Detect Exploits in Sumo Logic CSE
Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior on computer hardware or software. Rather than finding or modifying publicly available exploits, or purchasing them from exploit vendors, an adversary may develop their own. Adversaries may use information acquired via Vulnerabilities (T1588.006) to focus exploit development efforts, and may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis. Documented threat actors leveraging this technique include Volt Typhoon (zero-day exploitation for initial access), UNC3886 (CVE-2022-41328 in FortiOS and CVE-2023-34048 in VMware vCenter), and Leviathan, which rapidly adapts public proof-of-concept code for new vulnerabilities. Because this is a Resource Development (PRE) technique, the adversary action itself, exploit development, occurs outside the target environment. Detection therefore focuses on exploit development tooling appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against internal services.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1587 Develop Capabilities
- Sub-technique: T1587.004 Exploits
- Canonical reference: https://attack.mitre.org/techniques/T1587/004/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security
| where EventCode = 1 OR EventID = 4688
// Sysmon Event ID 1 field labels
| parse field=Message "Image: *\n" as ImagePath nodrop
| parse field=Message "CommandLine: *\n" as CommandLine nodrop
| parse field=Message "CurrentDirectory: *\n" as CurrentDirectory nodrop
| parse field=Message "ParentImage: *\n" as ParentImage nodrop
// Security Event ID 4688 uses different labels (and logs no working directory);
// fill the same fields from them when the Sysmon parse produced nothing
| parse regex field=Message "New Process Name:\s*(?<NewProcessName>[^\r\n]+)" nodrop
| parse regex field=Message "Process Command Line:\s*(?<ProcessCommandLine>[^\r\n]+)" nodrop
| parse regex field=Message "Creator Process Name:\s*(?<CreatorProcessName>[^\r\n]+)" nodrop
| if(isNull(ImagePath), NewProcessName, ImagePath) as ImagePath
| if(isNull(CommandLine), ProcessCommandLine, CommandLine) as CommandLine
| if(isNull(ParentImage), CreatorProcessName, ParentImage) as ParentImage
| toLowerCase(ImagePath) as ImageLower
| toLowerCase(CommandLine) as CommandLower
| toLowerCase(CurrentDirectory) as DirLower
| if(ImageLower matches "*windbg.exe*" OR ImageLower matches "*x64dbg.exe*" OR
    ImageLower matches "*x32dbg.exe*" OR ImageLower matches "*ollydbg.exe*" OR
    ImageLower matches "*immunitydebugger.exe*" OR ImageLower matches "*immunity.exe*",
    1, 0) as IsDebugger
| if(CommandLower matches "*winafl*" OR CommandLower matches "*afl-fuzz*" OR
    CommandLower matches "*boofuzz*" OR CommandLower matches "*peach.py*" OR
    CommandLower matches "*sulley*" OR CommandLower matches "*domato*" OR
    CommandLower matches "*honggfuzz*" OR CommandLower matches "*libfuzzer*",
    1, 0) as IsFuzzer
| if(CommandLower matches "*msfvenom*" OR CommandLower matches "*shellcraft*" OR
    CommandLower matches "*ropper*" OR CommandLower matches "*rp.exe*" OR
    CommandLower matches "*nasm*" OR CommandLower matches "*yasm*",
    1, 0) as IsShellcodeTool
| if(CommandLower matches "*metasploit*" OR CommandLower matches "*msfconsole*" OR
    CommandLower matches "*pwntools*" OR CommandLower matches "*pwndbg*" OR
    DirLower matches "*.msf4*" OR DirLower matches "*exploit-db*" OR
    DirLower matches "*shellcode*" OR DirLower matches "*fuzzer*",
    1, 0) as IsExploitFramework
| IsDebugger + IsFuzzer + IsShellcodeTool + IsExploitFramework as TotalScore
| where TotalScore > 0
| if(IsDebugger = 1, "Debugger/Disassembler",
    if(IsFuzzer = 1, "Fuzzing Framework",
    if(IsShellcodeTool = 1, "Shellcode Generation",
    if(IsExploitFramework = 1, "Exploit Framework", "Unclassified")))) as DetectionCategory
| fields _messageTime, host, User, ImagePath, CommandLine, ParentImage, DetectionCategory, TotalScore
| sort by _messageTime desc
Sumo Logic query detecting exploit development tooling via Sysmon Event ID 1 or Windows Security Event ID 4688 process creation events. It parses image paths and command-line arguments to score and categorize activity across debuggers, fuzzers, shellcode tools, and exploit frameworks matching T1587.004 indicators. Sumo Logic has no eval operator; computed fields are assigned with "expression as FieldName", and the 4688 labels (New Process Name, Process Command Line, Creator Process Name) must be parsed separately because they differ from the Sysmon ones. TotalScore counts matched categories (0 to 4), not individual indicators, and DetectionCategory reports only the first matching category in the fixed order debugger, fuzzer, shellcode tool, exploit framework.
Data Sources
- Process: Process Creation (Sysmon Event ID 1; Windows Security Event ID 4688 with command-line auditing enabled)
Required Tables
- Sumo Logic source categories windows/sysmon and windows/security (the query searches nothing else; Linux telemetry requires adding the corresponding source categories)
False Positives & Tuning
- Security operations personnel running Metasploit Framework for authorized internal penetration tests
- Malware analysts using debuggers (x64dbg, WinDbg) in sandboxed VMs whose logs flow to the SIEM
- DevSecOps pipelines that include fuzzing stages (libFuzzer, honggfuzz) as part of CI/CD on developer workstations
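The query's scoring logic and the tuning above, re-implemented in Python so they can be checked offline. This is an added example, not code from the original page or from Sumo Logic. It runs the same four category tests over constructed Sysmon Event ID 1 and Security Event ID 4688 messages (including the different 4688 field labels), then applies a host allowlist standing in for the malware-analysis and pentest exceptions listed in the False Positives section. All host names, users, paths and the allowlist are constructed sample data.

```python
import re

# Field labels differ between the two event sources. The query's parse
# statements use the Sysmon names; 4688 messages carry the second label.
FIELD_LABELS = {
    "image": ("Image", "New Process Name"),
    "cmdline": ("CommandLine", "Process Command Line"),
    "cwd": ("CurrentDirectory",),  # 4688 logs no working directory
}

# Indicator lists taken from the query's matches clauses.
DEBUGGERS = ("windbg.exe", "x64dbg.exe", "x32dbg.exe", "ollydbg.exe",
             "immunitydebugger.exe", "immunity.exe")
FUZZERS = ("winafl", "afl-fuzz", "boofuzz", "peach.py", "sulley", "domato",
           "honggfuzz", "libfuzzer")
SHELLCODE_TOOLS = ("msfvenom", "shellcraft", "ropper", "rp.exe", "nasm", "yasm")
FRAMEWORK_CMDS = ("metasploit", "msfconsole", "pwntools", "pwndbg")
FRAMEWORK_DIRS = (".msf4", "exploit-db", "shellcode", "fuzzer")

# Constructed tuning list: hosts where this tooling is expected (a malware
# analysis VM and an authorised pentest workstation, per the FP section).
ALLOWLISTED_HOSTS = {"malwarelab-01", "pentest-ws-07"}


def parse_field(message, labels):
    """Value after the first 'Label: value' line that matches, else ''."""
    for label in labels:
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.*?)\s*$", message, re.M)
        if m:
            return m.group(1)
    return ""


def score_event(message):
    """Mirror the query: one point per matched category, first match names it."""
    image = parse_field(message, FIELD_LABELS["image"]).lower()
    cmd = parse_field(message, FIELD_LABELS["cmdline"]).lower()
    cwd = parse_field(message, FIELD_LABELS["cwd"]).lower()
    flags = [
        ("Debugger/Disassembler", any(d in image for d in DEBUGGERS)),
        ("Fuzzing Framework", any(f in cmd for f in FUZZERS)),
        ("Shellcode Generation", any(s in cmd for s in SHELLCODE_TOOLS)),
        ("Exploit Framework", any(c in cmd for c in FRAMEWORK_CMDS)
                              or any(d in cwd for d in FRAMEWORK_DIRS)),
    ]
    score = sum(hit for _, hit in flags)
    category = next((name for name, hit in flags if hit), "Unclassified")
    return score, category


def detect(events, allowlist=ALLOWLISTED_HOSTS):
    """Score every event; drop zero scores and allowlisted hosts (the tuning step)."""
    hits = []
    for ev in events:
        score, category = score_event(ev["Message"])
        if score == 0 or ev["host"] in allowlist:
            continue
        hits.append({"host": ev["host"], "user": ev["User"],
                     "category": category, "score": score})
    return hits


def sysmon_eid1(image, cmdline, cwd, parent):
    """Constructed Sysmon Event ID 1 Message body (one 'Label: value' per line)."""
    return "\n".join(["Process Create:", "RuleName: -", f"Image: {image}",
                      f"CommandLine: {cmdline}", f"CurrentDirectory: {cwd}",
                      f"ParentImage: {parent}"])


def security_4688(image, cmdline, parent):
    """Constructed Security 4688 Message body (tab-indented labels, no cwd)."""
    return "\n".join(["A new process has been created.", "", "Process Information:",
                      f"\tNew Process Name:\t{image}",
                      f"\tCreator Process Name:\t{parent}",
                      f"\tProcess Command Line:\t{cmdline}"])


SAMPLE_EVENTS = [  # constructed sample telemetry, not real log data
    {"host": "dev-ws-12", "User": "CORP\\alice", "Message": sysmon_eid1(
        "C:\\Tools\\x64dbg\\x64dbg.exe", "x64dbg.exe -p 4120",
        "C:\\Tools\\x64dbg\\", "C:\\Windows\\explorer.exe")},
    {"host": "build-01", "User": "CORP\\svc-build", "Message": security_4688(
        "C:\\Python311\\python.exe",
        "python.exe -m ropper --file C:\\Windows\\System32\\ntdll.dll",
        "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe")},
    {"host": "malwarelab-01", "User": "LAB\\analyst", "Message": sysmon_eid1(
        "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\windbg.exe",
        "windbg.exe -p 5520 -g", "C:\\Samples\\", "C:\\Windows\\explorer.exe")},
    {"host": "dev-ws-12", "User": "CORP\\alice", "Message": sysmon_eid1(
        "C:\\Windows\\System32\\cmd.exe", 'cmd.exe /c msfconsole -q -x "version; exit"',
        "C:\\Users\\alice\\.msf4\\", "C:\\Windows\\explorer.exe")},
    {"host": "fin-ws-03", "User": "CORP\\bob", "Message": sysmon_eid1(
        "C:\\Program Files\\Corp\\corp.exe", "corp.exe --update",
        "C:\\Program Files\\Corp\\", "C:\\Windows\\System32\\services.exe")},
    {"host": "dev-ws-12", "User": "CORP\\alice", "Message": sysmon_eid1(
        "C:\\metasploit-framework\\bin\\msfvenom.bat",
        "msfvenom -p windows/x64/exec CMD=calc.exe -f python -o sc.py",
        "C:\\Users\\alice\\shellcode\\", "C:\\Windows\\System32\\cmd.exe")},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Two properties of the query show up in the output. TotalScore counts matched categories, so the msfvenom run from a directory named shellcode scores 2 while the x64dbg launch scores 1. And the `*rp.exe*` clause is a bare substring match, so the constructed corp.exe updater fires as Shellcode Generation; the same applies to `*nasm*` and `*yasm*`. Anchor those clauses to the executable name (for example a path separator before rp.exe) before deploying, and extend the allowlist with the authorised pentest and CI hosts from the list above rather than removing indicators.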
Testing Methodology
Validate this detection against the five Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro. Tests 2, 4 and 5 run on Linux and produce Sysmon for Linux or auditd telemetry; the query above searches only the windows/sysmon and windows/security source categories, so extend its source scope and field parsing before using those tests to validate it.
- Test 1: x64dbg Debugger Launch and Process Attachment
Expected signal: Sysmon Event ID 1 (Process Create) for notepad.exe followed by x64dbg.exe with -p <PID> in the CommandLine field. Sysmon Event ID 10 (ProcessAccess): x64dbg.exe accessing notepad.exe with GrantedAccess 0x1FFFFF or 0x001F0FFF. Security Event ID 4688, whose Process Command Line field is populated only when "Include command line in process creation events" is enabled.
- Test 2: msfvenom Shellcode Generation to Python Format
Expected signal: Sysmon for Linux (or auditd EXECVE) process create for msfvenom with the full argument string '-p linux/x64/exec CMD=id -f python -o /tmp/df00tech-test-shellcode.py'. File creation event for /tmp/df00tech-test-shellcode.py (auditd openat/creat syscall, provided a watch or syscall rule covers /tmp). Ruby interpreter child processes spawned by msfvenom.
- Test 3: Ropper ROP Gadget Search Against a System DLL
Expected signal: Sysmon Event ID 1 for python.exe with a CommandLine containing 'ropper' and '--file C:\Windows\System32\ntdll.dll'. Read access to ntdll.dll by the python/ropper process (not recorded by default Sysmon; requires object access auditing, Event ID 4663, on that file). PowerShell ScriptBlock Log Event ID 4104 if invoked from a PowerShell session.
- Test 4: Boofuzz Network Fuzzer Initialization Against a Local Service
Expected signal: Sysmon for Linux (or auditd) process create for python3 with a CommandLine containing 'boofuzz', 'Session' and 'TCPSocketConnection'. Connection attempt (Sysmon for Linux Event ID 3 or auditd socket/connect syscall) to 127.0.0.1:9999, which is refused because nothing listens there. File read events for the boofuzz Python module files, provided an auditd watch covers the site-packages directory.
- Test 5: Metasploit Framework Console Version Check
Expected signal: Process create for msfconsole with arguments '-q -x "version; exit"'. Child process creation for Metasploit's Ruby interpreter. Possible DNS queries for Metasploit update checks. Syslog/auditd EXECVE records for the full command. File access to the ~/.msf4/ directory tree.
References (10)
- https://attack.mitre.org/techniques/T1587/004/
- https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
- https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-2023
- https://github.com/googleprojectzero/winafl
- https://github.com/sashs/Ropper
- https://github.com/jtpereyda/boofuzz
- https://docs.rapid7.com/metasploit/msf-overview/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1587.004/T1587.004.md