Which SIEM platforms have a T1587 detection rule?

df00tech provides T1587 (Develop Capabilities) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Develop Capabilities (T1587)?

Detecting Develop Capabilities requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1587 detection?

The T1587 detection is rated high severity with low confidence.

What are common false positives for T1587?

Common false positives for T1587 include: Internal development teams executing locally compiled utilities or test binaries that have not yet been signed; Open-source or portable applications distributed without code signing (e.g., command-line utilities, Python scripts compiled with PyInstaller); Legitimate penetration testing tools (Cobalt Strike, Metasploit, custom scripts) used by authorized red team engagements.

T1587

Develop Capabilities

Resource Development Last updated: April 13, 2026

This detection identifies indicators that adversaries have deployed custom-developed capabilities within the target environment. Because T1587 (Develop Capabilities) occurs outside the victim network during the adversary lifecycle, direct detection is impossible; instead, this rule focuses on second-order indicators: unsigned or self-signed executables executing from non-standard paths, low-prevalence binaries making network connections, and novel tooling patterns associated with bespoke malware frameworks. Groups such as Kimsuky, Moonstone Sleet, and Contagious Interview are known to develop custom tools—including malicious NPM packages, spearphishing toolkits, and custom implants—that exhibit these characteristics upon deployment. The detection correlates signature anomalies, environmental prevalence, and behavioral signals to surface likely custom-developed tools used in targeted intrusions.

What is T1587 Develop Capabilities?

Develop Capabilities (T1587) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.

This page provides production-ready detection logic for Develop Capabilities, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint. The queries below are rated high severity at low confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1587 Develop Capabilities
Canonical reference: https://attack.mitre.org/techniques/T1587/

Microsoft Sentinel / Defender

kusto

let ExcludedPaths = dynamic([
    @"C:\Windows\System32",
    @"C:\Windows\SysWOW64",
    @"C:\Program Files",
    @"C:\Program Files (x86)",
    @"C:\Windows\WinSxS"
]);
let SuspiciousSignatureStates = dynamic(["Unsigned", "SignedByUntrustedCertificate", "SignedByInvalidCertificate"]);
let LookbackWindow = ago(1d);
// Step 1: Find low-prevalence unsigned executables executing from non-standard paths
let UnsignedExecs = DeviceProcessEvents
| where TimeGenerated > LookbackWindow
| where ProcessSignatureStatus in (SuspiciousSignatureStates)
| where not(FolderPath has_any (ExcludedPaths))
| extend SuspiciousLocation = case(
    FolderPath startswith @"C:\Users\" and FolderPath has "\AppData\Local\Temp", true,
    FolderPath startswith @"C:\Users\" and FolderPath has "\Downloads", true,
    FolderPath startswith @"C:\ProgramData\", true,
    FolderPath startswith @"C:\Temp\", true,
    FolderPath startswith @"C:\Windows\Temp\", true,
    false
)
| extend RiskScore = case(
    ProcessSignatureStatus == "Unsigned" and SuspiciousLocation == true, 40,
    ProcessSignatureStatus == "SignedByUntrustedCertificate" and SuspiciousLocation == true, 35,
    ProcessSignatureStatus == "SignedByInvalidCertificate", 30,
    ProcessSignatureStatus == "Unsigned" and SuspiciousLocation == false, 20,
    10
)
| where RiskScore >= 30
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256, ProcessSignatureStatus, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore;
// Step 2: Correlate with network events to identify beaconing custom implants
let UnsignedWithNetwork = UnsignedExecs
| join kind=leftouter (
    DeviceNetworkEvents
    | where TimeGenerated > LookbackWindow
    | where RemoteIPType != "Private"
    | summarize NetworkConnections=count(), UniqueRemoteIPs=dcount(RemoteIP), RemoteIPList=make_set(RemoteIP, 5), RemotePorts=make_set(RemotePort, 5) by InitiatingProcessSHA256
) on $left.SHA256 == $right.InitiatingProcessSHA256
| extend NetworkRiskBonus = case(
    NetworkConnections > 10, 20,
    NetworkConnections > 0, 10,
    0
)
| extend TotalRisk = RiskScore + NetworkRiskBonus;
// Step 3: Deduplicate by SHA256 to surface unique custom tools
UnsignedWithNetwork
| summarize
    AlertCount = count(),
    AffectedDevices = dcount(DeviceName),
    DeviceList = make_set(DeviceName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleCommandLine = take_any(ProcessCommandLine),
    SampleInitiatingProcess = take_any(InitiatingProcessFileName),
    MaxRisk = max(TotalRisk),
    HasNetworkActivity = max(NetworkConnections) > 0
    by FileName, SHA256, FolderPath, ProcessSignatureStatus
| where AffectedDevices < 5  // Low environmental prevalence — likely custom tooling
| order by MaxRisk desc, AffectedDevices asc

Detects execution of unsigned or untrusted-certificate-signed binaries from non-standard filesystem paths with low environmental prevalence, optionally correlated with external network connections. This pattern is characteristic of custom-developed malware or bespoke implants deployed by threat actors following their own capability development phase. The query scores each observed binary by signature state and execution path suspiciousness, then surfaces only low-prevalence samples (seen on fewer than 5 devices) to minimize commodity software noise.

high severity low confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Internal development teams executing locally compiled utilities or test binaries that have not yet been signed
Open-source or portable applications distributed without code signing (e.g., command-line utilities, Python scripts compiled with PyInstaller)
Legitimate penetration testing tools (Cobalt Strike, Metasploit, custom scripts) used by authorized red team engagements
Software distributed via internal package managers or deployment tools that bypasses standard code signing workflows
Vendor-supplied diagnostic utilities that are unsigned by design

Splunk

spl

| union
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
  | where Signed="false" OR SignatureStatus IN ("Unavailable", "Invalid", "Expired")
  | where NOT match(ImageLoaded, "(?i)(C:\\\\Windows\\\\System32|C:\\\\Windows\\\\SysWOW64|C:\\\\Program Files|C:\\\\Windows\\\\WinSxS)")
  | eval EventType="ImageLoad", SuspiciousBinary=ImageLoaded, LoadingProcess=Image
  | fields _time, Computer, User, EventType, SuspiciousBinary, LoadingProcess, Signed, SignatureStatus, Hashes
],
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | where match(Image, "(?i)(\\\\AppData\\\\Local\\\\Temp|\\\\Downloads|\\\\ProgramData|C:\\\\Temp)")
  | eval EventType="ProcessCreate", SuspiciousBinary=Image, LoadingProcess=ParentImage
  | fields _time, Computer, User, EventType, SuspiciousBinary, LoadingProcess, CommandLine, Hashes
]
| rex field=Hashes "SHA256=(?<SHA256>[A-Fa-f0-9]{64})"
| eval RiskScore=case(
    EventType=="ImageLoad" AND (SignatureStatus=="Invalid" OR SignatureStatus=="Expired"), 35,
    EventType=="ImageLoad" AND Signed=="false", 25,
    EventType=="ProcessCreate" AND match(SuspiciousBinary, "(?i)\\\\Temp\\\\"), 30,
    EventType=="ProcessCreate" AND match(SuspiciousBinary, "(?i)\\\\Downloads\\\\"), 25,
    true(), 10
)
| where RiskScore >= 25
| stats
    count as EventCount,
    dc(Computer) as UniqueHosts,
    values(Computer) as HostList,
    min(_time) as FirstSeen,
    max(_time) as LastSeen,
    values(User) as Users,
    values(LoadingProcess) as LoadingProcesses,
    max(RiskScore) as MaxRisk
    by SuspiciousBinary, SHA256, EventType
| where UniqueHosts < 5
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"), LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| sort - MaxRisk UniqueHosts
| table SuspiciousBinary, SHA256, EventType, UniqueHosts, HostList, Users, LoadingProcesses, EventCount, MaxRisk, FirstSeen, LastSeen

Correlates Sysmon EventCode 7 (Image Load) for unsigned or invalid-signature DLLs and executables with EventCode 1 (Process Create) for processes spawning from suspicious paths. Low environmental prevalence (fewer than 5 unique hosts) is used as a signal to distinguish custom-developed tooling from widespread legitimate software. Results are scored and ranked by risk to prioritize analyst review.

high severity low confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Portable open-source tools (nmap, Wireshark portable, Python executables) compiled without code signing
Developer workstations running locally built binaries during normal software development
IT automation scripts packaged as standalone executables (PyInstaller, pkg, nexe) without signing certificates
Vendor diagnostic or support tools distributed as unsigned binaries
Security research tools executed from analyst workstations during threat hunting exercises

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Process Path" AS ProcessPath,
  "File Hash" AS SHA256Hash,
  "Signature Status" AS SignatureStatus,
  destinationip,
  destinationport,
  logsourceid,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%'
  )
  AND (
    (qid = 5145670 AND "Signed" = 'false')  -- Sysmon EventCode 7 ImageLoad unsigned
    OR
    (qid = 5145664  -- Sysmon EventCode 1 ProcessCreate
      AND (
        "Process Path" ILIKE '%\\AppData\\Local\\Temp\\%'
        OR "Process Path" ILIKE '%\\Downloads\\%'
        OR "Process Path" ILIKE '%\\ProgramData\\%'
        OR "Process Path" ILIKE 'C:\\Temp\\%'
        OR "Process Path" ILIKE 'C:\\Windows\\Temp\\%'
      )
      AND "Process Path" NOT ILIKE '%\\Windows\\System32\\%'
      AND "Process Path" NOT ILIKE '%\\Program Files%'
    )
  )
  AND starttime > NOW() - 86400000
GROUP BY sourceip, username, ProcessPath, SHA256Hash, SignatureStatus
HAVING COUNT(DISTINCT sourceip) < 5
ORDER BY EventTime DESC
LIMIT 500

Detects unsigned or invalidly-signed executables running from non-standard user-writable paths on Windows endpoints via Sysmon event codes 1 and 7 ingested into QRadar. Filters to low-prevalence binaries (fewer than 5 unique hosts) to surface likely custom-developed tools. Uses AQL aggregate grouping over a 24-hour lookback window.

high severity medium confidence

Data Sources

IBM QRadar with Windows Sysmon DSM Microsoft Windows Sysmon logs via QRadar WinCollect agent

Required Tables

events

False Positives

Legitimate portable utilities executed from user download directories on low-user-count hosts
Internal tooling deployed to a small subset of endpoints during staged rollouts
Pentest or red team tooling executed from temp paths during authorised engagements

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventCode" = "7" OR %"EventCode" = "1")
// Parse Sysmon fields
| parse field=%"Hashes" "SHA256=*" as SHA256 nodrop
| parse field=%"Image" "*" as ProcessImage nodrop
| parse field=%"ImageLoaded" "*" as ImageLoadedPath nodrop
// Normalize the binary path field
| if(%"EventCode" = "1", ProcessImage, ImageLoadedPath) as SuspiciousBinary
// Exclude standard system paths
| where !(SuspiciousBinary matches "(?i).*C:\\Windows\\System32.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\SysWOW64.*"
  OR SuspiciousBinary matches "(?i).*C:\\Program Files.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\WinSxS.*")
// Filter for suspicious locations or unsigned images
| where (SuspiciousBinary matches "(?i).*\\AppData\\Local\\Temp.*"
  OR SuspiciousBinary matches "(?i).*\\Downloads.*"
  OR SuspiciousBinary matches "(?i).*\\ProgramData.*"
  OR SuspiciousBinary matches "(?i).*C:\\Temp.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\Temp.*"
  OR %"Signed" = "false"
  OR %"SignatureStatus" in ("Invalid", "Expired", "Unavailable"))
// Risk scoring
| if(%"EventCode" = "7" AND (%"SignatureStatus" = "Invalid" OR %"SignatureStatus" = "Expired"), 35,
    if(%"EventCode" = "7" AND %"Signed" = "false", 25,
      if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Temp.*", 30,
        if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Downloads.*", 25, 10)
      )
    )
  ) as RiskScore
| where RiskScore >= 25
| stats
    count as EventCount,
    dc(%"Computer") as UniqueHosts,
    values(%"Computer") as HostList,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen,
    values(%"User") as Users,
    max(RiskScore) as MaxRisk
    by SuspiciousBinary, SHA256
| where UniqueHosts < 5
| formatDate(fromMillis(FirstSeen), "yyyy-MM-dd HH:mm:ss") as FirstSeenFmt
| formatDate(fromMillis(LastSeen), "yyyy-MM-dd HH:mm:ss") as LastSeenFmt
| fields SuspiciousBinary, SHA256, UniqueHosts, HostList, Users, EventCount, MaxRisk, FirstSeenFmt, LastSeenFmt
| sort by MaxRisk desc, UniqueHosts asc

Detects custom-developed tool deployment by identifying unsigned or invalidly-signed executables executing from non-standard user-writable paths via Sysmon EventCode 1 (Process Create) and EventCode 7 (Image Load). Applies risk scoring and filters to low-prevalence binaries across the environment to reduce noise from legitimate software. Designed for Sumo Logic CSE with Windows Sysmon log sources.

high severity medium confidence

Data Sources

Windows Sysmon logs via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise with Windows data source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Developers running locally-compiled unsigned binaries from project temp directories
IT administrators running portable diagnostic or remediation tools from Downloads
Shadow IT applications (unlicensed but benign) run from user profile directories on endpoints with few users

Google Chronicle / SecOps

yaral

rule t1587_develop_capabilities_unsigned_exec {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects unsigned or untrusted executables running from non-standard paths, a second-order indicator of adversary custom-developed capabilities (T1587). Correlates process execution with outbound network activity to surface likely custom implants."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path != /(?i)(C:\\Windows\\System32|C:\\Windows\\SysWOW64|C:\\Program Files|C:\\Windows\\WinSxS)/
    (
      $proc.principal.process.file.full_path = /(?i)\\AppData\\Local\\Temp\\/
      or $proc.principal.process.file.full_path = /(?i)\\Downloads\\/
      or $proc.principal.process.file.full_path = /(?i)\\ProgramData\\/
      or $proc.principal.process.file.full_path = /(?i)C:\\Temp\\/
      or $proc.principal.process.file.full_path = /(?i)C:\\Windows\\Temp\\/
    )
    not $proc.principal.process.file.security_result.severity = "INFORMATIONAL"
    $proc.principal.hostname = $hostname
    $proc.principal.process.file.sha256 = $sha256

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $hostname
    not $net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
    $net.principal.process.file.sha256 = $sha256

  match:
    $hostname, $sha256 over 1h

  condition:
    $proc and $net
}

Chronicle YARA-L 2.0 rule detecting unsigned executables launched from non-standard paths that subsequently make outbound external network connections. Uses UDM event correlation over a 1-hour window joining PROCESS_LAUNCH and NETWORK_CONNECTION events by host and process SHA256 hash, surfacing likely custom-developed implants characteristic of T1587 post-deployment behavior.

high severity medium confidence

Data Sources

Google Chronicle UDM Chronicle Endpoint Telemetry (via Forwarder) Windows Event logs ingested to Chronicle

Required Tables

PROCESS_LAUNCH UDM events NETWORK_CONNECTION UDM events

False Positives

Developers running unsigned build artifacts from temp directories with network calls to internal registries or APIs
Automated test frameworks executing portable binaries that call out to external test services
IT asset management or monitoring agents installed in non-standard locations performing routine cloud telemetry

CrowdStrike LogScale (CQL)

cql

// Step 1: Identify unsigned or low-trust process executions from suspicious paths
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\AppData\\Local\\Temp|\\Downloads|\\ProgramData|C:\\Temp|C:\\Windows\\Temp)/
| ImageFileName != /(?i)(C:\\Windows\\System32|C:\\Windows\\SysWOW64|C:\\Program Files|C:\\Windows\\WinSxS)/
| SignInfoFlags_decimal != 0  // Non-zero indicates signature issues (untrusted, unsigned, invalid)
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, SHA256HashData, TargetProcessId, SignInfoFlags_decimal])
| rename(field=SHA256HashData, as="ProcSHA256")

// Step 2: Join with outbound network connections to external IPs
| join(
    { #event_simpleName=NetworkConnectIP4
      | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.0)/
      | select([@timestamp, ComputerName, RemoteAddressIP4, RemotePort, LocalPort, TargetProcessId])
    },
    field=[ComputerName, TargetProcessId],
    include=[RemoteAddressIP4, RemotePort]
)

// Step 3: Aggregate and filter for low-prevalence binaries
| groupBy([ImageFileName, ProcSHA256], function=[
    count(ComputerName, distinct=true, as=UniqueHosts),
    count(as=EventCount),
    collect(ComputerName, limit=5, as=AffectedHosts),
    collect(UserName, limit=5, as=Users),
    collect(RemoteAddressIP4, limit=10, as=ExternalIPs),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    take(CommandLine, as=SampleCommandLine)
  ]
)
| UniqueHosts < 5
| sort(UniqueHosts, order=asc)
| select([ImageFileName, ProcSHA256, UniqueHosts, EventCount, AffectedHosts, Users, ExternalIPs, SampleCommandLine, FirstSeen, LastSeen])

CrowdStrike LogScale (Falcon) detection for custom-developed tool deployment (T1587) using Falcon telemetry. Identifies ProcessRollup2 events where executables with non-zero SignInfoFlags (indicating signature anomalies) run from user-writable non-standard paths, then correlates with outbound NetworkConnectIP4 events to external addresses. Filters to low-prevalence binaries (fewer than 5 unique hosts) to surface bespoke implants used by threat groups such as Kimsuky and Moonstone Sleet.

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon LogScale with Process and Network event ingestion

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Internal developer workstations running self-compiled unsigned tools during development cycles that reach external package registries
Legitimate third-party security tools (EDR, DLP agents) with non-standard installation paths making cloud telemetry calls
IT automation scripts deployed to a small pilot group of endpoints reaching cloud management APIs

Sigma rule & cross-platform mapping

The detection logic for Develop Capabilities (T1587) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1587 Sigma rules on detection.fyi

Platform-specific guides for T1587

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-13 Research depth: deep

References (7)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Execute Self-Signed Binary from User-Writable Path (Windows)
Expected signal: DeviceProcessEvents: FileName=custom_capability_test.exe, ProcessSignatureStatus=SignedByUntrustedCertificate, FolderPath contains \AppData\Local\Temp. DeviceImageLoadEvents showing DLLs loaded with self-signed parent process.
Test 2Deploy Malicious NPM Post-Install Script (Cross-Platform)
Expected signal: Sysmon EventCode=1 (Linux auditd execve): process spawned with ParentImage=/usr/bin/node, Image=/bin/sh or /bin/id. audit.log entries showing execve syscall from node process with working directory in node_modules path.
Test 3Compile and Execute Custom ELF Binary with Network Connection (Linux)
Expected signal: auditd: EXECVE record for /tmp/atomic_custom_tool with ppid matching shell. SOCKADDR audit record showing connect() call to 192.0.2.1:4444. Sysmon for Linux EventCode=3 (Network Connect) if deployed. /proc/<pid>/exe pointing to /tmp path.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1587 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Develop Capabilities

What is T1587 Develop Capabilities?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1587

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Resource Development

Popular Detections

What is T1587 Develop Capabilities?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1587

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (4)

Related Techniques

Same Tactic: Resource Development

Popular Detections

Get new detections in your inbox