / MSS | Vulnerability intelligence, n-day exploits | Rapidly weaponizes public vulnerability disclosures (CISA July 2024) |
| Lazarus Group | Stolen code signing certs, malware, npm packages | Contagious Interview; 67+ malicious npm packages (July 2025) |
| DPRK IT Workers | AI deepfakes, generative AI tools | Fraudulent Western employment using AI-generated personas (T1588.007) |
| Turla / FSB | Custom + obtained tools, exploit code | Galaxy of tools: both custom-developed and commercially obtained |
| Darkhotel | Hacking Team zero-days | Purchased exploits from commercial surveillance vendor |
Cybercrime Ecosystem
| Entity | Role in T1588 Ecosystem | Notable Detail |
|---|---|---|
| Qilin RaaS | Ransomware provider (T1588.001) | 80-85% affiliate split; legal advisory services; 1,034 victims (2025) |
| DragonForce | White-label RaaS franchise (T1588.001) | 80/20 split; absorbed RansomHub infrastructure; brand licensing |
| Initial Access Brokers | Network access sales (T1588.001/002) | Key enablers per Europol IOCTA 2025; JLR supply chain attack (Aug 2025) |
| "zeroplayer" | Upstream exploit supplier (T1588.005) | Google-documented supplier to state and criminal actors; CVE-2025-8088 |
| NSO Group / Pegasus | Commercial exploit vendor (T1588.005) | Zero-click iOS exploits sold to governments; $2.5M+ per deployment |
| Lumma / Raccoon / Vidar | MaaS infostealer providers (T1588.001) | Top-selling malware category; credential harvesting at scale |
| Emotet (rebuilt) | Loader/botnet MaaS (T1588.001) | Re-emerged post-2021 takedown; one of the most durable MaaS platforms |
| LabHost (dismantled) | Phishing-as-a-Service (T1588.001) | 42,000 domains; 500K cards; 1M+ credentials before FBI takedown |
Defensive Recommendations
1. Invest in Threat Intelligence
Monitor underground forums, dark web marketplaces, and paste sites for mentions of your organization, industry, or infrastructure. Track IAB listings that reference your technology stack, geographic region, or sector. Subscribe to threat intelligence feeds that track active MaaS campaigns, new RaaS platforms, and exploit broker activity. Early warning of capability acquisition provides the opportunity to strengthen defenses before an attack materializes.
2. Prioritize Vulnerability Management
Rapidly patch vulnerabilities with public exploit code, especially those appearing in exploit broker offerings. APT40 weaponizes public disclosures within hours. The zeroplayer ecosystem demonstrates that reliable exploits are instantly adopted by the full spectrum of threat actors. Implement a risk-based vulnerability management program that prioritizes exploited-in-the-wild CVEs (CISA KEV catalog) over CVSS scores alone.
3. Monitor for Known Tool Indicators
Deploy detection for commonly obtained tools: Cobalt Strike Beacon (JA4+ fingerprints, malleable C2 patterns), Sliver/Havoc (JA4X certificate fingerprints), Mimikatz (LSASS access patterns), and Rclone (cloud storage connections). Because these tools are widely obtained through T1588, detecting their use provides coverage across multiple threat actors regardless of who purchased or downloaded them.
4. Implement Certificate Monitoring
Monitor Certificate Transparency logs for certificates issued to domains similar to your organization's. Track code signing certificate usage in your environment and alert on executables signed with unknown or recently-issued certificates. Revoke and replace certificates immediately if compromise is suspected. Consider implementing certificate pinning for critical internal services.
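An added example (not the article's own code) of the Certificate Transparency check in recommendation 4: a lookalike-domain screen run over constructed CT entries in the shape of crt.sh JSON records. The organization domain examplecorp.com, the entries and the homoglyph table are assumptions; registrable-domain extraction is deliberately naive (last two labels), and a real deployment would use the Public Suffix List and feed it from a CT log monitor rather than a static list.

```python
"""Added example: screen CT log entries for domains that look like the
organization's. ORG_DOMAIN, CT_ENTRIES and HOMOGLYPHS are assumptions."""

ORG_DOMAIN = "examplecorp.com"   # assumed organization domain (placeholder)

# Constructed CT entries in the shape of crt.sh JSON records (sample data).
# crt.sh packs all SANs of one certificate into name_value, newline-separated.
CT_ENTRIES = [
    {"name_value": "login.examplecorp.com",
     "issuer_name": "O=Let's Encrypt, CN=R11", "not_before": "2026-01-05"},
    {"name_value": "examplecorp-login.com",
     "issuer_name": "O=Let's Encrypt, CN=R11", "not_before": "2026-01-06"},
    {"name_value": "examp1ecorp.com\nwww.examp1ecorp.com",
     "issuer_name": "O=Let's Encrypt, CN=R10", "not_before": "2026-01-06"},
    {"name_value": "exampelcorp.net",
     "issuer_name": "O=Example CA, CN=Example DV CA", "not_before": "2026-01-07"},
    {"name_value": "unrelated-shop.org",
     "issuer_name": "O=Let's Encrypt, CN=R11", "not_before": "2026-01-07"},
    {"name_value": "*.examplecorp.co",
     "issuer_name": "O=Let's Encrypt, CN=R11", "not_before": "2026-01-08"},
]

# Visually confusable substitutions applied before comparison (assumed list).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")]


def normalize(label):
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(name):
    """Naive registrable domain: last two labels, wildcard prefix stripped.
    Use the Public Suffix List in production (example.co.uk would break here)."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def find_lookalikes(entries, org_domain=ORG_DOMAIN, max_distance=2):
    """Return one finding per distinct lookalike domain present in the entries."""
    brand = org_domain.split(".")[0]
    findings, seen = [], set()
    for entry in entries:
        for name in entry["name_value"].split("\n"):
            domain = registrable(name)
            if domain == org_domain or domain in seen:
                continue                 # our own domain, or already examined
            seen.add(domain)
            label = domain.split(".")[0]
            distance = levenshtein(normalize(label), brand)
            if distance == 0:
                reason = f"same label as {brand} (different TLD or homoglyph)"
            elif distance <= max_distance:
                reason = f"edit distance {distance} from {brand}"
            elif brand in label:
                reason = f"embeds brand token {brand}"
            else:
                continue
            findings.append({"domain": domain, "reason": reason,
                             "issuer": entry["issuer_name"],
                             "not_before": entry["not_before"]})
    return findings


if __name__ == "__main__":
    for f in find_lookalikes(CT_ENTRIES):
        print(f"{f['domain']:24} {f['not_before']}  {f['reason']}")
```

Certificates for the organization's own domain are skipped here because they are not lookalikes; a complete CT monitor would report those too, so that issuance nobody requested can be investigated as a possible T1588.004 precursor.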
5. Defend Against AI-Enabled Social Engineering
Implement verification procedures for high-value financial transactions and sensitive requests that cannot be bypassed by a convincing phone call or video. Establish out-of-band confirmation channels for wire transfers and access requests. Train employees on deepfake awareness. For hiring processes, implement identity verification steps that are resistant to AI-generated personas.
6. Disrupt the Kill Chain Early
Because T1588 is invisible to defenders, focus on detecting the earliest downstream techniques: initial access attempts using obtained credentials (brute force, credential stuffing), deployment of obtained malware (known MaaS families), and exploitation using obtained vulnerability information. Early kill chain detection prevents the adversary from leveraging their obtained capabilities regardless of how sophisticated those capabilities are.
7. Participate in Coordinated Disruption
Share indicators of compromise with ISACs, law enforcement, and industry partners. Coordinated takedowns of MaaS platforms (Emotet), RaaS infrastructure (LockBit/Operation Cronos), and IAB marketplaces have demonstrated that disrupting capability providers has outsized downstream impact. Europol's Endgame 2.0 operation dismantled critical ransomware infrastructure by targeting shared enablers rather than individual affiliates.
8. Assume Breach Posture
Given that sophisticated attack capabilities are commercially available to anyone, assume that adversaries can obtain whatever tools they need. Design defensive architecture around detection and response rather than prevention alone. Implement network segmentation, least privilege access, and comprehensive monitoring that can detect and contain an adversary who has obtained and deployed professional-grade attack capabilities.
MITRE ATT&CK Mapping
| Field | Value |
|---|---|
| Technique ID | T1588 |
| Name | Obtain Capabilities |
| Tactic | Resource Development (TA0042) |
| Sub-Techniques | T1588.001 Malware, T1588.002 Tool, T1588.003 Code Signing Certificates, T1588.004 Digital Certificates, T1588.005 Exploits, T1588.006 Vulnerabilities, T1588.007 Artificial Intelligence |
| Platforms | PRE |
| Version | 1.1 (Last Modified October 2025) |
| Data Sources | Malware Repository, Internet Scan, Certificate Registration, Threat Intelligence |
| Related Techniques | T1587 Develop Capabilities, T1583 Acquire Infrastructure, T1584 Compromise Infrastructure, T1586 Compromise Accounts |
Sources and References
This article draws on government advisories, vendor threat intelligence, industry reports, and law enforcement publications. All referenced sources are publicly available.
- Google Threat Intelligence — Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 (January 2026): cloud.google.com
- Recorded Future — H1 2025 Malware and Vulnerability Trends: recordedfuture.com
- Check Point — 2025 State of Cyber Security Report (44% Attack Increase): checkpoint.com
- Europol — Internet Organised Crime Threat Assessment (IOCTA) 2025: referenced via darknet.org.uk
- Bitsight — What Is Malware-as-a-Service? Inside MaaS (August 2025): bitsight.com
- Brandefense — Forum Watch: What Cybercriminals Are Selling In 2025 (November 2025): brandefense.io
- Arctic Wolf — Initial Access Brokers: The Hidden Players Behind Ransomware (October 2025): arcticwolf.com
- Insikt Group (Recorded Future) — Inside the Scam: North Korea's IT Worker Threat (February 2025): referenced via attack.mitre.org
- FBI IC3 — Criminals Use Generative Artificial Intelligence to Facilitate Financial Fraud (December 2024): referenced via attack.mitre.org
- Verizon — 2025 Data Breach Investigations Report (Ransomware in 44% of Breaches): referenced via allcovered.com
- MITRE ATT&CK — T1588 Obtain Capabilities (v18, October 2025): attack.mitre.org