Detect Exploits in Microsoft Sentinel
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior on computer hardware or software. Rather than finding and modifying exploits published online, or purchasing them from exploit vendors, an adversary may develop their own. Adversaries may use information acquired via Vulnerabilities (T1588.006) to focus exploit development efforts, and may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. Documented threat actors leveraging this technique include Volt Typhoon (zero-day exploitation for initial access), UNC3886 (CVE-2022-41328 in FortiOS and CVE-2023-34048 in VMware vCenter), and Leviathan, which rapidly adapts public proof-of-concept code for newly disclosed vulnerabilities. Because this is a PRE-technique, the adversary action (exploit development) occurs outside the target environment; detection therefore focuses on exploit development tooling appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against internal services.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1587 Develop Capabilities
- Sub-technique: T1587.004 Exploits
- Canonical reference: https://attack.mitre.org/techniques/T1587/004/
KQL Detection Query

```kql
// Interactive debuggers / disassemblers, matched on the image name or anywhere in the command line
let ExploitDevTools = dynamic([
    "windbg.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe",
    "immunitydebugger.exe", "immunity.exe",
    "msfconsole.exe", "radare2.exe", "r2.exe", "cutter.exe"
]);
// Fuzzing frameworks, usually invoked via an interpreter so only the command line is checked
let FuzzingToolPatterns = dynamic([
    "winafl", "afl-fuzz", "boofuzz", "peach.py", "sulley",
    "domato", "honggfuzz", "libfuzzer"
]);
// Shellcode / ROP gadget generation and assemblers
let ShellcodeToolPatterns = dynamic([
    "msfvenom", "shellcraft", "ropper", "rp.exe", "rp-win",
    "nasm", "yasm"
]);
// Exploit frameworks and debugger plug-ins
let ExploitFrameworks = dynamic([
    "metasploit", "pwntools", "pwndbg",
    "peda.py", "gef.py"
]);
// Path fragments typical of exploit tooling; backslashes must be doubled in KQL string literals
let ExploitToolPaths = dynamic([
    "\\metasploit", "\\exploit-db", "\\shellcode", "\\fuzzer", "\\.msf4"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExploitDevTools)
    or ProcessCommandLine has_any (ExploitDevTools)
    or ProcessCommandLine has_any (FuzzingToolPatterns)
    or ProcessCommandLine has_any (ShellcodeToolPatterns)
    or ProcessCommandLine has_any (ExploitFrameworks)
    or FolderPath has_any (ExploitToolPaths)
// First matching branch wins, so a msfconsole launch from a metasploit folder is labelled by its image name
| extend DetectionCategory = case(
    FileName in~ (ExploitDevTools) or ProcessCommandLine has_any (ExploitDevTools), "Debugger/Disassembler",
    ProcessCommandLine has_any (FuzzingToolPatterns), "Fuzzing Framework",
    ProcessCommandLine has_any (ShellcodeToolPatterns), "Shellcode Generation",
    ProcessCommandLine has_any (ExploitFrameworks), "Exploit Framework",
    FolderPath has_any (ExploitToolPaths), "Exploit Tool Path",
    "Unclassified"
)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    FolderPath, SHA256, DetectionCategory
| sort by Timestamp desc
```

Detects execution of exploit development tooling on monitored endpoints, including interactive debuggers (WinDbg, x64dbg, OllyDbg, Immunity Debugger), fuzzing frameworks (AFL/WinAFL, Boofuzz, Honggfuzz), shellcode generation utilities (msfvenom, nasm, ropper), and exploit frameworks (Metasploit, pwntools). The query matches the image name exactly (`in~`) and uses term matching (`has_any`) on the command line and folder path; `has_any` matches whole terms, so `nasm` will not fire on an unrelated word that merely contains those letters. This detection targets the subset of T1587.004 cases where exploit development activity surfaces on monitored systems: insider threat activity, unauthorized security research on production hosts, or adversary staging of exploit infrastructure. Confidence is set to low because T1587.004 is a PRE-technique that normally occurs outside the victim environment and because these tools have significant legitimate use in authorized security research.
Data Sources
- Process creation telemetry: image name, full command line, folder path and SHA256 of the launched process, plus the parent process and its command line
Required Tables
- DeviceProcessEvents (populated by the Microsoft Defender XDR connector for hosts onboarded to Defender for Endpoint)
False Positives & Tuning
- Authorized red team and penetration testers running these tools as part of a sanctioned engagement — cross-reference against your security testing register and approved device list
- Software developers using WinDbg or x64dbg for legitimate application debugging and crash analysis on developer workstations
- Security engineers building and testing detection rules using Metasploit or msfvenom against isolated lab environments
- CTF (Capture The Flag) participants or security training students running exploit development labs on endpoints enrolled in the tenant
- Security operations tooling (SIEM content development, detection validation) that invokes these tools programmatically in a controlled manner
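To see how the query's classification and the tuning advice above interact, here is an added example (not code from the original page or from any vendor tooling): a stand-alone Python re-implementation of the `case()` logic run over constructed DeviceProcessEvents-style records, with a hypothetical security-testing register used to suppress hits from sanctioned devices and accounts inside an engagement window. Hostnames, accounts, the ticket number and the register itself are made up; command-line matching uses case-insensitive substrings, which is broader than KQL term matching.

```python
# Added example, not part of the original page: the query's classification
# logic and an engagement-register suppression, over constructed telemetry.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Same indicator lists as the KQL query.
EXPLOIT_DEV_TOOLS = ("windbg.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe",
                     "immunitydebugger.exe", "immunity.exe", "msfconsole.exe",
                     "radare2.exe", "r2.exe", "cutter.exe")
FUZZING_TOOL_PATTERNS = ("winafl", "afl-fuzz", "boofuzz", "peach.py", "sulley",
                         "domato", "honggfuzz", "libfuzzer")
SHELLCODE_TOOL_PATTERNS = ("msfvenom", "shellcraft", "ropper", "rp.exe", "rp-win",
                           "nasm", "yasm")
EXPLOIT_FRAMEWORKS = ("metasploit", "pwntools", "pwndbg", "peda.py", "gef.py")
EXPLOIT_TOOL_PATHS = ("\\metasploit", "\\exploit-db", "\\shellcode", "\\fuzzer", "\\.msf4")


@dataclass
class ProcessEvent:
    """Subset of the DeviceProcessEvents columns the query reads."""
    timestamp: datetime
    device_name: str
    account_name: str
    file_name: str
    command_line: str
    folder_path: str


@dataclass
class Engagement:
    """One row of a hypothetical security-testing register."""
    device_name: str
    account_name: str
    start: datetime
    end: datetime
    ticket: str


def _contains_any(text: str, needles: Tuple[str, ...]) -> bool:
    # Case-insensitive substring match; broader than KQL has_any, which matches whole terms.
    lowered = text.lower()
    return any(n in lowered for n in needles)


def classify(ev: ProcessEvent) -> Optional[str]:
    """Mirror of the KQL case(): the first matching branch wins."""
    if ev.file_name.lower() in EXPLOIT_DEV_TOOLS or _contains_any(ev.command_line, EXPLOIT_DEV_TOOLS):
        return "Debugger/Disassembler"
    if _contains_any(ev.command_line, FUZZING_TOOL_PATTERNS):
        return "Fuzzing Framework"
    if _contains_any(ev.command_line, SHELLCODE_TOOL_PATTERNS):
        return "Shellcode Generation"
    if _contains_any(ev.command_line, EXPLOIT_FRAMEWORKS):
        return "Exploit Framework"
    if _contains_any(ev.folder_path, EXPLOIT_TOOL_PATHS):
        return "Exploit Tool Path"
    return None  # the query's where clause would not return this row at all


def is_sanctioned(ev: ProcessEvent, register: List[Engagement]) -> bool:
    """Suppress only when device, account and time window all match a register entry."""
    return any(e.device_name.lower() == ev.device_name.lower()
               and e.account_name.lower() == ev.account_name.lower()
               and e.start <= ev.timestamp <= e.end
               for e in register)


def run_detection(events: List[ProcessEvent], register: List[Engagement],
                  now: datetime, lookback: timedelta = timedelta(hours=24)):
    """Return (device, file_name, category) for unsanctioned hits in the window, newest first."""
    hits = []
    for ev in events:
        if ev.timestamp <= now - lookback:           # Timestamp > ago(24h)
            continue
        category = classify(ev)
        if category is None or is_sanctioned(ev, register):
            continue
        hits.append((ev.timestamp, ev.device_name, ev.file_name, category))
    hits.sort(key=lambda h: h[0], reverse=True)       # sort by Timestamp desc
    return [(device, file_name, category) for _, device, file_name, category in hits]


# Constructed sample telemetry (not real data); NOW is fixed so the run is repeatable.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ProcessEvent(NOW - timedelta(hours=1), "WS-DEV-07", "jdoe", "x64dbg.exe",
                 "x64dbg.exe -p 4242", r"C:\Tools\x64dbg\release\x64"),
    ProcessEvent(NOW - timedelta(hours=2), "SRV-APP-02", "svc_build", "python.exe",
                 r"python.exe C:\Tools\Ropper\Ropper.py --file C:\Windows\System32\ntdll.dll", r"C:\Python311"),
    ProcessEvent(NOW - timedelta(minutes=30), "RT-KALI-01", "redteam", "msfconsole.exe",
                 'msfconsole.exe -q -x "version; exit"', r"C:\metasploit-framework\bin"),
    ProcessEvent(NOW - timedelta(minutes=5), "WS-HR-03", "asmith", "notepad.exe",
                 "notepad.exe report.txt", r"C:\Windows\System32"),
    ProcessEvent(NOW - timedelta(days=3), "SRV-APP-02", "svc_build", "python3",
                 "python3 fuzz_target.py --boofuzz", "/usr/bin"),        # outside the 24h window
    ProcessEvent(NOW - timedelta(minutes=10), "WS-DEV-07", "jdoe", "ruby.exe",
                 "ruby.exe -v", r"C:\metasploit-framework\bin"),         # path-only match
]
# Hypothetical register entry: one approved red-team host and account for a two-day window.
SAMPLE_REGISTER = [Engagement("RT-KALI-01", "redteam", NOW - timedelta(days=1),
                              NOW + timedelta(days=1), "SEC-1234")]


def sample_alerts():
    return run_detection(SAMPLE_EVENTS, SAMPLE_REGISTER, now=NOW)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The msfconsole launch on the registered red-team host is dropped, the stale boofuzz run falls outside the 24-hour window, and three hits remain, with the Ruby process labelled only by its folder because nothing in its image name or command line matched an earlier branch. In Sentinel the same suppression is usually done by joining against a watchlist of approved devices and accounts; keep the time window in the register, because a host that was approved last quarter is not approved today.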
Testing Methodology
Validate this detection with the five tests below, modelled on the Atomic Red Team tests for T1587.004. Each test lists the behaviour to exercise and the telemetry you should expect to see. Where a test names Sysmon or auditd events, the equivalent rows land in DeviceProcessEvents on hosts onboarded to Defender for Endpoint, which is where the query above reads them.
- Test 1: x64dbg Debugger Launch and Process Attachment
Expected signal: Sysmon Event ID 1 (Process Create) for notepad.exe followed by x64dbg.exe with -p <PID> in the CommandLine field. Sysmon Event ID 10 (ProcessAccess): x64dbg.exe accessing notepad.exe memory with GrantedAccess 0x1FFFFF or 0x001F0FFF. Security Event ID 4688 if command line auditing is enabled.
- Test 2: msfvenom Shellcode Generation to Python Format
Expected signal: Sysmon for Linux (or auditd EXECVE) Process Create: msfvenom with the full argument string '-p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py'. File creation event for /tmp/df00tech-test-shellcode.py (auditd syscall openat/creat). Ruby interpreter child processes spawned by msfvenom.
- Test 3: Ropper ROP Gadget Search Against System DLL
Expected signal: Sysmon Event ID 1 (Process Create) for python.exe with CommandLine containing 'ropper' and '--file C:\Windows\System32\ntdll.dll'. File read access to ntdll.dll by the python/ropper process. PowerShell ScriptBlock Log Event ID 4104 if invoked from a PowerShell session.
- Test 4: Boofuzz Network Fuzzer Initialization Against Local Service
Expected signal: Sysmon for Linux (or auditd) Process Create: python3 with a CommandLine containing 'boofuzz', 'Session' and 'TCPSocketConnection'. Network connection attempt (Sysmon for Linux Event ID 3 or auditd socket syscall) to 127.0.0.1:9999, which will be refused. File read events for boofuzz Python module files.
- Test 5: Metasploit Framework Console Version Check
Expected signal: Process Create for msfconsole with arguments '-q -x "version; exit"'. Child process creation for Metasploit's Ruby interpreter. Possible DNS queries for Metasploit update endpoint checks. Syslog/auditd EXECVE records for the full command. File access to the ~/.msf4/ directory tree.
References
- https://attack.mitre.org/techniques/T1587/004/
- https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
- https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-2023
- https://github.com/googleprojectzero/winafl
- https://github.com/sashs/Ropper
- https://github.com/jtpereyda/boofuzz
- https://docs.rapid7.com/metasploit/msf-overview/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.004/T1587.004.md