Detect Develop Capabilities in Google Chronicle
This detection identifies indicators that adversaries have deployed custom-developed capabilities within the target environment. Because T1587 (Develop Capabilities) occurs outside the victim network during the adversary lifecycle, direct detection is impossible; instead, this rule focuses on second-order indicators: unsigned or self-signed executables executing from non-standard paths, low-prevalence binaries making network connections, and novel tooling patterns associated with bespoke malware frameworks. Groups such as Kimsuky, Moonstone Sleet, and Contagious Interview are known to develop custom tools—including malicious NPM packages, spearphishing toolkits, and custom implants—that exhibit these characteristics upon deployment. The detection correlates signature anomalies, environmental prevalence, and behavioral signals to surface likely custom-developed tools used in targeted intrusions.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1587 Develop Capabilities
- Canonical reference
- https://attack.mitre.org/techniques/T1587/
YARA-L Detection Query
rule t1587_develop_capabilities_unsigned_exec {
meta:
author = "Argus Detection Engineering"
description = "Detects unsigned or untrusted executables running from non-standard paths, a second-order indicator of adversary custom-developed capabilities (T1587). Correlates process execution with outbound network activity to surface likely custom implants."
mitre_attack_tactic = "Resource Development"
mitre_attack_technique = "T1587"
severity = "HIGH"
priority = "HIGH"
events:
$proc.metadata.event_type = "PROCESS_LAUNCH"
$proc.principal.process.file.full_path != /(?i)(C:\\Windows\\System32|C:\\Windows\\SysWOW64|C:\\Program Files|C:\\Windows\\WinSxS)/
(
$proc.principal.process.file.full_path = /(?i)\\AppData\\Local\\Temp\\/
or $proc.principal.process.file.full_path = /(?i)\\Downloads\\/
or $proc.principal.process.file.full_path = /(?i)\\ProgramData\\/
or $proc.principal.process.file.full_path = /(?i)C:\\Temp\\/
or $proc.principal.process.file.full_path = /(?i)C:\\Windows\\Temp\\/
)
not $proc.principal.process.file.security_result.severity = "INFORMATIONAL"
$proc.principal.hostname = $hostname
$proc.principal.process.file.sha256 = $sha256
$net.metadata.event_type = "NETWORK_CONNECTION"
$net.principal.hostname = $hostname
not $net.target.ip = /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)/
$net.principal.process.file.sha256 = $sha256
match:
$hostname, $sha256 over 1h
condition:
$proc and $net
}Chronicle YARA-L 2.0 rule detecting unsigned executables launched from non-standard paths that subsequently make outbound external network connections. Uses UDM event correlation over a 1-hour window joining PROCESS_LAUNCH and NETWORK_CONNECTION events by host and process SHA256 hash, surfacing likely custom-developed implants characteristic of T1587 post-deployment behavior.
Data Sources
Required Tables
False Positives & Tuning
- Developers running unsigned build artifacts from temp directories with network calls to internal registries or APIs
- Automated test frameworks executing portable binaries that call out to external test services
- IT asset management or monitoring agents installed in non-standard locations performing routine cloud telemetry
Other platforms for T1587
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Execute Self-Signed Binary from User-Writable Path (Windows)
Expected signal: DeviceProcessEvents: FileName=custom_capability_test.exe, ProcessSignatureStatus=SignedByUntrustedCertificate, FolderPath contains \AppData\Local\Temp. DeviceImageLoadEvents showing DLLs loaded with self-signed parent process.
- Test 2Deploy Malicious NPM Post-Install Script (Cross-Platform)
Expected signal: Sysmon EventCode=1 (Linux auditd execve): process spawned with ParentImage=/usr/bin/node, Image=/bin/sh or /bin/id. audit.log entries showing execve syscall from node process with working directory in node_modules path.
- Test 3Compile and Execute Custom ELF Binary with Network Connection (Linux)
Expected signal: auditd: EXECVE record for /tmp/atomic_custom_tool with ppid matching shell. SOCKADDR audit record showing connect() call to 192.0.2.1:4444. Sysmon for Linux EventCode=3 (Network Connect) if deployed. /proc/<pid>/exe pointing to /tmp path.
References (8)
- https://attack.mitre.org/techniques/T1587/
- https://www.mandiant.com/resources/apt1-exposing-one-of-chinas-cyber-espionage-units
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
- https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
- https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
- https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor/
- https://www.sentinelone.com/labs/contagious-interview-clickfix-reloaded-threat-actor-deploys-new-malware-via-fake-video-conferencing-apps/
- https://virusbulletin.com/virusbulletin/2019/10/kimsuky-apt-group/
Unlock Pro Content
Get the full detection package for T1587 including response playbook, investigation guide, and atomic red team tests.