T1587.001

Malware

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Because malware development occurs primarily on adversary-controlled infrastructure before deployment, defenders cannot directly observe this activity. Detection must pivot to identifying proxies: compilation and build tool activity on non-developer endpoints, use of known obfuscation and packing tools, characteristics of freshly compiled executables executing immediately after creation, and behavioral patterns consistent with malware testing (sandbox evasion checks, anti-analysis routines). Threat actors such as Lazarus Group, APT29, Sandworm, Kimsuky, and Indrik Spider are known to develop bespoke malware to avoid commodity detection signatures.

Microsoft Sentinel / Defender

kusto

let KnownCompilers = dynamic(["csc.exe", "vbc.exe", "msbuild.exe", "cl.exe", "link.exe", "rc.exe", "ilasm.exe", "csc.exe"]);
let KnownPackers = dynamic(["upx.exe", "upx", "themida", "enigmaprotector", "vmprotect", "pecompact", "aspack", "mpress"]);
let KnownObfuscators = dynamic(["confuserex", "obfuscar", "dotfuscator", ".netshrink", "reactornet", "codeprotector", "eazfuscator", "dnguard"]);
let MsfvEnomArtifacts = dynamic(["msfvenom", "msfconsole", "msfpayload", "metasploit", "msf_", "shell_reverse", "shell_bind"]);
let SuspiciousOutputPaths = dynamic(["\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\"]);
// Branch 1: Compiler or build tool usage on endpoints not typical for development
let CompilerActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownCompilers)
| where InitiatingProcessFileName !in~ ("devenv.exe", "MSBuild.exe", "dotnet.exe", "code.exe", "rider64.exe", "idea64.exe")
| extend DetectionBranch = "CompilerOnEndpoint"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, SHA256, DetectionBranch;
// Branch 2: Known packer or protector tool execution
let PackerActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownPackers) or ProcessCommandLine has_any (KnownPackers)
| extend DetectionBranch = "PackerProtectorUsage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, SHA256, DetectionBranch;
// Branch 3: Compile-then-execute pattern — new PE written then immediately run
let NewPEFiles = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (SuspiciousOutputPaths)
| where InitiatingProcessFileName has_any (KnownCompilers)
| project FileTimestamp=Timestamp, DeviceName, CreatedFile=FileName, FilePath=FolderPath, InitiatingProcessFileName;
let NewPEExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (SuspiciousOutputPaths);
let CompileAndExecute = NewPEFiles
| join kind=inner (NewPEExecution) on DeviceName
| where Timestamp between (FileTimestamp .. (FileTimestamp + 5min))
| where FileName == CreatedFile
| extend DetectionBranch = "CompileAndImmediateExecute"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         FilePath, DetectionBranch;
// Branch 4: Obfuscation tool usage
let ObfuscatorActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownObfuscators) or ProcessCommandLine has_any (KnownObfuscators)
| extend DetectionBranch = "ObfuscatorUsage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, SHA256, DetectionBranch;
// Union all branches
CompilerActivity
| union PackerActivity
| union CompileAndExecute
| union ObfuscatorActivity
| sort by Timestamp desc

high severity low confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate software developers running csc.exe, msbuild.exe, or vbc.exe for application development on general-purpose endpoints without a dedicated developer workstation baseline
IT automation and configuration management tools (Ansible, Puppet, Chef) that compile scripts or produce binaries as part of deployment pipelines — especially MSBuild invocations from SCCM or build agents
Security researchers and red team members conducting authorized testing using Metasploit, packing tools, or obfuscators on approved lab machines
.NET runtime just-in-time compilation artifacts that may superficially resemble csc.exe activity in certain monitoring configurations
UPX-packed legitimate software where the vendor ships pre-packed binaries and deployment scripts unpack them during installation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval IsCompiler=if(match(Image, "(\\\\csc\.exe|\\\\vbc\.exe|\\\\msbuild\.exe|\\\\ilasm\.exe|\\\\cl\.exe|\\\\link\.exe)"), 1, 0)
| eval IsPacker=if(match(Image, "(\\\\upx\.exe|\\\\themida|\\\\vmprotect|\\\\pecompact|\\\\aspack|\\\\mpress)") OR match(CommandLine, "(upx\s|--best|--brute|\-\-ultra\-brute)"), 1, 0)
| eval IsObfuscator=if(match(Image, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)") OR match(CommandLine, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard)"), 1, 0)
| eval IsMsfvenom=if(match(CommandLine, "(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter)"), 1, 0)
| eval IsNonIDEParent=if(NOT match(ParentImage, "(devenv\.exe|code\.exe|rider64\.exe|idea64\.exe|eclipsec\.exe|\\\\dotnet\.exe)"), 1, 0)
| eval SuspiciousOutputPath=if(match(CommandLine, "(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1, 0)
| eval CompilerOnEndpoint=if(IsCompiler=1 AND IsNonIDEParent=1, 1, 0)
| eval MalwareDevScore=CompilerOnEndpoint + IsPacker + IsObfuscator + IsMsfvenom
| where MalwareDevScore > 0
| eval DetectionBranch=case(
    IsMsfvenom=1, "MsfvenomPayloadGeneration",
    IsObfuscator=1, "ObfuscatorUsage",
    IsPacker=1, "PackerProtectorUsage",
    CompilerOnEndpoint=1, "CompilerOnNonDevEndpoint",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionBranch, CompilerOnEndpoint, IsPacker, IsObfuscator, IsMsfvenom,
        SuspiciousOutputPath, MalwareDevScore
| sort - _time

high severity low confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate software developers running csc.exe, msbuild.exe, or vbc.exe for application development on general-purpose endpoints without a dedicated developer workstation baseline
IT automation and configuration management tools that compile scripts or produce binaries as part of deployment pipelines — especially MSBuild invocations from SCCM or build agents
Security researchers and red team members conducting authorized testing using Metasploit, packing tools, or obfuscators on approved lab machines
UPX-packed legitimate software where vendors ship pre-packed binaries and deployment scripts unpack them during installation
Build servers or CI/CD agents (Jenkins, GitLab Runner, Azure DevOps Agent) that run compilers and build tools as part of automated pipelines

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  username,
  "filename" AS process_image,
  "CommandLine" AS command_line,
  "ParentProcessName" AS parent_image,
  CASE
    WHEN LOWER("filename") MATCHES '(msfvenom|msfconsole)' OR LOWER("CommandLine") MATCHES '(shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter)' THEN 'MsfvenomPayloadGeneration'
    WHEN LOWER("filename") MATCHES '(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)' OR LOWER("CommandLine") MATCHES '(confuserex|obfuscar|eazfuscator|dnguard)' THEN 'ObfuscatorUsage'
    WHEN LOWER("filename") MATCHES '(upx\.exe|themida|vmprotect|pecompact|aspack|mpress)' OR LOWER("CommandLine") MATCHES '(upx\s|--best|--brute|--ultra-brute)' THEN 'PackerProtectorUsage'
    WHEN LOWER("filename") MATCHES '(csc\.exe|vbc\.exe|msbuild\.exe|ilasm\.exe|cl\.exe|link\.exe)' AND NOT LOWER("ParentProcessName") MATCHES '(devenv\.exe|code\.exe|rider64\.exe|idea64\.exe|dotnet\.exe)' THEN 'CompilerOnNonDevEndpoint'
    ELSE 'Uncategorized'
  END AS detection_branch,
  LOGSOURCETYPENAME(logsourceid) AS log_source_type,
  logsourceid
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14)  -- Windows Security, Sysmon
  AND (QIDNAME(qid) = 'Process Create' OR EventID = '1' OR EventID = '4688')
  AND starttime > (NOW() - 86400000)
  AND (
    LOWER("filename") MATCHES '(csc\.exe|vbc\.exe|msbuild\.exe|ilasm\.exe|cl\.exe|link\.exe|rc\.exe|upx\.exe|themida|vmprotect|pecompact|aspack|mpress|confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|msfvenom|msfconsole)'
    OR LOWER("CommandLine") MATCHES '(msfvenom|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|upx\s|--brute|--ultra-brute|confuserex|obfuscar|eazfuscator|dnguard)'
  )
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Windows Security Event Log (EventID 4688) Microsoft Sysmon (EventID 1) QRadar DSM for Windows

Required Tables

events

False Positives

Build servers and CI/CD agents running compilers as part of automated pipelines — filter by sourceip ranges corresponding to build infrastructure
IT admins running UPX to compress legitimate installers for deployment — filter by username against a known admin group
Penetration testing teams running Metasploit during authorized engagements — filter by time window and approved source IPs documented in change management

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID in ("1", "4688")
| parse field=CommandLine "*" as cmd_line nodrop
| parse field=Image "*" as image_path nodrop
| parse field=ParentImage "*" as parent_image nodrop
| eval image_lower = toLowerCase(image_path)
| eval cmd_lower = toLowerCase(cmd_line)
| eval parent_lower = toLowerCase(parent_image)
| eval is_compiler = if(image_lower matches ".*\\\\(csc|vbc|msbuild|ilasm|cl|link|rc)\.exe.*", 1, 0)
| eval is_packer = if(image_lower matches ".*\\\\(upx|themida|vmprotect|pecompact|aspack|mpress)\.exe.*" or cmd_lower matches ".*(upx\\s|--best|--brute|--ultra-brute).*", 1, 0)
| eval is_obfuscator = if(image_lower matches ".*(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector).*" or cmd_lower matches ".*(confuserex|obfuscar|eazfuscator|dnguard).*", 1, 0)
| eval is_msfvenom = if(cmd_lower matches ".*(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter).*", 1, 0)
| eval is_non_ide_parent = if(!(parent_lower matches ".*(devenv|code|rider64|idea64|eclipsec|dotnet)\.exe.*"), 1, 0)
| eval suspicious_output = if(cmd_lower matches ".*(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\).*", 1, 0)
| eval compiler_on_endpoint = if(is_compiler = 1 and is_non_ide_parent = 1, 1, 0)
| eval malware_dev_score = compiler_on_endpoint + is_packer + is_obfuscator + is_msfvenom
| where malware_dev_score > 0
| eval detection_branch = if(is_msfvenom = 1, "MsfvenomPayloadGeneration",
    if(is_obfuscator = 1, "ObfuscatorUsage",
    if(is_packer = 1, "PackerProtectorUsage",
    if(compiler_on_endpoint = 1, "CompilerOnNonDevEndpoint", "Unknown"))))
| fields _messageTime, Computer, User, image_path, cmd_line, parent_image, detection_branch, malware_dev_score, suspicious_output
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon (via Sumo Logic Windows collector) Windows Security Event Log

Required Tables

Sysmon Process Create (EventID 1) Windows Security Process Create (EventID 4688)

False Positives

Developer workstations where CSC.exe or MSBuild.exe runs during dotnet CLI operations without a visible IDE parent — add known developer hostnames to an exclusion lookup
IT operations staff using UPX to compress self-extracting archives for software deployment packages
Security tooling that bundles Metasploit or similar frameworks for legitimate pen-test automation — scope by authorized host names or service accounts

Google Chronicle / SecOps

yaral

rule malware_development_tooling_t1587_001 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects malware development activity: compilers on non-dev endpoints, packer/protector usage, obfuscator execution, and Metasploit payload generation — MITRE T1587.001"
    mitre_attack_technique = "T1587.001"
    mitre_attack_tactic = "Resource Development"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-13"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $proc_path
    $e.target.process.command_line = $cmd_line
    $e.principal.process.file.full_path = $parent_path

    (
      // Branch 1: Compiler on non-dev endpoint
      (
        re.regex($proc_path, `(?i)(\\csc\.exe|\\vbc\.exe|\\msbuild\.exe|\\ilasm\.exe|\\cl\.exe|\\link\.exe|\\rc\.exe)$`)
        and not re.regex($parent_path, `(?i)(\\devenv\.exe|\\code\.exe|\\rider64\.exe|\\idea64\.exe|\\eclipsec\.exe|\\dotnet\.exe)$`)
      )
      or
      // Branch 2: Packer or protector execution
      (
        re.regex($proc_path, `(?i)(\\upx\.exe|\\themida\.exe|\\vmprotect\.exe|\\pecompact\.exe|\\aspack\.exe|\\mpress\.exe)$`)
        or re.regex($cmd_line, `(?i)(upx\s|--best|--brute|--ultra-brute)`)
      )
      or
      // Branch 3: Obfuscator execution
      (
        re.regex($proc_path, `(?i)(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)`)
        or re.regex($cmd_line, `(?i)(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard)`)
      )
      or
      // Branch 4: Metasploit / msfvenom payload generation
      re.regex($cmd_line, `(?i)(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter|msf_)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows endpoint telemetry via Chronicle forwarder Sysmon via Chronicle ingestion

Required Tables

UDM process events (PROCESS_LAUNCH)

False Positives

Build automation on CI agents where MSBuild or CSC runs without an IDE parent — apply reference list exclusion for known build agent hostnames
Security researchers using UPX or VMProtect on isolated lab machines — use asset criticality tags to suppress low-risk research hosts
Authorized red team infrastructure running Metasploit — coordinate time-boxed suppression rules with the red team schedule

CrowdStrike LogScale (CQL)

cql

// T1587.001 - Malware Development Tooling Detection
// Covers: compilers on non-dev endpoints, packers, obfuscators, Metasploit payload generation

#event_simpleName = ProcessRollup2
| eval ImageFileName_lower = lower(ImageFileName)
| eval CommandLine_lower = lower(CommandLine)
| eval ParentBaseFileName_lower = lower(ParentBaseFileName)

// Flag each detection branch
| eval is_compiler = if(match(ImageFileName_lower, "(csc\.exe|vbc\.exe|msbuild\.exe|ilasm\.exe|cl\.exe|link\.exe|rc\.exe)"), 1, 0)
| eval is_packer = if(match(ImageFileName_lower, "(upx\.exe|themida\.exe|vmprotect\.exe|pecompact\.exe|aspack\.exe|mpress\.exe)") or match(CommandLine_lower, "(upx\s|--best|--brute|--ultra-brute)"), 1, 0)
| eval is_obfuscator = if(match(ImageFileName_lower, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)") or match(CommandLine_lower, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard)"), 1, 0)
| eval is_msfvenom = if(match(CommandLine_lower, "(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter|msf_)"), 1, 0)
| eval is_non_ide_parent = if(not match(ParentBaseFileName_lower, "(devenv\.exe|code\.exe|rider64\.exe|idea64\.exe|eclipsec\.exe|dotnet\.exe)"), 1, 0)
| eval compiler_on_endpoint = if(is_compiler = 1 and is_non_ide_parent = 1, 1, 0)
| eval suspicious_path = if(match(CommandLine_lower, "(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1, 0)
| eval malware_dev_score = compiler_on_endpoint + is_packer + is_obfuscator + is_msfvenom
| where malware_dev_score > 0
| eval detection_branch = case(
    is_msfvenom = 1, "MsfvenomPayloadGeneration",
    is_obfuscator = 1, "ObfuscatorUsage",
    is_packer = 1, "PackerProtectorUsage",
    compiler_on_endpoint = 1, "CompilerOnNonDevEndpoint",
    true, "Unknown"
  )
| table timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, detection_branch, malware_dev_score, suspicious_path, SHA256HashData
| sort timestamp desc

high severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) Falcon Data Replicator or Humio/LogScale ingestion

Required Tables

ProcessRollup2

False Positives

Windows CI/CD build agents running MSBuild or CSC without a GUI IDE parent — add known build agent ComputerName values to an exclusion reference list
Legitimate use of UPX by software vendors or IT packaging teams compressing installers in Temp directories prior to deployment
Authorized penetration testers using Metasploit framework on scoped test assets — apply time-limited suppression tied to engagement windows and host groups

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1587.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1587Develop Capabilities

Related Sub-techniques

T1587.002Code Signing Certificates T1587.003Digital Certificates T1587.004Exploits

Malware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections