T1587.001 Splunk · SPL

Detect Malware in Splunk

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Because malware development occurs primarily on adversary-controlled infrastructure before deployment, defenders cannot directly observe this activity. Detection must pivot to identifying proxies: compilation and build tool activity on non-developer endpoints, use of known obfuscation and packing tools, characteristics of freshly compiled executables executing immediately after creation, and behavioral patterns consistent with malware testing (sandbox evasion checks, anti-analysis routines). Threat actors such as Lazarus Group, APT29, Sandworm, Kimsuky, and Indrik Spider are known to develop bespoke malware to avoid commodity detection signatures.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1587 Develop Capabilities
Sub-technique: T1587.001 Malware
Canonical reference: https://attack.mitre.org/techniques/T1587/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image=lower(Image)
| eval CommandLine=lower(CommandLine)
| eval ParentImage=lower(ParentImage)
| eval IsCompiler=if(match(Image, "(\\\\csc\.exe|\\\\vbc\.exe|\\\\msbuild\.exe|\\\\ilasm\.exe|\\\\cl\.exe|\\\\link\.exe)"), 1, 0)
| eval IsPacker=if(match(Image, "(\\\\upx\.exe|\\\\themida|\\\\vmprotect|\\\\pecompact|\\\\aspack|\\\\mpress)") OR match(CommandLine, "(upx\s|--best|--brute|\-\-ultra\-brute)"), 1, 0)
| eval IsObfuscator=if(match(Image, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)") OR match(CommandLine, "(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard)"), 1, 0)
| eval IsMsfvenom=if(match(CommandLine, "(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter)"), 1, 0)
| eval IsNonIDEParent=if(NOT match(ParentImage, "(devenv\.exe|code\.exe|rider64\.exe|idea64\.exe|eclipsec\.exe|\\\\dotnet\.exe)"), 1, 0)
| eval SuspiciousOutputPath=if(match(CommandLine, "(\\\\temp\\\\|\\\\appdata\\\\local\\\\temp\\\\|\\\\users\\\\public\\\\|\\\\programdata\\\\)"), 1, 0)
| eval CompilerOnEndpoint=if(IsCompiler=1 AND IsNonIDEParent=1, 1, 0)
| eval MalwareDevScore=CompilerOnEndpoint + IsPacker + IsObfuscator + IsMsfvenom
| where MalwareDevScore > 0
| eval DetectionBranch=case(
    IsMsfvenom=1, "MsfvenomPayloadGeneration",
    IsObfuscator=1, "ObfuscatorUsage",
    IsPacker=1, "PackerProtectorUsage",
    CompilerOnEndpoint=1, "CompilerOnNonDevEndpoint",
    true(), "Unknown"
  )
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        DetectionBranch, CompilerOnEndpoint, IsPacker, IsObfuscator, IsMsfvenom,
        SuspiciousOutputPath, MalwareDevScore
| sort - _time
Severity: high · Confidence: low

Detects proxy indicators for malware development activity using Sysmon Event ID 1 (Process Creation). Assigns a MalwareDevScore by evaluating four behavioral indicators: (1) compiler or build tool execution (csc.exe, msbuild.exe, vbc.exe, ilasm.exe) from non-IDE parents; (2) packer or protector tool execution including UPX with aggressive compression flags; (3) known .NET and native obfuscation tooling; (4) Metasploit msfvenom or related payload generation commands in the command line. DetectionBranch categorizes the alert type for analyst triage. SuspiciousOutputPath flags cases where output is directed to user-writable locations like Temp or ProgramData, increasing the likelihood of malicious intent.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate software developers running csc.exe, msbuild.exe, or vbc.exe for application development on general-purpose endpoints without a dedicated developer workstation baseline
  • IT automation and configuration management tools that compile scripts or produce binaries as part of deployment pipelines — especially MSBuild invocations from SCCM or build agents
  • Security researchers and red team members conducting authorized testing using Metasploit, packing tools, or obfuscators on approved lab machines
  • UPX-packed legitimate software where vendors ship pre-packed binaries and deployment scripts unpack them during installation
  • Build servers or CI/CD agents (Jenkins, GitLab Runner, Azure DevOps Agent) that run compilers and build tools as part of automated pipelines
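As an added example that is not part of this page or the vendor's detection package, the following Python re-implements the scoring and branching of the SPL query above, parses constructed Sysmon Event ID 1 XML records in the shape Splunk ingests from the XmlWinEventLog sourcetype, and adds an allowlist of build-agent hosts as one way to apply the CI/CD and SCCM tuning cases listed above. Every host name, path, user and event is constructed sample data, and the allowlist is a hypothetical tuning choice, not a value from the page.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SYSMON_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Regexes mirror the SPL match() calls. Splunk's eval needs four backslashes for one
# literal '\' inside a double-quoted string; a Python raw string needs two.
COMPILER_RE = re.compile(r"\\(csc|vbc|msbuild|ilasm|cl|link)\.exe")
PACKER_IMAGE_RE = re.compile(r"\\(upx\.exe|themida|vmprotect|pecompact|aspack|mpress)")
PACKER_CMD_RE = re.compile(r"(upx\s|--best|--brute|--ultra-brute)")
OBFUSCATOR_IMAGE_RE = re.compile(r"(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard|codeprotector)")
OBFUSCATOR_CMD_RE = re.compile(r"(confuserex|obfuscar|dotfuscator|eazfuscator|dnguard)")
MSFVENOM_RE = re.compile(r"(msfvenom|msfconsole|shell_reverse_tcp|shell_bind_tcp|windows/meterpreter|linux/x86/meterpreter)")
IDE_PARENT_RE = re.compile(r"(devenv\.exe|code\.exe|rider64\.exe|idea64\.exe|eclipsec\.exe|\\dotnet\.exe)")
SUSPICIOUS_PATH_RE = re.compile(r"(\\temp\\|\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\)")

# Hypothetical tuning allowlist (constructed host names): known CI/CD and SCCM build
# agents, i.e. the false-positive cases listed on the page.
BUILD_AGENT_HOSTS = {"ci-agent-01.corp.example", "sccm-dp-02.corp.example"}


def parse_sysmon_event(xml_text):
    """Return EventCode, host and every EventData field of one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    system = root.find(SYSMON_NS + "System")
    event = {"EventCode": int(system.find(SYSMON_NS + "EventID").text),
             "host": system.find(SYSMON_NS + "Computer").text}
    for data in root.iter(SYSMON_NS + "Data"):
        event[data.get("Name")] = data.text or ""
    return event


def score_event(event):
    """Apply the four indicators of the SPL query to one parsed EID 1 event."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "").lower()
    is_compiler = bool(COMPILER_RE.search(image))
    is_packer = bool(PACKER_IMAGE_RE.search(image) or PACKER_CMD_RE.search(cmd))
    is_obfuscator = bool(OBFUSCATOR_IMAGE_RE.search(image) or OBFUSCATOR_CMD_RE.search(cmd))
    is_msfvenom = bool(MSFVENOM_RE.search(cmd))
    compiler_on_endpoint = is_compiler and not IDE_PARENT_RE.search(parent)
    # SPL case() returns the first true branch, so the order below matters.
    if is_msfvenom:
        branch = "MsfvenomPayloadGeneration"
    elif is_obfuscator:
        branch = "ObfuscatorUsage"
    elif is_packer:
        branch = "PackerProtectorUsage"
    elif compiler_on_endpoint:
        branch = "CompilerOnNonDevEndpoint"
    else:
        branch = "Unknown"
    return {"Image": image, "CommandLine": cmd, "ParentImage": parent,
            "User": event.get("User", ""), "DetectionBranch": branch,
            "CompilerOnEndpoint": int(compiler_on_endpoint), "IsPacker": int(is_packer),
            "IsObfuscator": int(is_obfuscator), "IsMsfvenom": int(is_msfvenom),
            "SuspiciousOutputPath": int(bool(SUSPICIOUS_PATH_RE.search(cmd))),
            "MalwareDevScore": int(compiler_on_endpoint) + int(is_packer) + int(is_obfuscator) + int(is_msfvenom)}


def run_detection(xml_events, allowlisted_hosts=BUILD_AGENT_HOSTS):
    """EID 1 only, score > 0, allowlisted build hosts suppressed, newest first (like 'sort - _time')."""
    hits = []
    for xml_text in xml_events:
        event = parse_sysmon_event(xml_text)
        if event["EventCode"] != 1:
            continue
        result = score_event(event)
        if result["MalwareDevScore"] == 0 or event["host"] in allowlisted_hosts:
            continue
        hits.append({"_time": event.get("UtcTime", ""), "host": event["host"], **result})
    return sorted(hits, key=lambda hit: hit["_time"], reverse=True)


def make_event(host, utc_time, image, command_line, parent_image, user="CORP\\alice"):
    """Build a minimal Sysmon EID 1 XML record; all values are constructed sample data."""
    fields = [("UtcTime", utc_time), ("Image", image), ("CommandLine", command_line),
              ("ParentImage", parent_image), ("User", user)]
    data = "".join("<Data Name='%s'>%s</Data>" % (name, escape(value)) for name, value in fields)
    return ("<Event xmlns='%s'><System><EventID>1</EventID><Computer>%s</Computer></System>"
            "<EventData>%s</EventData></Event>" % (SYSMON_NS[1:-1], host, data))


SAMPLE_EVENTS = [  # constructed telemetry, not captured from any real host
    # csc.exe from cmd.exe writing to Users\Public on a workstation: should alert.
    make_event("ws-042.corp.example", "2024-05-01 10:15:22.000",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               r"csc.exe /nologo /out:C:\Users\Public\sample_payload.exe C:\Users\Public\p.cs",
               r"C:\Windows\System32\cmd.exe"),
    # csc.exe spawned by Visual Studio: IDE parent, score 0, no alert.
    make_event("dev-17.corp.example", "2024-05-01 10:16:40.000",
               r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
               r"csc.exe /out:C:\src\app\bin\app.exe C:\src\app\Program.cs",
               r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    # msbuild.exe on a CI agent: scores 1, but the host is on the tuning allowlist.
    make_event("ci-agent-01.corp.example", "2024-05-01 10:18:03.000",
               r"C:\Program Files\Microsoft Visual Studio\2022\BuildTools\MSBuild\Current\Bin\MSBuild.exe",
               r"msbuild.exe C:\agent\_work\1\s\app.sln /p:Configuration=Release",
               r"C:\agent\bin\Agent.Worker.exe", user="CORP\\svc-build"),
    # upx.exe --best against a file in AppData\Local\Temp on a workstation: should alert.
    make_event("ws-042.corp.example", "2024-05-01 10:20:05.000",
               r"C:\Tools\upx\upx.exe",
               r"upx.exe --best C:\Users\alice\AppData\Local\Temp\sample_target.exe",
               r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["_time"], hit["host"], hit["DetectionBranch"], hit["MalwareDevScore"])
```

Running it prints two hits for ws-042 (the UPX packing first, then the csc.exe compile), both with SuspiciousOutputPath set; the Visual Studio compile scores zero and the CI agent's MSBuild run is suppressed by the allowlist. Passing `allowlisted_hosts=set()` shows the third, untuned hit, which is the quickest way to measure how much noise a given build-agent allowlist removes before committing it to the SPL as a lookup or `NOT host IN (...)` clause.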

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: On-System C# Payload Compilation via csc.exe

    Expected signal: Sysmon Event ID 1 (Process Create): Image=csc.exe, CommandLine containing '/out:' and path to %TEMP%, ParentImage=cmd.exe. Sysmon Event ID 11 (File Create): TargetFilename ending in df00tech_payload.exe in the Temp directory, initiated by csc.exe. Security Event ID 4688 (if command line auditing enabled) for the csc.exe invocation.

  2. Test 2: Executable Packing with UPX

    Expected signal: Sysmon Event ID 1: Process Create for upx.exe with CommandLine containing '--best' and the target file path. Sysmon Event ID 11: File modification event on df00tech_target.exe as UPX rewrites the PE in-place. Sysmon Event ID 3: Network connection to GitHub for the UPX download (if not pre-staged).

  3. Test 3: In-Memory C# Compilation via PowerShell Add-Type

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Add-Type', '-TypeDefinition', and 'CSharpCodeProvider' (internal). PowerShell ScriptBlock Log Event ID 4104 capturing the full Add-Type invocation including the embedded C# source. Temporary .dll files may be written to %TEMP% by the CodeDom compiler with random names before being loaded and deleted.

  4. Test 4: Metasploit msfvenom Payload Generation Simulation

    Expected signal: Sysmon for Linux Event ID 1 (if deployed) or auditd execve records capturing the msfvenom command invocation. The string 'msfvenom' and 'reverse_tcp' in the command line are the primary indicators. If msfvenom is present and executes, an ELF binary is created in /tmp, triggering file creation events.

Unlock Pro Content

Get the full detection package for T1587.001 including response playbook, investigation guide, and atomic red team tests.

