T1587 Sumo Logic CSE · Sumo

Detect Develop Capabilities in Sumo Logic CSE

This detection identifies indicators that adversaries have deployed custom-developed capabilities within the target environment. Because T1587 (Develop Capabilities) occurs outside the victim network during the adversary lifecycle, direct detection is impossible; instead, this rule focuses on second-order indicators: unsigned or self-signed executables executing from non-standard paths, low-prevalence binaries making network connections, and novel tooling patterns associated with bespoke malware frameworks. Groups such as Kimsuky, Moonstone Sleet, and Contagious Interview are known to develop custom tools—including malicious NPM packages, spearphishing toolkits, and custom implants—that exhibit these characteristics upon deployment. The detection correlates signature anomalies, environmental prevalence, and behavioral signals to surface likely custom-developed tools used in targeted intrusions.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1587 Develop Capabilities
Canonical reference
https://attack.mitre.org/techniques/T1587/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where (%"EventCode" = "7" OR %"EventCode" = "1")
// Extract the SHA256 value from the Sysmon Hashes field (e.g. "SHA1=...,MD5=...,SHA256=...,IMPHASH=...");
// a plain "SHA256=*" glob would also capture everything after the hash, so a bounded regex is used
| parse regex field=%"Hashes" "SHA256=(?<SHA256>[A-Fa-f0-9]{64})" nodrop
// Normalize the binary path field: Image for Process Create, ImageLoaded for Image Load
| if(%"EventCode" = "1", %"Image", %"ImageLoaded") as SuspiciousBinary
// Exclude standard system paths
| where !(SuspiciousBinary matches "(?i).*C:\\Windows\\System32.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\SysWOW64.*"
  OR SuspiciousBinary matches "(?i).*C:\\Program Files.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\WinSxS.*")
// Filter for suspicious locations or unsigned images (Signed/SignatureStatus exist only on EventCode 7)
| where (SuspiciousBinary matches "(?i).*\\AppData\\Local\\Temp.*"
  OR SuspiciousBinary matches "(?i).*\\Downloads.*"
  OR SuspiciousBinary matches "(?i).*\\ProgramData.*"
  OR SuspiciousBinary matches "(?i).*C:\\Temp.*"
  OR SuspiciousBinary matches "(?i).*C:\\Windows\\Temp.*"
  OR %"Signed" = "false"
  OR %"SignatureStatus" in ("Invalid", "Expired", "Unavailable"))
// Risk scoring
| if(%"EventCode" = "7" AND (%"SignatureStatus" = "Invalid" OR %"SignatureStatus" = "Expired"), 35,
    if(%"EventCode" = "7" AND %"Signed" = "false", 25,
      if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Temp.*", 30,
        if(%"EventCode" = "1" AND SuspiciousBinary matches "(?i).*\\Downloads.*", 25, 10)
      )
    )
  ) as RiskScore
| where RiskScore >= 25
// Aggregate per binary and hash. Sumo Logic has no stats, dc() or values() operators;
// count_distinct() gives the host prevalence and first() keeps one sample host and user
| count as EventCount,
  count_distinct(%"Computer") as UniqueHosts,
  first(%"Computer") as SampleHost,
  min(_messageTime) as FirstSeen,
  max(_messageTime) as LastSeen,
  first(%"User") as SampleUser,
  max(RiskScore) as MaxRisk
  by SuspiciousBinary, SHA256
// Prevalence filter: bespoke tooling is expected on a handful of hosts, not fleet-wide
| where UniqueHosts < 5
| formatDate(fromMillis(FirstSeen), "yyyy-MM-dd HH:mm:ss") as FirstSeenFmt
| formatDate(fromMillis(LastSeen), "yyyy-MM-dd HH:mm:ss") as LastSeenFmt
| fields SuspiciousBinary, SHA256, UniqueHosts, SampleHost, SampleUser, EventCount, MaxRisk, FirstSeenFmt, LastSeenFmt
| sort by MaxRisk desc, UniqueHosts asc

Severity: high. Confidence: medium.

Detects custom-developed tool deployment by identifying unsigned or invalidly-signed executables executing from non-standard user-writable paths via Sysmon EventCode 1 (Process Create) and EventCode 7 (Image Load). Applies risk scoring and filters to low-prevalence binaries across the environment to reduce noise from legitimate software. Designed for Sumo Logic CSE with Windows Sysmon log sources.
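To sanity-check the scoring and prevalence logic before deploying the rule, here is an added Python re-implementation of the query's path exclusions, nested risk scoring and per-binary aggregation, run over constructed Sysmon-style events. It is not part of the original page; the field names, regexes and thresholds are taken from the query above, and the sample events and hash values are made up.

```python
import re
from collections import defaultdict

SAMPLE_EVENTS = [  # constructed Sysmon-style events, not real telemetry; fields mirror the query
    {"EventCode": "1", "Computer": "WS01", "User": "CORP\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "Hashes": "SHA256=AAAA1111", "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventCode": "7", "Computer": "WS02", "User": "CORP\\bob",
     "ImageLoaded": r"C:\ProgramData\svc\helper.dll",
     "Hashes": "SHA256=BBBB2222", "Signed": "true", "SignatureStatus": "Invalid"},
    {"EventCode": "1", "Computer": "WS03", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA256=CCCC3333", "Signed": "true", "SignatureStatus": "Valid"},
] + [  # one unsigned binary in Downloads on six hosts: scores 25, but prevalence is too high
    {"EventCode": "1", "Computer": f"WS{10 + i}", "User": "CORP\\svc",
     "Image": r"C:\Users\svc\Downloads\agent.exe",
     "Hashes": "SHA256=DDDD4444", "Signed": "false", "SignatureStatus": "Unavailable"}
    for i in range(6)
]

SYSTEM_PATHS = re.compile(r"(?i)C:\\Windows\\(System32|SysWOW64|WinSxS)|C:\\Program Files")
USER_WRITABLE = re.compile(r"(?i)\\AppData\\Local\\Temp|\\Downloads|\\ProgramData|C:\\Temp|C:\\Windows\\Temp")
BAD_STATUS = ("Invalid", "Expired", "Unavailable")

def risk_score(ev, binary):
    """Mirror the query's exclusions, filter and nested if(); 0 means the event is dropped."""
    if SYSTEM_PATHS.search(binary):
        return 0
    unsigned, status = ev.get("Signed") == "false", ev.get("SignatureStatus")
    if not (USER_WRITABLE.search(binary) or unsigned or status in BAD_STATUS):
        return 0
    if ev["EventCode"] == "7" and status in ("Invalid", "Expired"):
        return 35
    if ev["EventCode"] == "7" and unsigned:
        return 25
    if ev["EventCode"] == "1" and re.search(r"(?i)\\Temp", binary):
        return 30
    if ev["EventCode"] == "1" and re.search(r"(?i)\\Downloads", binary):
        return 25
    return 10

def detect(events, min_risk=25, max_hosts=5):
    """Group surviving events by (binary, SHA256); keep binaries seen on fewer than max_hosts."""
    groups = defaultdict(lambda: {"hosts": set(), "users": set(), "count": 0, "max_risk": 0})
    for ev in events:
        binary = ev["Image"] if ev["EventCode"] == "1" else ev["ImageLoaded"]
        score = risk_score(ev, binary)
        if score < min_risk:
            continue
        g = groups[(binary, ev["Hashes"].split("SHA256=")[-1])]
        g["hosts"].add(ev["Computer"]); g["users"].add(ev["User"])
        g["count"] += 1; g["max_risk"] = max(g["max_risk"], score)
    return {k: v for k, v in groups.items() if len(v["hosts"]) < max_hosts}
```

Running `detect(SAMPLE_EVENTS)` surfaces only the Temp-path executable and the invalidly signed DLL; the system binary is excluded by path and the fleet-wide Downloads binary by the prevalence filter.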

Data Sources

  • Windows Sysmon logs via Sumo Logic Installed Collector
  • Sumo Logic Cloud SIEM Enterprise with Windows data source

Required Tables

  • _sourceCategory=*windows*
  • _sourceCategory=*sysmon*

False Positives & Tuning

  • Developers running locally-compiled unsigned binaries from project temp directories
  • IT administrators running portable diagnostic or remediation tools from Downloads
  • Shadow IT applications (unlicensed but benign) run from user profile directories on endpoints with few users

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Execute Self-Signed Binary from User-Writable Path (Windows)

    Expected signal: DeviceProcessEvents: FileName=custom_capability_test.exe, ProcessSignatureStatus=SignedByUntrustedCertificate, FolderPath contains \AppData\Local\Temp. DeviceImageLoadEvents showing DLLs loaded with self-signed parent process.

  2. Test 2: Deploy Malicious NPM Post-Install Script (Cross-Platform)

    Expected signal: Sysmon for Linux EventCode=1 (or an auditd execve record): process spawned with ParentImage=/usr/bin/node, Image=/bin/sh or /bin/id. audit.log entries showing an execve syscall from the node process with a working directory inside a node_modules path.

  3. Test 3: Compile and Execute Custom ELF Binary with Network Connection (Linux)

    Expected signal: auditd: EXECVE record for /tmp/atomic_custom_tool with ppid matching shell. SOCKADDR audit record showing connect() call to 192.0.2.1:4444. Sysmon for Linux EventCode=3 (Network Connect) if deployed. /proc/<pid>/exe pointing to /tmp path.
