T1588 Obtain Capabilities Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackDays = 7d;
let OffensiveToolKeywords = dynamic([
    "mimikatz", "cobalt", "cobaltstrike", "cs_beacon", "beacon",
    "meterpreter", "metasploit", "empire", "covenant", "sliver",
    "havoc", "brute_ratel", "nighthawk", "noctiluca", "mythic",
    "lazagne", "dumpert", "nanodump", "procdump64",
    "rubeus", "kerberoast", "asreproast", "certify", "certipy",
    "sharphound", "bloodhound", "adrecon", "adexplorer",
    "responder", "inveigh", "powerupsql", "mssqlpwner",
    "chisel", "ligolo", "frp", "plink", "ngrok"
]);
let SuspiciousStagingPaths = dynamic([
    "\\Temp\\", "\\tmp\\", "\\Downloads\\",
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
    "\\ProgramData\\", "\\Users\\Public\\"
]);
let LOLBinDownloaders = dynamic([
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
    "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "regsvr32.exe", "rundll32.exe"
]);
// Branch 1: Known offensive tool name match in process name or command line
let ToolNameHits = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName has_any (OffensiveToolKeywords)
    or ProcessCommandLine has_any (OffensiveToolKeywords)
| extend DetectionBranch = "OffensiveToolNameMatch"
| extend RiskScore = case(
    FileName has_any ("mimikatz", "meterpreter", "cobalt", "beacon"), 100,
    FileName has_any ("rubeus", "certify", "certipy", "bloodhound", "sharphound"), 90,
    FileName has_any ("responder", "inveigh", "lazagne", "dumpert"), 85,
    FileName has_any ("chisel", "ligolo", "havoc", "sliver", "empire"), 80,
    ProcessCommandLine has_any ("mimikatz", "sekurlsa", "kerberos::ptt", "lsadump"), 100,
    ProcessCommandLine has_any ("rubeus", "kerberoast", "/nowrap", "asreproast"), 90,
    70
);
// Branch 2: LOLBin downloaders staging to suspicious paths
let LOLBinDownloads = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName in~ (LOLBinDownloaders)
| where ProcessCommandLine has_any (SuspiciousStagingPaths)
    and (ProcessCommandLine has "http" or ProcessCommandLine has "ftp" or ProcessCommandLine has "urlcache" or ProcessCommandLine has "-split" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "DownloadString" or ProcessCommandLine has "WebClient")
| extend DetectionBranch = "LOLBinCapabilityDownload"
| extend RiskScore = case(
    ProcessCommandLine has "certutil" and ProcessCommandLine has "urlcache", 85,
    ProcessCommandLine has "bitsadmin" and ProcessCommandLine has "/transfer", 85,
    ProcessCommandLine has_any ("DownloadFile", "DownloadString", "IEX", "Invoke-Expression"), 90,
    75
);
// Branch 3: Execution from staging paths by non-standard parent
let StagingPathExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FolderPath has_any (SuspiciousStagingPaths)
| where InitiatingProcessFileName !in~ ("explorer.exe", "msiexec.exe", "setup.exe", "install.exe", "update.exe", "teams.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName !endswith ".tmp"
| extend DetectionBranch = "StagingPathExecution"
| extend RiskScore = 65;
union ToolNameHits, LOLBinDownloads, StagingPathExecution
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp desc

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Security researchers and red team operators running authorized assessments — certutil and PowerShell downloads are common in legitimate engagements
IT administrators staging software packages in Temp directories during patch cycles or manual deployments
Dual-use tools like ADExplorer, ProcDump, or BloodHound used by authorized IT/security teams for inventory and health assessments
Developer workstations cloning security tool repositories from GitHub for research or tooling review
Penetration testing firms with approved assessments whose infrastructure overlaps with known offensive tool signatures

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval offensive_tool_match=if(
    match(lower(Image), "mimikatz|meterpreter|cobalt|beacon|rubeus|bloodhound|sharphound|certify|certipy|responder|inveigh|lazagne|sliver|havoc|empire|covenant|chisel|ligolo|procdump|dumpert|nanodump|nltest|adrecon")
    OR match(lower(CommandLine), "mimikatz|sekurlsa|kerberos::ptt|lsadump|kerberoast|asreproast|dcsync|invoke-mimikatz|invoke-kerberoast|get-adreplication|sharphound|bloodhound"),
    1, 0
)
| eval lolbin_download=if(
    match(lower(Image), "certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe")
    AND match(lower(CommandLine), "http|ftp|urlcache|transfer|\.zip|\.exe|\.dll|\.ps1"),
    1, 0
)
| eval ps_download=if(
    match(lower(Image), "powershell\.exe|pwsh\.exe")
    AND match(lower(CommandLine), "downloadfile|downloadstring|webclient|invoke-webrequest|iwr|start-bitstransfer|iex|invoke-expression"),
    1, 0
)
| eval staging_path_exec=if(
    match(lower(Image), "\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\")
    AND NOT match(lower(ParentImage), "explorer\.exe|msiexec\.exe|setup\.exe|chrome\.exe|msedge\.exe|firefox\.exe|teams\.exe"),
    1, 0
)
| where offensive_tool_match=1 OR lolbin_download=1 OR ps_download=1 OR staging_path_exec=1
| eval risk_score=case(
    offensive_tool_match=1 AND match(lower(CommandLine), "mimikatz|meterpreter|sekurlsa|lsadump"), 100,
    offensive_tool_match=1 AND match(lower(CommandLine), "rubeus|certify|bloodhound|kerberoast"), 90,
    offensive_tool_match=1, 80,
    ps_download=1 AND match(lower(CommandLine), "iex|invoke-expression|downloadstring"), 85,
    lolbin_download=1 AND match(lower(CommandLine), "certutil.*urlcache|bitsadmin.*transfer"), 80,
    ps_download=1, 70,
    lolbin_download=1, 70,
    staging_path_exec=1, 60,
    true(), 50
)
| eval detection_branch=case(
    offensive_tool_match=1, "OffensiveToolNameMatch",
    lolbin_download=1, "LOLBinCapabilityDownload",
    ps_download=1, "PowerShellDownload",
    staging_path_exec=1, "StagingPathExecution",
    true(), "Unknown"
)
| stats max(risk_score) as max_risk, count as event_count, values(Image) as processes, values(CommandLine) as commands, values(detection_branch) as branches, dc(Computer) as host_count by User, Computer
| where max_risk >= 60
| sort -max_risk

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security teams running authorized red team or vulnerability assessment exercises with known tools
PowerShell download cradles used by legitimate software installers and update mechanisms (e.g., Chocolatey, winget scripts, IT automation)
Certutil used by PKI administrators for certificate operations and legitimate software packaging workflows
Security researchers examining offensive tools in sandboxed lab environments
Backup and monitoring agents that temporarily stage executables in AppData or ProgramData paths during updates

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : ("mimikatz.exe", "rubeus.exe", "cobalt*", "meterpreter*", "psexec.exe",
                      "sharphound.exe", "bloodhound.exe", "crackmapexec.py", "impacket*")
  or process.command_line : ("*-enc *", "*invoke-mimikatz*", "*invoke-bloodhound*")

high severity medium confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Authorized penetration testers using offensive security tools
Red team exercises using commercial security testing tools
Security researchers analyzing offensive tools in isolated environments
IT administrators using legitimate dual-use network tools for troubleshooting

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' OR "CommandLine" ILIKE '%invoke-mimikatz%' THEN 100
    WHEN "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%' THEN 95
    WHEN "Image" ILIKE '%bloodhound%' OR "Image" ILIKE '%sharphound%' THEN 85
    WHEN "CommandLine" ILIKE '%-enc %' OR "CommandLine" ILIKE '%bypass%' THEN 70
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' THEN 'Credential Dumping Tool'
    WHEN "Image" ILIKE '%cobalt%' THEN 'C2 Framework'
    WHEN "Image" ILIKE '%bloodhound%' THEN 'AD Recon Tool'
    ELSE 'Offensive Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%mimikatz%' OR "Image" ILIKE '%rubeus%' OR "Image" ILIKE '%bloodhound%'
    OR "Image" ILIKE '%sharphound%' OR "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%'
    OR "CommandLine" ILIKE '%invoke-mimikatz%' OR "CommandLine" ILIKE '%invoke-bloodhound%'
    OR "CommandLine" ILIKE '%-encoded %' OR "CommandLine" ILIKE '%-enc %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 1 Windows Security Event Log

Required Tables

events

False Positives

Authorized penetration testing using offensive security tools
Red team exercises using dual-use security tools
Security researchers analyzing offensive tools in isolated labs
IT administrators using dual-use tools for authorized troubleshooting

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval CommandLower = lower(CommandLine)
| eval ImageLower = lower(Image)
| where matches(ImageLower, "mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket")
   or matches(CommandLower, "invoke-mimikatz|invoke-bloodhound|-encoded |-enc |bypass")
| eval ToolCategory = if(matches(ImageLower, "mimikatz"), "Credential Dumping",
    if(matches(ImageLower, "bloodhound|sharphound"), "AD Reconnaissance",
    if(matches(ImageLower, "cobalt|meterpreter"), "C2 Framework", "Offensive Tool")))
| eval RiskScore = if(ToolCategory = "Credential Dumping", 100,
    if(ToolCategory = "C2 Framework", 95,
    if(ToolCategory = "AD Reconnaissance", 85, 70)))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

high severity medium confidence

Data Sources

Sysmon Event ID 1

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized penetration testers running scheduled security assessments
Red team exercises using commercial offensive security tooling
Security researchers analyzing malware in isolated lab environments
Network administrators using dual-use tools for authorized diagnostics

Google Chronicle / SecOps

yaral

rule T1588_offensive_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known offensive security tools"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1588"
    reference = "https://attack.mitre.org/techniques/T1588/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)`) or
      re.regex($e.target.process.command_line, `(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Authorized penetration testing engagements using commercial offensive tools
Internal red team exercises with pre-approved scope and tooling
Security researchers analyzing offensive capabilities in isolated lab environments
IT administrators using dual-use network tools for authorized diagnostics

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)/
  OR CommandLine = /(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(mimikatz|rubeus)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    ImageFileName = /(?i)(bloodhound|sharphound)/ => ToolCategory := "AD Recon"; RiskScore := "High";
    ImageFileName = /(?i)(cobalt|meterpreter)/ => ToolCategory := "C2 Framework"; RiskScore := "Critical";
    CommandLine = /(?i)(invoke-mimikatz)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    * => ToolCategory := "Offensive Tool"; RiskScore := "High";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Authorized penetration testing engagements using approved offensive tooling
Internal red team exercises with documented and approved scope
Security researchers in isolated environments analyzing offensive tool capabilities
IT administrators using dual-use network diagnostic tools for authorized tasks

Obtain Capabilities

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (7)

Same Tactic: Resource Development

Popular Detections