Which SIEM platforms have a T1588 detection rule?

df00tech provides T1588 (Obtain Capabilities) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Obtain Capabilities (T1588)?

Detecting Obtain Capabilities requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1588 detection?

The T1588 detection is rated high severity with medium confidence.

What are common false positives for T1588?

Common false positives for T1588 include: Security researchers and red team operators running authorized assessments — certutil and PowerShell downloads are common in legitimate engagements; IT administrators staging software packages in Temp directories during patch cycles or manual deployments; Dual-use tools like ADExplorer, ProcDump, or BloodHound used by authorized IT/security teams for inventory and health assessments.

T1588: Obtain Capabilities — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

let LookbackDays = 7d;
let OffensiveToolKeywords = dynamic([
    "mimikatz", "cobalt", "cobaltstrike", "cs_beacon", "beacon",
    "meterpreter", "metasploit", "empire", "covenant", "sliver",
    "havoc", "brute_ratel", "nighthawk", "noctiluca", "mythic",
    "lazagne", "dumpert", "nanodump", "procdump64",
    "rubeus", "kerberoast", "asreproast", "certify", "certipy",
    "sharphound", "bloodhound", "adrecon", "adexplorer",
    "responder", "inveigh", "powerupsql", "mssqlpwner",
    "chisel", "ligolo", "frp", "plink", "ngrok"
]);
let SuspiciousStagingPaths = dynamic([
    "\\Temp\\", "\\tmp\\", "\\Downloads\\",
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
    "\\ProgramData\\", "\\Users\\Public\\"
]);
let LOLBinDownloaders = dynamic([
    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
    "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "regsvr32.exe", "rundll32.exe"
]);
// Branch 1: Known offensive tool name match in process name or command line
let ToolNameHits = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName has_any (OffensiveToolKeywords)
    or ProcessCommandLine has_any (OffensiveToolKeywords)
| extend DetectionBranch = "OffensiveToolNameMatch"
| extend RiskScore = case(
    FileName has_any ("mimikatz", "meterpreter", "cobalt", "beacon"), 100,
    FileName has_any ("rubeus", "certify", "certipy", "bloodhound", "sharphound"), 90,
    FileName has_any ("responder", "inveigh", "lazagne", "dumpert"), 85,
    FileName has_any ("chisel", "ligolo", "havoc", "sliver", "empire"), 80,
    ProcessCommandLine has_any ("mimikatz", "sekurlsa", "kerberos::ptt", "lsadump"), 100,
    ProcessCommandLine has_any ("rubeus", "kerberoast", "/nowrap", "asreproast"), 90,
    70
);
// Branch 2: LOLBin downloaders staging to suspicious paths
let LOLBinDownloads = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName in~ (LOLBinDownloaders)
| where ProcessCommandLine has_any (SuspiciousStagingPaths)
    and (ProcessCommandLine has "http" or ProcessCommandLine has "ftp" or ProcessCommandLine has "urlcache" or ProcessCommandLine has "-split" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "DownloadString" or ProcessCommandLine has "WebClient")
| extend DetectionBranch = "LOLBinCapabilityDownload"
| extend RiskScore = case(
    ProcessCommandLine has "certutil" and ProcessCommandLine has "urlcache", 85,
    ProcessCommandLine has "bitsadmin" and ProcessCommandLine has "/transfer", 85,
    ProcessCommandLine has_any ("DownloadFile", "DownloadString", "IEX", "Invoke-Expression"), 90,
    75
);
// Branch 3: Execution from staging paths by non-standard parent
let StagingPathExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FolderPath has_any (SuspiciousStagingPaths)
| where InitiatingProcessFileName !in~ ("explorer.exe", "msiexec.exe", "setup.exe", "install.exe", "update.exe", "teams.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName !endswith ".tmp"
| extend DetectionBranch = "StagingPathExecution"
| extend RiskScore = 65;
union ToolNameHits, LOLBinDownloads, StagingPathExecution
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp desc

Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (certutil, bitsadmin, PowerShell) performing downloads to suspicious staging directories, and (3) binary execution from non-standard paths like Temp and Downloads when launched by non-browser parent processes. Each branch is scored by risk level to prioritize analyst review.

high severity medium confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Security researchers and red team operators running authorized assessments — certutil and PowerShell downloads are common in legitimate engagements
IT administrators staging software packages in Temp directories during patch cycles or manual deployments
Dual-use tools like ADExplorer, ProcDump, or BloodHound used by authorized IT/security teams for inventory and health assessments
Developer workstations cloning security tool repositories from GitHub for research or tooling review
Penetration testing firms with approved assessments whose infrastructure overlaps with known offensive tool signatures

Splunk

spl

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval offensive_tool_match=if(
    match(lower(Image), "mimikatz|meterpreter|cobalt|beacon|rubeus|bloodhound|sharphound|certify|certipy|responder|inveigh|lazagne|sliver|havoc|empire|covenant|chisel|ligolo|procdump|dumpert|nanodump|nltest|adrecon")
    OR match(lower(CommandLine), "mimikatz|sekurlsa|kerberos::ptt|lsadump|kerberoast|asreproast|dcsync|invoke-mimikatz|invoke-kerberoast|get-adreplication|sharphound|bloodhound"),
    1, 0
)
| eval lolbin_download=if(
    match(lower(Image), "certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe")
    AND match(lower(CommandLine), "http|ftp|urlcache|transfer|\.zip|\.exe|\.dll|\.ps1"),
    1, 0
)
| eval ps_download=if(
    match(lower(Image), "powershell\.exe|pwsh\.exe")
    AND match(lower(CommandLine), "downloadfile|downloadstring|webclient|invoke-webrequest|iwr|start-bitstransfer|iex|invoke-expression"),
    1, 0
)
| eval staging_path_exec=if(
    match(lower(Image), "\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\")
    AND NOT match(lower(ParentImage), "explorer\.exe|msiexec\.exe|setup\.exe|chrome\.exe|msedge\.exe|firefox\.exe|teams\.exe"),
    1, 0
)
| where offensive_tool_match=1 OR lolbin_download=1 OR ps_download=1 OR staging_path_exec=1
| eval risk_score=case(
    offensive_tool_match=1 AND match(lower(CommandLine), "mimikatz|meterpreter|sekurlsa|lsadump"), 100,
    offensive_tool_match=1 AND match(lower(CommandLine), "rubeus|certify|bloodhound|kerberoast"), 90,
    offensive_tool_match=1, 80,
    ps_download=1 AND match(lower(CommandLine), "iex|invoke-expression|downloadstring"), 85,
    lolbin_download=1 AND match(lower(CommandLine), "certutil.*urlcache|bitsadmin.*transfer"), 80,
    ps_download=1, 70,
    lolbin_download=1, 70,
    staging_path_exec=1, 60,
    true(), 50
)
| eval detection_branch=case(
    offensive_tool_match=1, "OffensiveToolNameMatch",
    lolbin_download=1, "LOLBinCapabilityDownload",
    ps_download=1, "PowerShellDownload",
    staging_path_exec=1, "StagingPathExecution",
    true(), "Unknown"
)
| stats max(risk_score) as max_risk, count as event_count, values(Image) as processes, values(CommandLine) as commands, values(detection_branch) as branches, dc(Computer) as host_count by User, Computer
| where max_risk >= 60
| sort -max_risk

Correlates Sysmon process creation events (EventCode=1) to detect four patterns of capability acquisition: named offensive tool matches in image path or command line, LOLBin-based capability downloads (certutil, bitsadmin), PowerShell download cradle usage, and execution from staging directories by non-standard parent processes. Risk scoring prioritizes known malware/framework names at the top.

high severity medium confidence

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Security teams running authorized red team or vulnerability assessment exercises with known tools
PowerShell download cradles used by legitimate software installers and update mechanisms (e.g., Chocolatey, winget scripts, IT automation)
Certutil used by PKI administrators for certificate operations and legitimate software packaging workflows
Security researchers examining offensive tools in sandboxed lab environments
Backup and monitoring agents that temporarily stage executables in AppData or ProgramData paths during updates

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : ("mimikatz.exe", "rubeus.exe", "cobalt*", "meterpreter*", "psexec.exe",
                      "sharphound.exe", "bloodhound.exe", "crackmapexec.py", "impacket*")
  or process.command_line : ("*-enc *", "*invoke-mimikatz*", "*invoke-bloodhound*")

Elastic EQL detection for Obtain Capabilities. Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (cert

high severity medium confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Authorized penetration testers using offensive security tools
Red team exercises using commercial security testing tools
Security researchers analyzing offensive tools in isolated environments
IT administrators using legitimate dual-use network tools for troubleshooting

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' OR "CommandLine" ILIKE '%invoke-mimikatz%' THEN 100
    WHEN "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%' THEN 95
    WHEN "Image" ILIKE '%bloodhound%' OR "Image" ILIKE '%sharphound%' THEN 85
    WHEN "CommandLine" ILIKE '%-enc %' OR "CommandLine" ILIKE '%bypass%' THEN 70
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' THEN 'Credential Dumping Tool'
    WHEN "Image" ILIKE '%cobalt%' THEN 'C2 Framework'
    WHEN "Image" ILIKE '%bloodhound%' THEN 'AD Recon Tool'
    ELSE 'Offensive Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%mimikatz%' OR "Image" ILIKE '%rubeus%' OR "Image" ILIKE '%bloodhound%'
    OR "Image" ILIKE '%sharphound%' OR "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%'
    OR "CommandLine" ILIKE '%invoke-mimikatz%' OR "CommandLine" ILIKE '%invoke-bloodhound%'
    OR "CommandLine" ILIKE '%-encoded %' OR "CommandLine" ILIKE '%-enc %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

QRadar AQL detection for Obtain Capabilities. Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (cert

high severity medium confidence

Data Sources

Sysmon Event ID 1 Windows Security Event Log

Required Tables

events

False Positives

Authorized penetration testing using offensive security tools
Red team exercises using dual-use security tools
Security researchers analyzing offensive tools in isolated labs
IT administrators using dual-use tools for authorized troubleshooting

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval CommandLower = lower(CommandLine)
| eval ImageLower = lower(Image)
| where matches(ImageLower, "mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket")
   or matches(CommandLower, "invoke-mimikatz|invoke-bloodhound|-encoded |-enc |bypass")
| eval ToolCategory = if(matches(ImageLower, "mimikatz"), "Credential Dumping",
    if(matches(ImageLower, "bloodhound|sharphound"), "AD Reconnaissance",
    if(matches(ImageLower, "cobalt|meterpreter"), "C2 Framework", "Offensive Tool")))
| eval RiskScore = if(ToolCategory = "Credential Dumping", 100,
    if(ToolCategory = "C2 Framework", 95,
    if(ToolCategory = "AD Reconnaissance", 85, 70)))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

Sumo Logic detection for Obtain Capabilities. Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (cert

high severity medium confidence

Data Sources

Sysmon Event ID 1

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized penetration testers running scheduled security assessments
Red team exercises using commercial offensive security tooling
Security researchers analyzing malware in isolated lab environments
Network administrators using dual-use tools for authorized diagnostics

Google Chronicle / SecOps

yaral

rule T1588_offensive_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known offensive security tools"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1588"
    reference = "https://attack.mitre.org/techniques/T1588/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)`) or
      re.regex($e.target.process.command_line, `(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)`)
    )

  condition:
    $e
}

Google Chronicle YARA-L 2.0 detection for Obtain Capabilities. Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (cert

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Authorized penetration testing engagements using commercial offensive tools
Internal red team exercises with pre-approved scope and tooling
Security researchers analyzing offensive capabilities in isolated lab environments
IT administrators using dual-use network tools for authorized diagnostics

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)/
  OR CommandLine = /(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(mimikatz|rubeus)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    ImageFileName = /(?i)(bloodhound|sharphound)/ => ToolCategory := "AD Recon"; RiskScore := "High";
    ImageFileName = /(?i)(cobalt|meterpreter)/ => ToolCategory := "C2 Framework"; RiskScore := "Critical";
    CommandLine = /(?i)(invoke-mimikatz)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    * => ToolCategory := "Offensive Tool"; RiskScore := "High";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

CrowdStrike LogScale (Falcon) CQL detection for Obtain Capabilities. Detects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (cert

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Authorized penetration testing engagements using approved offensive tooling
Internal red team exercises with documented and approved scope
Security researchers in isolated environments analyzing offensive tool capabilities
IT administrators using dual-use network diagnostic tools for authorized tasks

Obtain Capabilities

What is T1588 Obtain Capabilities?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1588

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (7)

Related Techniques

Same Tactic: Resource Development

Popular Detections

What is T1588 Obtain Capabilities?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1588

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (7)

Related Techniques

Same Tactic: Resource Development

Popular Detections

Get new detections in your inbox