T1587.004 Google Chronicle · YARA-L

Detect Exploits in Google Chronicle

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding and modifying exploits from online sources or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities (T1588.006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. Documented threat actors leveraging this technique include Volt Typhoon (zero-day initial access), UNC3886 (CVE-2022-41328 FortiOS and CVE-2023-34048 VMware vCenter), and Leviathan, which rapidly adapts public PoC code for new vulnerabilities. Because this is a PRE-technique, the adversary action (exploit development) occurs outside the target environment; detection therefore focuses on identifying exploit development tooling appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against internal services.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1587 Develop Capabilities
Sub-technique
T1587.004 Exploits
Canonical reference
https://attack.mitre.org/techniques/T1587/004/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1587_004_exploit_dev_tooling {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects exploit development tooling execution indicative of T1587.004 - Develop Capabilities: Exploits"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1587.004"
    severity = "HIGH"
    priority = "HIGH"
    created = "2026-04-13"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""

    (
      re.regex($e.target.process.file.full_path, `(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|cutter\.exe)`) or
      re.regex($e.target.process.command_line, `(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)`) or
      re.regex($e.target.process.command_line, `(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm\s|yasm\s)`) or
      re.regex($e.target.process.command_line, `(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)`) or
      re.regex($e.target.process.file.full_path, `(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting exploit development tooling process launches using UDM process event fields. Matches against known debugger executables, fuzzing framework invocations, shellcode generation tools, and exploit framework command-line patterns to surface T1587.004 activity within Google Chronicle's unified data model.

Data Sources

  • Google Chronicle UDM via Forwarder
  • Windows Endpoint telemetry ingested to Chronicle
  • EDR/XDR data normalized to UDM PROCESS_LAUNCH events

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives & Tuning

  • Security researchers at the organization running authorized exploit development on monitored endpoints without Chronicle exclusion rules
  • Malware reverse engineering analysts using WinDbg or x64dbg routinely as part of their job function
  • Red team engagements where tooling is executed from endpoints covered by Chronicle ingestion without a concurrent suppression rule
Testing Methodology

Validate this detection with the five Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: x64dbg Debugger Launch and Process Attachment

    Expected signal: Sysmon Event ID 1: Process Create for notepad.exe followed by x64dbg.exe with -p <PID> in the CommandLine field. Sysmon Event ID 10 (ProcessAccess): x64dbg.exe accessing notepad.exe memory with GrantedAccess 0x1FFFFF or 0x001F0FFF. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: msfvenom Shellcode Generation to Python Format

    Expected signal: Sysmon for Linux (or auditd EXECVE) Process Create: msfvenom with full argument string '-p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py'. File creation event for /tmp/df00tech-test-shellcode.py (auditd syscall openat/creat). Ruby interpreter child processes spawned by msfvenom.

  3. Test 3: Ropper ROP Gadget Search Against System DLL

    Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'ropper' and '--file C:\Windows\System32\ntdll.dll'. File read access to ntdll.dll by the python/ropper process. PowerShell ScriptBlock Log Event ID 4104 if invoked from a PowerShell session.

  4. Test 4: Boofuzz Network Fuzzer Initialization Against Local Service

    Expected signal: Sysmon for Linux (or auditd) Process Create: python3 with a CommandLine containing 'boofuzz', 'Session', 'TCPSocketConnection'. Network connection attempt (Sysmon for Linux Event ID 3 or auditd socket syscall) to 127.0.0.1:9999 which will be refused. File read events for boofuzz Python module files.

  5. Test 5: Metasploit Framework Console Version Check

    Expected signal: Process Create for msfconsole with arguments '-q -x version; exit'. Child process creation for Metasploit's Ruby interpreter. Possible DNS queries for Metasploit update endpoint checks. Syslog/auditd EXECVE records for the full command. File access to ~/.msf4/ directory tree.
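The harness below is an added example, not part of the original page or of the Argus rule package. It lifts the five re.regex() patterns from the YARA-L rule above verbatim and evaluates them offline against constructed UDM-style process events modelled on the five Atomic tests, so a detection engineer can see which clause each test trips before the rule is deployed, and can check that a hostname allowlist (standing in for a Chronicle exclusion rule, as suggested under False Positives) suppresses authorized research hosts. The flat dotted-key event shape, the hostnames and the file paths are assumptions made for the example; RE2 (used by YARA-L) and Python's re agree on these plain alternations.

```python
"""Offline check of the T1587.004 YARA-L patterns against constructed UDM events.

Assumptions (not from the original page): events are flat dicts keyed by UDM
field path, and `allowlisted_hosts` stands in for a Chronicle exclusion rule.
"""
import re

# The five re.regex() clauses from the rule, copied verbatim. RE2 and Python's
# re give the same result for these case-insensitive alternations.
PATTERNS = [
    ("file_path_debuggers", "target.process.file.full_path",
     re.compile(r"(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|cutter\.exe)")),
    ("cmdline_fuzzers", "target.process.command_line",
     re.compile(r"(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)")),
    ("cmdline_shellcode_tools", "target.process.command_line",
     re.compile(r"(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm\s|yasm\s)")),
    ("cmdline_exploit_frameworks", "target.process.command_line",
     re.compile(r"(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)")),
    ("file_path_exploit_dirs", "target.process.file.full_path",
     re.compile(r"(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)")),
]


def make_event(hostname, full_path, command_line, event_type="PROCESS_LAUNCH"):
    """Build a minimal UDM-like PROCESS_LAUNCH event (constructed shape)."""
    return {
        "metadata.event_type": event_type,
        "principal.hostname": hostname,
        "target.process.file.full_path": full_path,
        "target.process.command_line": command_line,
    }


def evaluate(event, allowlisted_hosts=frozenset()):
    """Return the names of the rule clauses that fire for one event ([] = no alert).

    Mirrors the rule's events section: PROCESS_LAUNCH, a non-empty hostname,
    and any one of the five regex clauses. The allowlist models the tuning
    from 'False Positives': authorized research hosts never alert.
    """
    if event.get("metadata.event_type") != "PROCESS_LAUNCH":
        return []
    hostname = event.get("principal.hostname", "")
    if not hostname or hostname.lower() in allowlisted_hosts:
        return []
    return [name for name, field, rx in PATTERNS if rx.search(event.get(field, ""))]


# Constructed events modelled on the five Atomic Red Team tests listed above,
# plus one benign launch. Hostnames and install paths are made up.
ATOMIC_EVENTS = {
    "test1_x64dbg": make_event(
        "ws-eng-07", r"C:\Tools\x64dbg\release\x64\x64dbg.exe", "x64dbg.exe -p 4242"),
    "test2_msfvenom": make_event(
        "lnx-build-02", "/usr/bin/msfvenom",
        "msfvenom -p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py"),
    "test3_ropper": make_event(
        "ws-eng-07", r"C:\Python311\python.exe",
        r"python.exe -m ropper --file C:\Windows\System32\ntdll.dll"),
    "test4_boofuzz": make_event(
        "lnx-build-02", "/usr/bin/python3",
        'python3 -c "from boofuzz import Session, TCPSocketConnection"'),
    "test5_msfconsole": make_event(
        "lnx-build-02", "/opt/metasploit-framework/bin/msfconsole",
        'msfconsole -q -x "version; exit"'),
    "benign_notepad": make_event(
        "ws-eng-07", r"C:\Windows\System32\notepad.exe", "notepad.exe report.txt"),
}


def coverage_report(events=ATOMIC_EVENTS, allowlisted_hosts=frozenset()):
    """Map each sample event to the clauses it fires under the given tuning."""
    return {name: evaluate(ev, allowlisted_hosts) for name, ev in events.items()}


if __name__ == "__main__":
    print("Baseline rule:")
    for name, hits in coverage_report().items():
        print(f"  {name:18} -> {hits or 'no alert'}")
    # Same events after excluding the (constructed) research workstation.
    print("With ws-eng-07 allowlisted:")
    for name, hits in coverage_report(allowlisted_hosts={"ws-eng-07"}).items():
        print(f"  {name:18} -> {hits or 'no alert'}")
```

Running it shows that Tests 2 and 3 both land on the same shellcode-tooling clause, Test 5 fires two clauses (command line and the `/metasploit` install path), and Test 1 is caught only by the debugger executable name, so a renamed x64dbg binary would slip past. It also makes the trailing-whitespace requirement in `nasm\s` and `yasm\s` concrete: a bare `nasm` with no arguments does not match, while `nasm -f elf64 file.asm` does.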
