T1587.004 CrowdStrike LogScale · LogScale

Detect Exploits in CrowdStrike LogScale

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits. Adversaries may use information acquired via Vulnerabilities (T1588.006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. Documented threat actors leveraging this technique include Volt Typhoon (zero-day initial access), UNC3886 (CVE-2022-41328 FortiOS and CVE-2023-34048 VMware vCenter), and Leviathan, which rapidly adapts public PoC code for new vulnerabilities. Because this is a PRE-technique, the adversary action (exploit development) occurs outside the target environment, so detection focuses on identifying exploit development tooling appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against internal services.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1587 Develop Capabilities
Sub-technique: T1587.004 Exploits
Canonical reference: https://attack.mitre.org/techniques/T1587/004/

LogScale Detection Query

CrowdStrike LogScale (Falcon CQL)

#event_simpleName=ProcessRollup2
// Stage 1: keep only process events whose image path or command line matches exploit-development tooling
| ImageFileName=/(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|r2\.exe|cutter\.exe)$/
  OR CommandLine=/(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)/
  OR CommandLine=/(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)/
  OR CommandLine=/(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)/
  OR ImageFileName=/(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)/
// Stage 2: label the match. CQL has no eval()/case() function; the case statement is the LogScale form,
// and the first matching branch wins, so branch order decides the label. radare2/r2/cutter are named here
// so they are labelled as debuggers rather than falling through to the default branch.
| case {
    ImageFileName=/(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|radare2\.exe|r2\.exe|cutter\.exe)$/ | DetectionCategory := "Debugger/Disassembler";
    CommandLine=/(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)/ | DetectionCategory := "Fuzzing Framework";
    CommandLine=/(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)/ | DetectionCategory := "Shellcode Generation";
    CommandLine=/(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)/ | DetectionCategory := "Exploit Framework";
    * | DetectionCategory := "Exploit Tool Path"
  }
| table([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, DetectionCategory])
| sort(timestamp, order=desc)

Severity: high · Confidence: high

CrowdStrike LogScale (Falcon CQL) query using ProcessRollup2 events to detect exploit development tooling. It matches the Falcon telemetry fields ImageFileName and CommandLine against known debugger executables, fuzzing frameworks, shellcode utilities, and exploit framework patterns aligned with T1587.004, using CQL regex matching and a case statement for category assignment (first matching branch wins, with "Exploit Tool Path" as the default for matches on tool directory names).

Data Sources

  • CrowdStrike Falcon Sensor (ProcessRollup2 events)
  • Falcon Data Replicator (FDR) streamed to LogScale
  • Falcon Insight XDR process telemetry

Required Tables

ProcessRollup2

False Positives & Tuning

  • Falcon-enrolled endpoints used by security engineers who run Metasploit or Cobalt Strike in authorized red team capacity without host exclusions
  • Application developers using NASM or YASM as assemblers in normal build toolchains on developer workstations enrolled in Falcon
  • Security awareness or CTF training programs running on Falcon-covered machines where participants use exploit tools as part of exercises
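As an added example that is not part of this page, of CrowdStrike's tooling, or of the query above: the query's matching and labelling logic replayed in Python over constructed ProcessRollup2-style events, with the three false-positive cases above applied as a per-host exclusion list. The hostnames, the exclusion list and the sample events are assumptions made up for the example. It shows why branch order matters (an msfconsole launch is labelled Exploit Framework, not Exploit Tool Path) and how tuning can be scoped to a host and a command line, so that a build workstation exempted for nasm/yasm still alerts when a fuzzer runs on it.

```python
# Added example (not from the page, CrowdStrike, or Falcon): a Python replay of
# the LogScale query's matching and labelling logic over constructed
# ProcessRollup2-style events, with the tuning cases from the False Positives
# section applied as a narrowly scoped exclusion list.
import re
from typing import Dict, Iterable, List, Optional

# Same patterns as the query, in the order of its case branches; the first
# matching rule wins. radare2/r2/cutter are folded into the debugger category
# here, since the query's filter matches them but would otherwise label them
# via the default branch.
CATEGORY_RULES = [
    ("Debugger/Disassembler", "ImageFileName", re.compile(
        r"(?i)(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe"
        r"|immunity\.exe|radare2\.exe|r2\.exe|cutter\.exe)$")),
    ("Fuzzing Framework", "CommandLine", re.compile(
        r"(?i)(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)")),
    ("Shellcode Generation", "CommandLine", re.compile(
        r"(?i)(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)")),
    ("Exploit Framework", "CommandLine", re.compile(
        r"(?i)(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)")),
    ("Exploit Tool Path", "ImageFileName", re.compile(
        r"(?i)([\\/]metasploit|[\\/]exploit-db|[\\/]shellcode|[\\/]fuzzer|\.msf4)")),
]

# Constructed tuning list (an assumption for this example, not from the page):
# (hostname, category or None for all categories, command-line pattern or None).
# Keep exclusions narrow: the build host is exempt only for nasm/yasm runs,
# not for every "Shellcode Generation" hit.
TUNING_EXCLUSIONS = [
    ("REDTEAM-WS01", None, None),  # hypothetical authorized red team workstation
    ("BUILD-DEV07", "Shellcode Generation", re.compile(r"(?i)\b(nasm|yasm)\b")),
]

OUTPUT_FIELDS = ("timestamp", "ComputerName", "UserName", "ImageFileName",
                 "CommandLine", "ParentBaseFileName")


def classify(event: Dict) -> Optional[str]:
    """Return the DetectionCategory for one event, or None if no rule matches."""
    for category, field, pattern in CATEGORY_RULES:
        if pattern.search(event.get(field, "") or ""):
            return category
    return None


def is_excluded(event: Dict, category: str) -> bool:
    """True when a tuning entry covers this host, category and command line."""
    for host, excluded_category, cmd_pattern in TUNING_EXCLUSIONS:
        if event.get("ComputerName") != host:
            continue
        if excluded_category is not None and excluded_category != category:
            continue
        if cmd_pattern is not None and not cmd_pattern.search(event.get("CommandLine", "") or ""):
            continue
        return True
    return False


def detect(events: Iterable[Dict]) -> List[Dict]:
    """Replay of the query: filter ProcessRollup2, label, drop tuned-out hits, newest first."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        category = classify(ev)
        if category is None or is_excluded(ev, category):
            continue
        row = {k: ev.get(k) for k in OUTPUT_FIELDS}
        row["DetectionCategory"] = category
        hits.append(row)
    hits.sort(key=lambda h: h["timestamp"], reverse=True)  # sort(timestamp, order=desc)
    return hits


# Constructed sample telemetry (not real Falcon data); Windows image paths use the
# \Device\HarddiskVolumeN\ form the sensor reports.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000001000, "ComputerName": "FIN-WS12",
     "UserName": "jdoe", "ImageFileName": r"\Device\HarddiskVolume3\Tools\x64dbg\x64dbg.exe",
     "CommandLine": "x64dbg.exe -p 4312", "ParentBaseFileName": "explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000002000, "ComputerName": "REDTEAM-WS01",
     "UserName": "rt", "ImageFileName": "/usr/bin/ruby", "CommandLine": "msfconsole -q",
     "ParentBaseFileName": "bash"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000003000, "ComputerName": "BUILD-DEV07",
     "UserName": "ci", "ImageFileName": r"\Device\HarddiskVolume2\Program Files\NASM\nasm.exe",
     "CommandLine": "nasm -f win64 loader.asm", "ParentBaseFileName": "cmd.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000004000, "ComputerName": "BUILD-DEV07",
     "UserName": "ci", "ImageFileName": "/usr/bin/python3",
     "CommandLine": "python3 fuzz.py --engine boofuzz --target 127.0.0.1:9999", "ParentBaseFileName": "bash"},
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000005000, "ComputerName": "HR-WS03",
     "UserName": "asmith", "ImageFileName": r"\Device\HarddiskVolume3\Users\asmith\Downloads\exploit-db\poc.exe",
     "CommandLine": "poc.exe", "ParentBaseFileName": "chrome.exe"},
    {"event_simpleName": "DnsRequest", "timestamp": 1700000006000, "ComputerName": "HR-WS03",
     "DomainName": "example.com"},  # not a process event: ignored by the #event_simpleName filter
    {"event_simpleName": "ProcessRollup2", "timestamp": 1700000007000, "ComputerName": "HR-WS03",
     "UserName": "asmith", "ImageFileName": r"\Device\HarddiskVolume3\Windows\notepad.exe",
     "CommandLine": "notepad.exe", "ParentBaseFileName": "explorer.exe"},  # benign, no match
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["timestamp"], hit["ComputerName"], hit["DetectionCategory"], hit["CommandLine"])
```

Run directly, it prints the surviving hits newest first: the exploit-db path on HR-WS03, the boofuzz run on BUILD-DEV07, and the x64dbg launch on FIN-WS12. The msfconsole launch on the red team host and the nasm build step are suppressed by the exclusion list; the fuzzer on the build host is not, because that host's exemption is limited to the assembler command line.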


Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: x64dbg Debugger Launch and Process Attachment

    Expected signal: Sysmon Event ID 1: Process Create for notepad.exe followed by x64dbg.exe with -p <PID> in the CommandLine field. Sysmon Event ID 10 (ProcessAccess): x64dbg.exe accessing notepad.exe memory with GrantedAccess 0x1FFFFF or 0x001F0FFF. Security Event ID 4688 if command line auditing is enabled.

  2. Test 2: msfvenom Shellcode Generation to Python Format

    Expected signal: Sysmon for Linux (or auditd EXECVE) Process Create: msfvenom with full argument string '-p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py'. File creation event for /tmp/df00tech-test-shellcode.py (auditd syscall openat/creat). Ruby interpreter child processes spawned by msfvenom.

  3. Test 3: Ropper ROP Gadget Search Against System DLL

    Expected signal: Sysmon Event ID 1: Process Create for python.exe with CommandLine containing 'ropper' and '--file C:\Windows\System32\ntdll.dll'. File read access to ntdll.dll by the python/ropper process. PowerShell ScriptBlock Log Event ID 4104 if invoked from a PowerShell session.

  4. Test 4: Boofuzz Network Fuzzer Initialization Against Local Service

    Expected signal: Sysmon for Linux (or auditd) Process Create: python3 with a CommandLine containing 'boofuzz', 'Session', 'TCPSocketConnection'. Network connection attempt (Sysmon for Linux Event ID 3 or auditd socket syscall) to 127.0.0.1:9999 which will be refused. File read events for boofuzz Python module files.

  5. Test 5: Metasploit Framework Console Version Check

    Expected signal: Process Create for msfconsole with arguments '-q -x version; exit'. Child process creation for Metasploit's Ruby interpreter. Possible DNS queries for Metasploit update endpoint checks. Syslog/auditd EXECVE records for the full command. File access to ~/.msf4/ directory tree.
