T1587.004 Exploits Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ExploitDevTools = dynamic([
    "windbg.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe",
    "immunitydebugger.exe", "immunity.exe",
    "msfconsole.exe", "radare2.exe", "r2.exe", "cutter.exe"
]);
let FuzzingToolPatterns = dynamic([
    "winafl", "afl-fuzz", "boofuzz", "peach.py", "sulley",
    "domato", "honggfuzz", "libfuzzer"
]);
let ShellcodeToolPatterns = dynamic([
    "msfvenom", "shellcraft", "ropper", "rp.exe", "rp-win",
    "nasm", "yasm"
]);
let ExploitFrameworks = dynamic([
    "metasploit", "pwntools", "pwndbg",
    "peda.py", "gef.py"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (ExploitDevTools)
    or ProcessCommandLine has_any (ExploitDevTools)
    or ProcessCommandLine has_any (FuzzingToolPatterns)
    or ProcessCommandLine has_any (ShellcodeToolPatterns)
    or ProcessCommandLine has_any (ExploitFrameworks)
    or FolderPath has_any ("\\metasploit", "\\exploit-db", "\\shellcode", "\\fuzzer", "\.msf4")
| extend DetectionCategory = case(
    FileName has_any (ExploitDevTools) or ProcessCommandLine has_any (ExploitDevTools), "Debugger/Disassembler",
    ProcessCommandLine has_any (FuzzingToolPatterns), "Fuzzing Framework",
    ProcessCommandLine has_any (ShellcodeToolPatterns), "Shellcode Generation",
    ProcessCommandLine has_any (ExploitFrameworks), "Exploit Framework",
    FolderPath has_any ("\\metasploit", "\\exploit-db", "\\shellcode", "\\fuzzer", "\.msf4"), "Exploit Tool Path",
    "Unclassified"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         FolderPath, SHA256, DetectionCategory
| sort by Timestamp desc

high severity low confidence

Data Sources

Process: Process Creation File: File Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Authorized red team and penetration testers running these tools as part of a sanctioned engagement — cross-reference against your security testing register and approved device list
Software developers using WinDbg or x64dbg for legitimate application debugging and crash analysis on developer workstations
Security engineers building and testing detection rules using Metasploit or msfvenom against isolated lab environments
CTF (Capture The Flag) participants or security training students running exploit development labs on endpoints enrolled in the tenant
Security operations tooling (SIEM content development, detection validation) that invokes these tools programmatically in a controlled manner

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image), CommandLine_lower=lower(CommandLine), FolderPath_lower=lower(CurrentDirectory)
| eval IsDebugger=if(
    match(Image_lower, "(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe)") OR
    match(CommandLine_lower, "(windbg|x64dbg|x32dbg|ollydbg|immunitydebugger)"),
    1, 0)
| eval IsFuzzer=if(
    match(CommandLine_lower, "(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)"),
    1, 0)
| eval IsShellcodeTool=if(
    match(CommandLine_lower, "(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)"),
    1, 0)
| eval IsExploitFramework=if(
    match(CommandLine_lower, "(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)") OR
    match(FolderPath_lower, "(\.msf4|exploit-db|shellcode|fuzzer)"),
    1, 0)
| eval ExploitDevScore=IsDebugger + IsFuzzer + IsShellcodeTool + IsExploitFramework
| where ExploitDevScore > 0
| eval DetectionCategory=case(
    IsDebugger=1, "Debugger/Disassembler",
    IsFuzzer=1, "Fuzzing Framework",
    IsShellcodeTool=1, "Shellcode Generation",
    IsExploitFramework=1, "Exploit Framework",
    1=1, "Unclassified")
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionCategory, ExploitDevScore
| sort - _time

high severity low confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized red team and penetration testing operators on approved security workstations
Software developers using WinDbg, x64dbg, or similar debuggers for crash analysis and application testing
Security engineers validating detections or developing content using Metasploit or msfvenom against lab targets
CTF participants and security training students on lab endpoints enrolled in the tenant
Build pipeline or CI/CD systems running nasm or yasm for legitimate low-level software compilation

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [process where event.type == "start" and (
    process.name in ("windbg.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "immunitydebugger.exe", "immunity.exe", "msfconsole.exe", "radare2.exe", "r2.exe", "cutter.exe") or
    process.args : ("winafl", "afl-fuzz", "boofuzz", "peach.py", "sulley", "domato", "honggfuzz", "libfuzzer") or
    process.args : ("msfvenom", "shellcraft", "ropper", "rp.exe", "rp-win", "nasm", "yasm") or
    process.args : ("metasploit", "pwntools", "pwndbg", "peda.py", "gef.py") or
    process.executable : ("*\\metasploit*", "*\\exploit-db*", "*\\shellcode*", "*\\fuzzer*", "*\.msf4*")
  )]
| where process.pid > 0

high severity high confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Auditbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-* auditbeat-*

False Positives

Legitimate security researchers and penetration testers running authorized assessments on corporate endpoints
Software developers using debugging tools (WinDbg, x64dbg) for legitimate application development and crash analysis
Academic or training environments where exploit development courses are conducted on managed endpoints

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS Username,
  "hostname" AS Hostname,
  "Application" AS ProcessName,
  "Command" AS CommandLine,
  CATEGORYNAME(category) AS Category,
  CASE
    WHEN LOWER("Application") MATCHES '(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe)' THEN 'Debugger/Disassembler'
    WHEN LOWER("Command") MATCHES '(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)' THEN 'Fuzzing Framework'
    WHEN LOWER("Command") MATCHES '(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)' THEN 'Shellcode Generation'
    WHEN LOWER("Command") MATCHES '(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)' THEN 'Exploit Framework'
    ELSE 'Exploit Tool Path'
  END AS DetectionCategory
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND starttime > NOW() - 86400000
  AND (
    LOWER("Application") MATCHES '(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|r2\.exe|cutter\.exe)'
    OR LOWER("Command") MATCHES '(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)'
    OR LOWER("Command") MATCHES '(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)'
    OR LOWER("Command") MATCHES '(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)'
    OR LOWER("Command") MATCHES '(\.msf4|exploit-db|shellcode|fuzzer)'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log via WinCollect Sysmon via WinCollect or Universal DSM Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Authorized red team operators executing penetration tests without proper log exclusion filters applied
Vulnerability research teams using fuzzing infrastructure on isolated lab machines that route through the monitored network
IT security training programs (SANS, Offensive Security) using these tools during coursework on corporate-provisioned devices

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 OR EventID = 4688
| parse field=Message "Image: *\n" as ImagePath nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "CurrentDirectory: *\n" as CurrentDirectory nodrop
| parse field=Message "ParentImage: *\n" as ParentImage nodrop
| eval ImageLower = toLowerCase(ImagePath)
| eval CommandLower = toLowerCase(CommandLine)
| eval DirLower = toLowerCase(CurrentDirectory)
| eval IsDebugger = if(
    ImageLower matches "*windbg.exe*" OR ImageLower matches "*x64dbg.exe*" OR
    ImageLower matches "*x32dbg.exe*" OR ImageLower matches "*ollydbg.exe*" OR
    ImageLower matches "*immunitydebugger.exe*" OR ImageLower matches "*immunity.exe*",
    1, 0)
| eval IsFuzzer = if(
    CommandLower matches "*winafl*" OR CommandLower matches "*afl-fuzz*" OR
    CommandLower matches "*boofuzz*" OR CommandLower matches "*peach.py*" OR
    CommandLower matches "*sulley*" OR CommandLower matches "*domato*" OR
    CommandLower matches "*honggfuzz*" OR CommandLower matches "*libfuzzer*",
    1, 0)
| eval IsShellcodeTool = if(
    CommandLower matches "*msfvenom*" OR CommandLower matches "*shellcraft*" OR
    CommandLower matches "*ropper*" OR CommandLower matches "*rp.exe*" OR
    CommandLower matches "*nasm*" OR CommandLower matches "*yasm*",
    1, 0)
| eval IsExploitFramework = if(
    CommandLower matches "*metasploit*" OR CommandLower matches "*msfconsole*" OR
    CommandLower matches "*pwntools*" OR CommandLower matches "*pwndbg*" OR
    DirLower matches "*.msf4*" OR DirLower matches "*exploit-db*" OR
    DirLower matches "*shellcode*" OR DirLower matches "*fuzzer*",
    1, 0)
| eval TotalScore = IsDebugger + IsFuzzer + IsShellcodeTool + IsExploitFramework
| where TotalScore > 0
| eval DetectionCategory = if(IsDebugger=1, "Debugger/Disassembler",
    if(IsFuzzer=1, "Fuzzing Framework",
    if(IsShellcodeTool=1, "Shellcode Generation",
    if(IsExploitFramework=1, "Exploit Framework", "Unclassified"))))
| fields _messageTime, host, User, ImagePath, CommandLine, ParentImage, DetectionCategory, TotalScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Sysmon source Windows Security Event Log collection Sumo Logic Cloud SIEM (CSE) normalized process events

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Security operations personnel running Metasploit Framework for authorized internal penetration tests
Malware analysts using debuggers (x64dbg, WinDbg) in sandboxed VMs whose logs flow to the SIEM
DevSecOps pipelines that include fuzzing stages (libFuzzer, honggfuzz) as part of CI/CD on developer workstations

Google Chronicle / SecOps

yaral

rule t1587_004_exploit_dev_tooling {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exploit development tooling execution indicative of T1587.004 - Develop Capabilities: Exploits"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587.004"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""

    (
      re.regex($e.target.process.file.full_path, `(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|cutter\.exe)`) or
      re.regex($e.target.process.command_line, `(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)`) or
      re.regex($e.target.process.command_line, `(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm\s|yasm\s)`) or
      re.regex($e.target.process.command_line, `(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)`) or
      re.regex($e.target.process.file.full_path, `(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)`)
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM via Forwarder Windows Endpoint telemetry ingested to Chronicle EDR/XDR data normalized to UDM PROCESS_LAUNCH events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Security researchers at the organization running authorized exploit development on monitored endpoints without Chronicle exclusion rules
Malware reverse engineering analysts using WinDbg or x64dbg routinely as part of their job function
Red team engagements where tooling is executed from endpoints covered by Chronicle ingestion without a concurrent suppression rule

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|r2\.exe|cutter\.exe)$/ OR
  CommandLine = /(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)/ OR
  CommandLine = /(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)/ OR
  CommandLine = /(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)/ OR
  ImageFileName = /(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)/
| eval DetectionCategory = case(
    ImageFileName = /(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe)/, "Debugger/Disassembler",
    CommandLine = /(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)/, "Fuzzing Framework",
    CommandLine = /(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)/, "Shellcode Generation",
    CommandLine = /(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)/, "Exploit Framework",
    true(), "Exploit Tool Path"
  )
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])
| sort(timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon Data Replicator (FDR) streamed to LogScale Falcon Insight XDR process telemetry

Required Tables

ProcessRollup2

False Positives

Falcon-enrolled endpoints used by security engineers who run Metasploit or Cobalt Strike in authorized red team capacity without host exclusions
Application developers using NASM or YASM as assemblers in normal build toolchains on developer workstations enrolled in Falcon
Security awareness or CTF training programs running on Falcon-covered machines where participants use exploit tools as part of exercises

Exploits

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections