T1587 Develop Capabilities Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ExcludedPaths = dynamic([
    @"C:\Windows\System32",
    @"C:\Windows\SysWOW64",
    @"C:\Program Files",
    @"C:\Program Files (x86)",
    @"C:\Windows\WinSxS"
]);
let SuspiciousSignatureStates = dynamic(["Unsigned", "SignedByUntrustedCertificate", "SignedByInvalidCertificate"]);
let LookbackWindow = ago(1d);
// Step 1: Find low-prevalence unsigned executables executing from non-standard paths
let UnsignedExecs = DeviceProcessEvents
| where TimeGenerated > LookbackWindow
| where ProcessSignatureStatus in (SuspiciousSignatureStates)
| where not(FolderPath has_any (ExcludedPaths))
| extend SuspiciousLocation = case(
    FolderPath startswith @"C:\Users\" and FolderPath has "\AppData\Local\Temp", true,
    FolderPath startswith @"C:\Users\" and FolderPath has "\Downloads", true,
    FolderPath startswith @"C:\ProgramData\", true,
    FolderPath startswith @"C:\Temp\", true,
    FolderPath startswith @"C:\Windows\Temp\", true,
    false
)
| extend RiskScore = case(
    ProcessSignatureStatus == "Unsigned" and SuspiciousLocation == true, 40,
    ProcessSignatureStatus == "SignedByUntrustedCertificate" and SuspiciousLocation == true, 35,
    ProcessSignatureStatus == "SignedByInvalidCertificate", 30,
    ProcessSignatureStatus == "Unsigned" and SuspiciousLocation == false, 20,
    10
)
| where RiskScore >= 30
| project TimeGenerated, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, SHA256, ProcessSignatureStatus, InitiatingProcessFileName, InitiatingProcessCommandLine, RiskScore;
// Step 2: Correlate with network events to identify beaconing custom implants
let UnsignedWithNetwork = UnsignedExecs
| join kind=leftouter (
    DeviceNetworkEvents
    | where TimeGenerated > LookbackWindow
    | where RemoteIPType != "Private"
    | summarize NetworkConnections=count(), UniqueRemoteIPs=dcount(RemoteIP), RemoteIPList=make_set(RemoteIP, 5), RemotePorts=make_set(RemotePort, 5) by InitiatingProcessSHA256
) on $left.SHA256 == $right.InitiatingProcessSHA256
| extend NetworkRiskBonus = case(
    NetworkConnections > 10, 20,
    NetworkConnections > 0, 10,
    0
)
| extend TotalRisk = RiskScore + NetworkRiskBonus;
// Step 3: Deduplicate by SHA256 to surface unique custom tools
UnsignedWithNetwork
| summarize
    AlertCount = count(),
    AffectedDevices = dcount(DeviceName),
    DeviceList = make_set(DeviceName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SampleCommandLine = take_any(ProcessCommandLine),
    SampleInitiatingProcess = take_any(InitiatingProcessFileName),
    MaxRisk = max(TotalRisk),
    HasNetworkActivity = max(NetworkConnections) > 0
    by FileName, SHA256, FolderPath, ProcessSignatureStatus
| where AffectedDevices < 5  // Low environmental prevalence — likely custom tooling
| order by MaxRisk desc, AffectedDevices asc

high severity low confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

Internal development teams executing locally compiled utilities or test binaries that have not yet been signed
Open-source or portable applications distributed without code signing (e.g., command-line utilities, Python scripts compiled with PyInstaller)
Legitimate penetration testing tools (Cobalt Strike, Metasploit, custom scripts) used by authorized red team engagements
Software distributed via internal package managers or deployment tools that bypasses standard code signing workflows
Vendor-supplied diagnostic utilities that are unsigned by design

Splunk

spl

| union
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7
  | where Signed="false" OR SignatureStatus IN ("Unavailable", "Invalid", "Expired")
  | where NOT match(ImageLoaded, "(?i)(C:\\\\Windows\\\\System32|C:\\\\Windows\\\\SysWOW64|C:\\\\Program Files|C:\\\\Windows\\\\WinSxS)")
  | eval EventType="ImageLoad", SuspiciousBinary=ImageLoaded, LoadingProcess=Image
  | fields _time, Computer, User, EventType, SuspiciousBinary, LoadingProcess, Signed, SignatureStatus, Hashes
],
[
  search index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | where match(Image, "(?i)(\\\\AppData\\\\Local\\\\Temp|\\\\Downloads|\\\\ProgramData|C:\\\\Temp)")
  | eval EventType="ProcessCreate", SuspiciousBinary=Image, LoadingProcess=ParentImage
  | fields _time, Computer, User, EventType, SuspiciousBinary, LoadingProcess, CommandLine, Hashes
]
| rex field=Hashes "SHA256=(?<SHA256>[A-Fa-f0-9]{64})"
| eval RiskScore=case(
    EventType=="ImageLoad" AND (SignatureStatus=="Invalid" OR SignatureStatus=="Expired"), 35,
    EventType=="ImageLoad" AND Signed=="false", 25,
    EventType=="ProcessCreate" AND match(SuspiciousBinary, "(?i)\\\\Temp\\\\"), 30,
    EventType=="ProcessCreate" AND match(SuspiciousBinary, "(?i)\\\\Downloads\\\\"), 25,
    true(), 10
)
| where RiskScore >= 25
| stats
    count as EventCount,
    dc(Computer) as UniqueHosts,
    values(Computer) as HostList,
    min(_time) as FirstSeen,
    max(_time) as LastSeen,
    values(User) as Users,
    values(LoadingProcess) as LoadingProcesses,
    max(RiskScore) as MaxRisk
    by SuspiciousBinary, SHA256, EventType
| where UniqueHosts < 5
| eval FirstSeen=strftime(FirstSeen, "%Y-%m-%d %H:%M:%S"), LastSeen=strftime(LastSeen, "%Y-%m-%d %H:%M:%S")
| sort - MaxRisk UniqueHosts
| table SuspiciousBinary, SHA256, EventType, UniqueHosts, HostList, Users, LoadingProcesses, EventCount, MaxRisk, FirstSeen, LastSeen

high severity low confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Portable open-source tools (nmap, Wireshark portable, Python executables) compiled without code signing
Developer workstations running locally built binaries during normal software development
IT automation scripts packaged as standalone executables (PyInstaller, pkg, nexe) without signing certificates
Vendor diagnostic or support tools distributed as unsigned binaries
Security research tools executed from analyst workstations during threat hunting exercises

Elastic Security (EQL)

eql

sequence by process.executable with maxspan=1h
  [process where event.type == "start"
    and not process.executable : ("C:\\Windows\\System32\\*", "C:\\Windows\\SysWOW64\\*", "C:\\Program Files\\*", "C:\\Program Files (x86)\\*", "C:\\Windows\\WinSxS\\*")
    and process.code_signature.trusted == false
    and (
      process.executable : "*\\AppData\\Local\\Temp\\*" or
      process.executable : "*\\Downloads\\*" or
      process.executable : "*\\ProgramData\\*" or
      process.executable : "C:\\Temp\\*" or
      process.executable : "C:\\Windows\\Temp\\*"
    )
  ] by process.pid
  [network where event.type == "connection" and not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
  ] by process.pid

high severity medium confidence

Data Sources

Elastic Endpoint Elastic Agent with Windows integration Sysmon via Filebeat

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* winlogbeat-*

False Positives

Legitimate developer toolchains (Go, Rust, Python) compiling and immediately running binaries from temp directories during CI/CD pipelines
Portable applications (e.g., PortableApps) executed from Downloads that reach out for update checks
Security scanning tools or penetration testing frameworks run from non-standard paths by authorised red team operators

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip,
  username,
  QIDNAME(qid) AS EventName,
  "Process Name" AS ProcessName,
  "Process Path" AS ProcessPath,
  "File Hash" AS SHA256Hash,
  "Signature Status" AS SignatureStatus,
  destinationip,
  destinationport,
  logsourceid,
  CATEGORYNAME(category) AS Category
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) IN (
    SELECT id FROM logsourcetypes WHERE name LIKE '%Sysmon%' OR name LIKE '%Windows%'
  )
  AND (
    (qid = 5145670 AND "Signed" = 'false')  -- Sysmon EventCode 7 ImageLoad unsigned
    OR
    (qid = 5145664  -- Sysmon EventCode 1 ProcessCreate
      AND (
        "Process Path" ILIKE '%\\AppData\\Local\\Temp\\%'
        OR "Process Path" ILIKE '%\\Downloads\\%'
        OR "Process Path" ILIKE '%\\ProgramData\\%'
        OR "Process Path" ILIKE 'C:\\Temp\\%'
        OR "Process Path" ILIKE 'C:\\Windows\\Temp\\%'
      )
      AND "Process Path" NOT ILIKE '%\\Windows\\System32\\%'
      AND "Process Path" NOT ILIKE '%\\Program Files%'
    )
  )
  AND starttime > NOW() - 86400000
GROUP BY sourceip, username, ProcessPath, SHA256Hash, SignatureStatus
HAVING COUNT(DISTINCT sourceip) < 5
ORDER BY EventTime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar with Windows Sysmon DSM Microsoft Windows Sysmon logs via QRadar WinCollect agent

Required Tables

events

False Positives

Legitimate portable utilities executed from user download directories on low-user-count hosts
Internal tooling deployed to a small subset of endpoints during staged rollouts
Pentest or red team tooling executed from temp paths during authorised engagements

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventCode" = "7" OR %"EventCode" = "1")
// Parse Sysmon fields
| parse field=%"Hashes" "SHA256=*" as SHA256 nodrop
| parse field=%"Image" "*" as ProcessImage nodrop
| parse field=%"ImageLoaded" "*" as ImageLoadedPath nodrop
// Normalize the binary path field
| if(%"EventCode" = "1", ProcessImage, ImageLoadedPath) as SuspiciousBinary
// Exclude standard system paths
| where !(SuspiciousBinary matches "(?i).*C:\\Windows\\System32.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\SysWOW64.*"
  OR SuspiciousBinary matches "(?i).*C:\\Program Files.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\WinSxS.*")
// Filter for suspicious locations or unsigned images
| where (SuspiciousBinary matches "(?i).*\\AppData\\Local\\Temp.*"
  OR SuspiciousBinary matches "(?i).*\\Downloads.*"
  OR SuspiciousBinary matches "(?i).*\\ProgramData.*"
  OR SuspiciousBinary matches "(?i).*C:\\Temp.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\Temp.*"
  OR %"Signed" = "false"
  OR %"SignatureStatus" in ("Invalid", "Expired", "Unavailable"))
// Risk scoring
| if(%"EventCode" = "7" AND (%"SignatureStatus" = "Invalid" OR %"SignatureStatus" = "Expired"), 35,
    if(%"EventCode" = "7" AND %"Signed" = "false", 25,
      if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Temp.*", 30,
        if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Downloads.*", 25, 10)
      )
    )
  ) as RiskScore
| where RiskScore >= 25
| stats
    count as EventCount,
    dc(%"Computer") as UniqueHosts,
    values(%"Computer") as HostList,
    min(_messageTime) as FirstSeen,
    max(_messageTime) as LastSeen,
    values(%"User") as Users,
    max(RiskScore) as MaxRisk
    by SuspiciousBinary, SHA256
| where UniqueHosts < 5
| formatDate(fromMillis(FirstSeen), "yyyy-MM-dd HH:mm:ss") as FirstSeenFmt
| formatDate(fromMillis(LastSeen), "yyyy-MM-dd HH:mm:ss") as LastSeenFmt
| fields SuspiciousBinary, SHA256, UniqueHosts, HostList, Users, EventCount, MaxRisk, FirstSeenFmt, LastSeenFmt
| sort by MaxRisk desc, UniqueHosts asc

high severity medium confidence

Data Sources

Windows Sysmon logs via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise with Windows data source

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Developers running locally-compiled unsigned binaries from project temp directories
IT administrators running portable diagnostic or remediation tools from Downloads
Shadow IT applications (unlicensed but benign) run from user profile directories on endpoints with few users

Google Chronicle / SecOps

yaral

rule t1587_develop_capabilities_unsigned_exec {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects unsigned or untrusted executables running from non-standard paths, a second-order indicator of adversary custom-developed capabilities (T1587). Correlates process execution with outbound network activity to surface likely custom implants."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    $proc.principal.process.file.full_path != /(?i)(C:\\Windows\\System32|C:\\Windows\\SysWOW64|C:\\Program Files|C:\\Windows\\WinSxS)/
    (
      $proc.principal.process.file.full_path = /(?i)\\AppData\\Local\\Temp\\/
      or $proc.principal.process.file.full_path = /(?i)\\Downloads\\/
      or $proc.principal.process.file.full_path = /(?i)\\ProgramData\\/
      or $proc.principal.process.file.full_path = /(?i)C:\\Temp\\/
      or $proc.principal.process.file.full_path = /(?i)C:\\Windows\\Temp\\/
    )
    not $proc.principal.process.file.security_result.severity = "INFORMATIONAL"
    $proc.principal.hostname = $hostname
    $proc.principal.process.file.sha256 = $sha256

    $net.metadata.event_type = "NETWORK_CONNECTION"
    $net.principal.hostname = $hostname
    not $net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
    $net.principal.process.file.sha256 = $sha256

  match:
    $hostname, $sha256 over 1h

  condition:
    $proc and $net
}

high severity medium confidence

Data Sources

Google Chronicle UDM Chronicle Endpoint Telemetry (via Forwarder) Windows Event logs ingested to Chronicle

Required Tables

PROCESS_LAUNCH UDM events NETWORK_CONNECTION UDM events

False Positives

Developers running unsigned build artifacts from temp directories with network calls to internal registries or APIs
Automated test frameworks executing portable binaries that call out to external test services
IT asset management or monitoring agents installed in non-standard locations performing routine cloud telemetry

CrowdStrike LogScale (CQL)

cql

// Step 1: Identify unsigned or low-trust process executions from suspicious paths
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\AppData\\Local\\Temp|\\Downloads|\\ProgramData|C:\\Temp|C:\\Windows\\Temp)/
| ImageFileName != /(?i)(C:\\Windows\\System32|C:\\Windows\\SysWOW64|C:\\Program Files|C:\\Windows\\WinSxS)/
| SignInfoFlags_decimal != 0  // Non-zero indicates signature issues (untrusted, unsigned, invalid)
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, SHA256HashData, TargetProcessId, SignInfoFlags_decimal])
| rename(field=SHA256HashData, as="ProcSHA256")

// Step 2: Join with outbound network connections to external IPs
| join(
    { #event_simpleName=NetworkConnectIP4
      | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.0)/
      | select([@timestamp, ComputerName, RemoteAddressIP4, RemotePort, LocalPort, TargetProcessId])
    },
    field=[ComputerName, TargetProcessId],
    include=[RemoteAddressIP4, RemotePort]
)

// Step 3: Aggregate and filter for low-prevalence binaries
| groupBy([ImageFileName, ProcSHA256], function=[
    count(ComputerName, distinct=true, as=UniqueHosts),
    count(as=EventCount),
    collect(ComputerName, limit=5, as=AffectedHosts),
    collect(UserName, limit=5, as=Users),
    collect(RemoteAddressIP4, limit=10, as=ExternalIPs),
    min(@timestamp, as=FirstSeen),
    max(@timestamp, as=LastSeen),
    take(CommandLine, as=SampleCommandLine)
  ]
)
| UniqueHosts < 5
| sort(UniqueHosts, order=asc)
| select([ImageFileName, ProcSHA256, UniqueHosts, EventCount, AffectedHosts, Users, ExternalIPs, SampleCommandLine, FirstSeen, LastSeen])

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon LogScale with Process and Network event ingestion

Required Tables

ProcessRollup2 NetworkConnectIP4

False Positives

Internal developer workstations running self-compiled unsigned tools during development cycles that reach external package registries
Legitimate third-party security tools (EDR, DLP agents) with non-standard installation paths making cloud telemetry calls
IT automation scripts deployed to a small pilot group of endpoints reaching cloud management APIs

Develop Capabilities

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Same Tactic: Resource Development

Popular Detections