Detect Exploits in IBM QRadar
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior on computer hardware or software. Rather than finding or modifying exploits found online, or purchasing them from exploit vendors, an adversary may develop their own. Adversaries may use information acquired via Vulnerabilities (T1588.006) to focus exploit development efforts, and as part of that process may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. Documented threat actors leveraging this technique include Volt Typhoon (zero-day initial access), UNC3886 (CVE-2022-41328 in FortiOS and CVE-2023-34048 in VMware vCenter), and Leviathan, which rapidly adapts public PoC code for new vulnerabilities. Because this is a PRE-technique, the adversary action (exploit development) occurs outside the target environment; detection therefore focuses on exploit development tooling appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against internal services.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1587 Develop Capabilities
- Sub-technique: T1587.004 Exploits
- Canonical reference: https://attack.mitre.org/techniques/T1587/004/
QRadar Detection Query

```sql
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    sourceip AS SourceIP,
    username AS Username,
    "hostname" AS Hostname,
    "Application" AS ProcessName,
    "Command" AS CommandLine,
    CATEGORYNAME(category) AS Category,
    CASE
        WHEN LOWER("Application") MATCHES '(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe)' THEN 'Debugger/Disassembler'
        WHEN LOWER("Command") MATCHES '(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)' THEN 'Fuzzing Framework'
        WHEN LOWER("Command") MATCHES '(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)' THEN 'Shellcode Generation'
        WHEN LOWER("Command") MATCHES '(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)' THEN 'Exploit Framework'
        ELSE 'Exploit Tool Path'
    END AS DetectionCategory
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
    AND starttime > NOW() - 86400000
    AND (
        LOWER("Application") MATCHES '(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe|msfconsole\.exe|radare2\.exe|r2\.exe|cutter\.exe)'
        OR LOWER("Command") MATCHES '(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)'
        OR LOWER("Command") MATCHES '(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)'
        OR LOWER("Command") MATCHES '(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)'
        OR LOWER("Command") MATCHES '(\.msf4|exploit-db|shellcode|fuzzer)'
    )
ORDER BY starttime DESC
LAST 24 HOURS
```

AQL query against QRadar events to detect execution of exploit development tooling across Windows endpoint log sources. It matches process names and command-line arguments for known debuggers, fuzzers, shellcode generators, and exploit frameworks, and assigns a DetectionCategory via CASE logic for triage prioritization. Two details matter when tuning it: the time window is bounded twice (the `starttime > NOW() - 86400000` predicate and the trailing `LAST 24 HOURS` clause cover the same 24 hours), and process names that appear only in the WHERE clause (msfconsole.exe, radare2.exe, r2.exe, cutter.exe) are not named in the CASE, so they fall through to the generic 'Exploit Tool Path' category. `"Application"` and `"Command"` are custom event properties and must be populated by your Sysmon/Windows DSM for the query to return rows. Confirm on your QRadar version whether MATCHES requires the pattern to cover the whole field value; if it does, each alternation group needs surrounding `.*` to behave as a substring match.
False Positives & Tuning
- Authorized red team operators executing penetration tests without proper log exclusion filters applied
- Vulnerability research teams using fuzzing infrastructure on isolated lab machines that route through the monitored network
- IT security training programs (SANS, Offensive Security) using these tools during coursework on corporate-provisioned devices
Testing Methodology
Validate this detection against the 5 Atomic Red Team tests for T1587.004 listed below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Note that Tests 2, 4 and 5 produce Linux telemetry (Sysmon for Linux or auditd); confirm that those log sources map to a log source type included in the query's LOGSOURCETYPENAME filter, otherwise they exercise the tooling without exercising this query.
- Test 1: x64dbg Debugger Launch and Process Attachment
  Expected signal: Sysmon Event ID 1 (Process Create) for notepad.exe followed by x64dbg.exe with `-p <PID>` in the CommandLine field. Sysmon Event ID 10 (ProcessAccess): x64dbg.exe accessing notepad.exe memory with GrantedAccess 0x1FFFFF or 0x001F0FFF. Security Event ID 4688 if command line auditing is enabled.
- Test 2: msfvenom Shellcode Generation to Python Format
  Expected signal: Sysmon for Linux (or auditd EXECVE) Process Create: msfvenom with the full argument string `-p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py`. File creation event for /tmp/df00tech-test-shellcode.py (auditd syscall openat/creat). Ruby interpreter child processes spawned by msfvenom.
- Test 3: Ropper ROP Gadget Search Against System DLL
  Expected signal: Sysmon Event ID 1 (Process Create) for python.exe with CommandLine containing `ropper` and `--file C:\Windows\System32\ntdll.dll`. File read access to ntdll.dll by the python/ropper process. PowerShell ScriptBlock Log Event ID 4104 if invoked from a PowerShell session.
- Test 4: Boofuzz Network Fuzzer Initialization Against Local Service
  Expected signal: Sysmon for Linux (or auditd) Process Create: python3 with a CommandLine containing `boofuzz`, `Session`, `TCPSocketConnection`. Network connection attempt (Sysmon for Linux Event ID 3 or auditd socket syscall) to 127.0.0.1:9999, which will be refused. File read events for boofuzz Python module files.
- Test 5: Metasploit Framework Console Version Check
  Expected signal: Process Create for msfconsole with arguments `-q -x version; exit`. Child process creation for Metasploit's Ruby interpreter. Possible DNS queries for Metasploit update endpoint checks. Syslog/auditd EXECVE records for the full command. File access to the ~/.msf4/ directory tree.
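The following is an added example, not part of this page's detection package, that replays the matching and CASE logic of the AQL query above in Python over constructed endpoint events, so you can see which of the five tests the query would actually surface and how the tuning exclusions from the False Positives section affect the result. All hostnames, usernames and event records are constructed; the log source type name 'Linux OS' used for the auditd-sourced tests is an assumption about how such events would arrive in QRadar. `re.search` is used to mirror the query's substring intent.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Alternation groups copied from the AQL rule; searched as substrings.
DEBUGGER_RE = re.compile(r'(windbg\.exe|x64dbg\.exe|x32dbg\.exe|ollydbg\.exe|immunitydebugger\.exe|immunity\.exe)')
FUZZER_RE = re.compile(r'(winafl|afl-fuzz|boofuzz|peach\.py|sulley|domato|honggfuzz|libfuzzer)')
SHELLCODE_RE = re.compile(r'(msfvenom|shellcraft|ropper|rp\.exe|rp-win|nasm|yasm)')
FRAMEWORK_RE = re.compile(r'(metasploit|msfconsole|pwntools|pwndbg|peda\.py|gef\.py)')
# Process names present only in the WHERE clause: they match but get the ELSE category.
EXTRA_PROC_RE = re.compile(r'(msfconsole\.exe|radare2\.exe|r2\.exe|cutter\.exe)')
PATH_RE = re.compile(r'(\.msf4|exploit-db|shellcode|fuzzer)')

# LOGSOURCETYPENAME(devicetype) IN (...) from the query.
IN_SCOPE_LOGSOURCES = {'Microsoft Windows Security Event Log', 'Sysmon'}


@dataclass
class Event:
    logsource: str    # QRadar log source type name
    hostname: str     # "hostname" custom property
    username: str
    application: str  # "Application" custom property
    command: str      # "Command" custom property


def classify(ev: Event) -> Optional[str]:
    """Return the DetectionCategory the AQL CASE assigns, or None if the WHERE clause drops the event."""
    if ev.logsource not in IN_SCOPE_LOGSOURCES:
        return None
    app, cmd = ev.application.lower(), ev.command.lower()
    selected = (DEBUGGER_RE.search(app) or EXTRA_PROC_RE.search(app)
                or FUZZER_RE.search(cmd) or SHELLCODE_RE.search(cmd)
                or FRAMEWORK_RE.search(cmd) or PATH_RE.search(cmd))
    if not selected:
        return None
    # Same evaluation order as the CASE expression.
    if DEBUGGER_RE.search(app):
        return 'Debugger/Disassembler'
    if FUZZER_RE.search(cmd):
        return 'Fuzzing Framework'
    if SHELLCODE_RE.search(cmd):
        return 'Shellcode Generation'
    if FRAMEWORK_RE.search(cmd):
        return 'Exploit Framework'
    return 'Exploit Tool Path'


def run_detection(events, exclusions):
    """Apply the rule, then drop (hostname, username) pairs registered as authorized testers."""
    hits = []
    for ev in events:
        category = classify(ev)
        if category is None or (ev.hostname, ev.username) in exclusions:
            continue
        hits.append((ev.hostname, ev.application, category))
    return hits


# Constructed events modelled on the five tests plus tuning cases (all values are made up).
SAMPLE_EVENTS = [
    # Test 1 (Windows): debugger attaching to a process
    Event('Sysmon', 'WS-DEV-07', 'alice', 'x64dbg.exe', 'x64dbg.exe -p 4321'),
    # Test 2 (Linux, assumed 'Linux OS' log source): outside the query's log source filter
    Event('Linux OS', 'lab-box-1', 'bob', 'msfvenom',
          'msfvenom -p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py'),
    # Test 3 (Windows): ropper gadget search
    Event('Sysmon', 'WS-DEV-07', 'alice', 'python.exe',
          r'python.exe -m ropper --file C:\Windows\System32\ntdll.dll'),
    # Test 4 (Linux, assumed 'Linux OS' log source): outside the query's log source filter
    Event('Linux OS', 'lab-box-1', 'bob', 'python3',
          'python3 fuzz_target.py boofuzz Session TCPSocketConnection'),
    # Test 5 run from a Windows host (constructed variant): msfconsole version check
    Event('Sysmon', 'WS-DEV-07', 'alice', 'msfconsole.exe', 'msfconsole.exe -q -x "version; exit"'),
    # Authorized red-team operator: matches the rule but is removed by the exclusion list
    Event('Sysmon', 'REDTEAM-01', 'rt.operator', 'msfvenom.bat',
          'msfvenom -p linux/x64/exec CMD=id -f python -o C:\\lab\\test-shellcode.py'),
    # Benign activity: no pattern matches
    Event('Sysmon', 'WS-FIN-02', 'carol', 'notepad.exe', 'notepad.exe Q3-report.txt'),
    # Noisy path token: 'shellcode' inside a document name trips the generic path pattern
    Event('Sysmon', 'WS-SEC-03', 'dan', 'winword.exe',
          r'winword.exe C:\Users\dan\Documents\shellcode-detection-notes.docx'),
]
EXCLUSIONS = {('REDTEAM-01', 'rt.operator')}

if __name__ == '__main__':
    for hit in run_detection(SAMPLE_EVENTS, EXCLUSIONS):
        print(hit)
```

Running it shows four hits: Tests 1, 3 and the Windows variant of Test 5 are classified as expected, the Linux-sourced Tests 2 and 4 never reach the rule because of the log source filter, the red-team event is suppressed by the exclusion pair, and the Word document path is flagged as 'Exploit Tool Path' purely on the `shellcode` substring, which is the term to tighten first when tuning.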
References
- https://attack.mitre.org/techniques/T1587/004/
- https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
- https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-2023
- https://github.com/googleprojectzero/winafl
- https://github.com/sashs/Ropper
- https://github.com/jtpereyda/boofuzz
- https://docs.rapid7.com/metasploit/msf-overview/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.004/T1587.004.md