T1588.001

Malware

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

Microsoft Sentinel / Defender

kusto

// T1588.001 — Acquired Malware Detection
// Detection pivots to observable indicators of commodity/acquired malware in use within the environment,
// since the acquisition itself occurs externally. Covers security alerts, behavioral process patterns,
// C2 network signatures, and file artifacts consistent with known commodity malware families.
let KnownMalwareFamilies = dynamic([
    "cobalt strike", "cobaltstrike", "cobalt_strike",
    "njrat", "nj rat", "njw0rm",
    "azorult", "a-zorult", "azor",
    "redline", "redlinestealer", "red line",
    "quasar", "quasarrat",
    "asyncrat", "async rat",
    "nanocore", "nano core",
    "remcos", "remcosrat",
    "darkcomet", "dark comet",
    "lokibot", "loki bot",
    "formbook", "form book",
    "agent tesla", "agentTesla",
    "meterpreter", "metasploit",
    "emotet", "trickbot", "icedid",
    "blackcat", "alphv", "lockbit"
]);
let SuspiciousLOLBinC2Ports = dynamic([4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777]);
// Branch 1: Microsoft Defender / Sentinel security alerts matching known commodity malware families
let Branch1_MalwareAlerts = SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in ("High", "Medium")
| where AlertName has_any (KnownMalwareFamilies)
    or Description has_any (KnownMalwareFamilies)
    or Entities has_any (KnownMalwareFamilies)
| extend MalwareFamily = case(
    AlertName has "cobalt" or Description has "cobalt", "Cobalt Strike",
    AlertName has "njrat" or Description has "njrat", "njRAT",
    AlertName has "azorult" or Description has "azorult", "Azorult",
    AlertName has "redline" or Description has "redline", "RedLine Stealer",
    AlertName has "quasar" or Description has "quasar", "QuasarRAT",
    AlertName has "asyncrat" or Description has "asyncrat", "AsyncRAT",
    AlertName has "nanocore" or Description has "nanocore", "NanoCore",
    AlertName has "remcos" or Description has "remcos", "Remcos",
    AlertName has "lokibot" or Description has "lokibot", "LokiBot",
    AlertName has "formbook" or Description has "formbook", "FormBook",
    AlertName has "agent tesla" or Description has "agent tesla", "Agent Tesla",
    AlertName has "meterpreter" or Description has "meterpreter", "Meterpreter",
    "Unknown Commodity Malware"
)
| extend DetectionBranch = "SecurityAlert"
| project TimeGenerated, DeviceName=CompromisedEntity, DetectionBranch, MalwareFamily,
          AlertName, Severity=AlertSeverity, Details=Description, SystemAlertId;
// Branch 2: Process creation matching known commodity RAT binary name patterns
// Covers cases where adversaries use default or slightly modified binary names
let Branch2_ProcessPatterns = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("beacon.exe", "beacon32.exe", "beacon64.exe",
                       "stager.exe", "stager32.exe", "stager64.exe",
                       "injector.exe", "loader.exe", "dropper.exe",
                       "njrat.exe", "client.exe", "rat.exe")
    or (ProcessCommandLine has_any ("njrat", "quasar", "asyncrat", "nanocore", "remcos",
                                     "azorult", "meterpreter", "cobaltstr")
        and not (InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe",
                                                  "code.exe", "devenv.exe", "notepad.exe")))
| extend MalwareFamily = case(
    FileName has "beacon" or ProcessCommandLine has "cobalt", "Cobalt Strike",
    ProcessCommandLine has "njrat", "njRAT",
    ProcessCommandLine has "quasar", "QuasarRAT",
    ProcessCommandLine has "asyncrat", "AsyncRAT",
    ProcessCommandLine has "nanocore", "NanoCore",
    ProcessCommandLine has "remcos", "Remcos",
    ProcessCommandLine has "meterpreter", "Meterpreter",
    "Commodity Malware Binary"
)
| extend DetectionBranch = "ProcessExecution"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName=strcat("Commodity malware binary: ", FileName),
          Severity="High",
          Details=ProcessCommandLine,
          SystemAlertId=tostring(ProcessId);
// Branch 3: LOLBin/unusual process initiating connections on known commodity C2 ports
// Cobalt Strike default listener port 50050, Metasploit 4444, common RAT ports
let Branch3_C2Ports = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (SuspiciousLOLBinC2Ports)
    and RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe",
    "odbcconf.exe", "certutil.exe", "bitsadmin.exe",
    "explorer.exe", "svchost.exe"
)
| extend MalwareFamily = case(
    RemotePort == 50050, "Cobalt Strike (Teamserver default)",
    RemotePort == 4444, "Metasploit/Generic RAT",
    RemotePort == 31337, "Back Orifice/Elite Backdoor",
    "Unknown Commodity C2"
)
| extend DetectionBranch = "C2NetworkPattern"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName="LOLBin C2 port connection — possible commodity malware beacon",
          Severity="High",
          Details=strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort)),
          SystemAlertId=tostring(RemotePort);
// Branch 4: Malware-associated file extensions dropped in suspicious locations
let Branch4_FileArtifacts = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (@"\AppData\Roaming", @"\AppData\Local\Temp", @"\ProgramData",
                              @"\Windows\Temp", @"\Users\Public")
    and FileName has_any (".bin", ".dat", ".tmp")
    and FileSize > 102400  // >100KB — filter tiny files
| where InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe"
)
| extend MalwareFamily = "Payload Drop — Commodity Malware Staging"
| extend DetectionBranch = "StagingFileArtifact"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName="Suspicious binary dropped to staging location by script interpreter",
          Severity="Medium",
          Details=strcat(InitiatingProcessFileName, " created ", FolderPath, "\\", FileName, " (", tostring(FileSize), " bytes)"),
          SystemAlertId=SHA256;
// Union all detection branches
union Branch1_MalwareAlerts, Branch2_ProcessPatterns, Branch3_C2Ports, Branch4_FileArtifacts
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Alert: Security Alert Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Microsoft Defender for Endpoint Microsoft Sentinel

Required Tables

SecurityAlert DeviceProcessEvents DeviceNetworkEvents DeviceFileEvents

False Positives

Security researchers and red team operators running authorized commodity tooling (Cobalt Strike, Metasploit) on lab or pentest endpoints — these should have change tickets and known source IPs
Legitimate software using port 4444 or other common RAT ports for non-malicious purposes (some development tools, database management suites, IoT platforms)
Antivirus/EDR vendors whose product names or detection strings mention malware family names in alert titles, triggering Branch 1 on benign informational telemetry
Automated malware analysis sandbox submissions where known samples are run in controlled environments for detection engineering or threat intel purposes
Binary packing and protection tools (Themida, VMProtect) used legitimately by software vendors may produce behavioral similarities to commodity packer detections
Software deployment scripts (SCCM, Intune, Ansible) dropping .bin or .dat files to temp locations via cmd.exe or PowerShell may trigger Branch 4

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval detection_branch="ProcessExecution"
  | eval image_lower=lower(Image)
  | eval cmdline_lower=lower(CommandLine)
  | eval malware_family=case(
      match(image_lower, "(beacon|beacon32|beacon64)\.exe"), "Cobalt Strike Beacon",
      match(image_lower, "(stager|stager32|stager64|injector|dropper)\.exe"), "Generic Stager/Dropper",
      match(image_lower, "njrat\.exe") OR match(cmdline_lower, "njrat"), "njRAT",
      match(cmdline_lower, "(quasar|quasarrat)"), "QuasarRAT",
      match(cmdline_lower, "(asyncrat|async rat)"), "AsyncRAT",
      match(cmdline_lower, "(nanocore|nano core)"), "NanoCore",
      match(cmdline_lower, "remcos"), "Remcos",
      match(cmdline_lower, "(azorult|a-zorult)"), "Azorult",
      match(cmdline_lower, "meterpreter"), "Meterpreter",
      match(cmdline_lower, "(cobaltstr|cobalt strike)"), "Cobalt Strike",
      true(), null()
  )
  | where isnotnull(malware_family)
  | eval severity="high"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval detection_branch="C2NetworkPattern"
  | eval image_lower=lower(Image)
  | where (DestinationPort IN ("4444","31337","50050","9999","8888","6666","5555","7777","1234"))
      AND NOT (DestinationIp="10.*" OR DestinationIp="172.16.*" OR DestinationIp="192.168.*" OR DestinationIp="127.*")
      AND (match(image_lower, "(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe"))
  | eval malware_family=case(
      DestinationPort="50050", "Cobalt Strike (Teamserver default port)",
      DestinationPort="4444", "Metasploit default listener",
      DestinationPort="31337", "Back Orifice/Elite Backdoor",
      true(), "Unknown Commodity C2"
  )
  | eval severity="high"
  | table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval detection_branch="StagingFileArtifact"
  | eval target_lower=lower(TargetFilename)
  | eval image_lower=lower(Image)
  | where match(image_lower, "(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe")
      AND (match(target_lower, "\\appdata\\roaming\\") OR match(target_lower, "\\appdata\\local\\temp\\") OR
           match(target_lower, "\\programdata\\") OR match(target_lower, "\\windows\\temp\\") OR
           match(target_lower, "\\users\\public\\"))
      AND match(target_lower, "\.(bin|dat|tmp)$")
  | eval malware_family="Commodity Malware Staging — binary payload drop"
  | eval severity="medium"
  | table _time, host, User, Image, CommandLine, TargetFilename, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  | eval detection_branch="ProcessExecutionSecurity"
  | eval cmdline_lower=lower(New_Process_Name)
  | eval malware_family=case(
      match(cmdline_lower, "(beacon|beacon32|beacon64)\.exe"), "Cobalt Strike Beacon",
      match(cmdline_lower, "(stager|injector|dropper)\.exe"), "Generic Stager/Dropper",
      match(cmdline_lower, "njrat\.exe"), "njRAT",
      true(), null()
  )
  | where isnotnull(malware_family)
  | eval severity="high"
  | rename New_Process_Name AS Image, Process_Command_Line AS CommandLine, Creator_Process_Name AS ParentImage, Subject_Account_Name AS User
  | table _time, host, User, Image, CommandLine, ParentImage, malware_family, severity, detection_branch
]
| sort - _time
| rename host AS device, _time AS event_time
| table event_time, device, User, Image, CommandLine, DestinationIp, DestinationPort, TargetFilename, malware_family, severity, detection_branch

high severity medium confidence

Data Sources

Process: Process Creation Network Traffic: Network Connection Creation File: File Creation Sysmon Event ID 1 Sysmon Event ID 3 Sysmon Event ID 11 Windows Security Event ID 4688

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Security researchers and authorized red team operators running commodity offensive tooling (Cobalt Strike, Metasploit) in lab environments
Port 4444 used by legitimate development tools or database management interfaces that happen to listen on this port
Software deployment automation dropping compiled .bin or .dat configuration files to temp directories via PowerShell or cmd.exe
Threat hunting or incident response tools that include malware family strings in their binary names or command-line arguments for analysis purposes
Managed security service provider (MSSP) tooling that uses Cobalt Strike under license for authorized assessments — will generate noise if the MSSP endpoint is monitored by this detection

Elastic Security (EQL)

eql

any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.name like~ ("beacon.exe", "beacon32.exe", "beacon64.exe", "stager.exe", "stager32.exe", "stager64.exe", "injector.exe", "loader.exe", "dropper.exe", "njrat.exe", "rat.exe")
      or
      (
        process.command_line like~ ("*njrat*", "*quasar*", "*asyncrat*", "*nanocore*", "*remcos*", "*azorult*", "*meterpreter*", "*cobaltstr*", "*cobalt strike*", "*agent tesla*", "*agentTesla*", "*lokibot*", "*formbook*", "*redlinestealer*", "*red line*")
        and not process.parent.name like~ ("chrome.exe", "msedge.exe", "firefox.exe", "code.exe", "devenv.exe", "notepad.exe")
      )
    )
  )
  or
  (
    event.category == "network" and event.type in ("start", "connection") and
    destination.port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777) and
    not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
    process.name like~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "odbcconf.exe", "certutil.exe", "bitsadmin.exe", "explorer.exe", "svchost.exe")
  )
  or
  (
    event.category == "file" and event.type == "creation" and
    file.path like~ ("*\\appdata\\roaming\\*", "*\\appdata\\local\\temp\\*", "*\\programdata\\*", "*\\windows\\temp\\*", "*\\users\\public\\*") and
    file.name like~ ("*.bin", "*.dat", "*.tmp") and
    process.name like~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
  )

high severity medium confidence

Data Sources

Elastic Endpoint (logs-endpoint.events.process-*, logs-endpoint.events.network-*, logs-endpoint.events.file-*) Winlogbeat with Sysmon module (winlogbeat-*)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Authorised penetration testing or red team engagements using licensed Cobalt Strike, Metasploit Framework, or commodity RAT frameworks will match all three detection branches — maintain a suppression list of authorised red team host names and engagement time windows
Software development or CI/CD pipelines that invoke PowerShell or cmd.exe to compile or package binary artifacts with .bin or .dat extensions to AppData or ProgramData paths will match the staging file artifact branch
Legitimate network management software, VoIP clients, or game engines that operate on ports 8888, 9999, or 7777 and run hosted under svchost.exe or explorer.exe will match the C2 network port branch

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  "EventID" AS windows_event_id,
  LOWER("Image") AS process_image,
  LOWER("CommandLine") AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_file,
  CASE
    WHEN "EventID" IN ('1','4688') AND LOWER("Image") MATCHES '.*\b(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$' THEN 'Commodity Malware Binary Name'
    WHEN "EventID" IN ('1','4688') AND LOWER("CommandLine") MATCHES '.*(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer).*' THEN 'Commodity Malware Command Line'
    WHEN "EventID" = '3' AND destinationport IN (4444,31337,50050,9999,8888,6666,5555,7777,1234) THEN 'LOLBin C2 Port Connection'
    WHEN "EventID" = '11' THEN 'Staging File Artifact'
    ELSE 'Unknown'
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Microsoft Sysmon')
  AND (
    (
      "EventID" IN ('1', '4688')
      AND (
        LOWER("Image") MATCHES '.*\b(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$'
        OR (
          LOWER("CommandLine") MATCHES '.*(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer).*'
          AND NOT LOWER("ParentImage") MATCHES '.*(chrome|msedge|firefox|code|devenv|notepad)\.exe$'
        )
      )
    )
    OR (
      "EventID" = '3'
      AND destinationport IN (4444, 31337, 50050, 9999, 8888, 6666, 5555, 7777, 1234)
      AND NOT (
        destinationip LIKE '10.%' OR destinationip LIKE '172.16.%' OR destinationip LIKE '172.17.%'
        OR destinationip LIKE '172.18.%' OR destinationip LIKE '172.19.%' OR destinationip LIKE '172.20.%'
        OR destinationip LIKE '172.21.%' OR destinationip LIKE '172.22.%' OR destinationip LIKE '172.23.%'
        OR destinationip LIKE '172.24.%' OR destinationip LIKE '172.25.%' OR destinationip LIKE '172.26.%'
        OR destinationip LIKE '172.27.%' OR destinationip LIKE '172.28.%' OR destinationip LIKE '172.29.%'
        OR destinationip LIKE '172.30.%' OR destinationip LIKE '172.31.%'
        OR destinationip LIKE '192.168.%' OR destinationip = '127.0.0.1'
      )
      AND LOWER("Image") MATCHES '.*(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$'
    )
    OR (
      "EventID" = '11'
      AND (
        LOWER("TargetFilename") LIKE '%\\appdata\\roaming\\%'
        OR LOWER("TargetFilename") LIKE '%\\appdata\\local\\temp\\%'
        OR LOWER("TargetFilename") LIKE '%\\programdata\\%'
        OR LOWER("TargetFilename") LIKE '%\\windows\\temp\\%'
        OR LOWER("TargetFilename") LIKE '%\\users\\public\\%'
      )
      AND (
        LOWER("TargetFilename") LIKE '%.bin'
        OR LOWER("TargetFilename") LIKE '%.dat'
        OR LOWER("TargetFilename") LIKE '%.tmp'
      )
      AND LOWER("Image") MATCHES '.*(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$'
    )
  )
  AND devicetime > NOW() - 86400000
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Sysmon via Windows Event Log log source Windows Security Event Log (4688 with process command-line audit policy enabled)

Required Tables

events

False Positives

Authorised red team or internal penetration testing activity using Cobalt Strike, Metasploit, or commodity RATs will trigger all three branches — create building blocks with a whitelist of authorised red team source IPs and schedule offsets
Build servers or CI agents (Jenkins, TeamCity, Azure DevOps agents) that run powershell.exe or cmd.exe to package binary artifacts into ProgramData or AppData directories during deployments will match the staging file artifact branch
Remote monitoring and management (RMM) agents such as ConnectWise Control or Datto RMM that operate on non-standard ports and communicate via svchost-hosted DLLs may match the C2 network port branch

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _index=sec_record*)
| where %"metadata.deviceEventId" in ("1", "3", "11", "4688")
| eval image_lower = toLowerCase(%"fields.Image")
| eval cmdline_lower = toLowerCase(%"fields.CommandLine")
| eval target_lower = toLowerCase(%"fields.TargetFilename")
| eval dst_port = toLong(%"fields.DestinationPort")
// Branch 1: Process execution — commodity malware binary names or command-line patterns
| eval proc_match = if(
    %"metadata.deviceEventId" in ("1", "4688") and (
      matches(image_lower, "(?i)(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\\.exe$")
      or (
        matches(cmdline_lower, "(?i)(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)")
        and not matches(image_lower, "(?i)(chrome|msedge|firefox|code|devenv|notepad)\\.exe$")
      )
    ),
    "true", "false"
  )
// Branch 2: LOLBin C2 port connection
| eval net_match = if(
    %"metadata.deviceEventId" = "3"
    and dst_port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777)
    and !isPrivateIP(%"fields.DestinationIp")
    and matches(image_lower, "(?i)(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\\.exe$"),
    "true", "false"
  )
// Branch 3: Script interpreter staging binary payload to writable path
| eval file_match = if(
    %"metadata.deviceEventId" = "11"
    and (
      contains(target_lower, "\\appdata\\roaming\\") or contains(target_lower, "\\appdata\\local\\temp\\")
      or contains(target_lower, "\\programdata\\") or contains(target_lower, "\\windows\\temp\\")
      or contains(target_lower, "\\users\\public\\")
    )
    and (endsWith(target_lower, ".bin") or endsWith(target_lower, ".dat") or endsWith(target_lower, ".tmp"))
    and matches(image_lower, "(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\\.exe$"),
    "true", "false"
  )
| where proc_match = "true" or net_match = "true" or file_match = "true"
| eval detection_branch = if(proc_match = "true", "ProcessExecution",
    if(net_match = "true", "C2NetworkPattern", "StagingFileArtifact"))
| eval malware_family = if(matches(image_lower, "(?i)(beacon|beacon32|beacon64)\\.exe$"), "Cobalt Strike",
    if(matches(image_lower, "njrat\\.exe$") or matches(cmdline_lower, "njrat"), "njRAT",
    if(matches(cmdline_lower, "quasar"), "QuasarRAT",
    if(matches(cmdline_lower, "asyncrat"), "AsyncRAT",
    if(matches(cmdline_lower, "nanocore"), "NanoCore",
    if(matches(cmdline_lower, "remcos"), "Remcos",
    if(matches(cmdline_lower, "meterpreter"), "Meterpreter",
    if(matches(cmdline_lower, "cobalt"), "Cobalt Strike",
    if(net_match = "true" and dst_port = 50050, "Cobalt Strike (Teamserver default)",
    if(net_match = "true" and dst_port = 4444, "Metasploit default listener",
    if(net_match = "true" and dst_port = 31337, "Back Orifice/Elite",
    if(file_match = "true", "Commodity Malware Staging",
    "Unknown Commodity Malware"))))))))))))
| fields _time, %"metadata.deviceHostName", %"fields.User", %"fields.Image", %"fields.CommandLine", %"fields.DestinationIp", %"fields.DestinationPort", %"fields.TargetFilename", malware_family, detection_branch
| sort by _time desc

high severity medium confidence

Data Sources

Sysmon logs forwarded to Sumo Logic via Installed Collector or Cloud-to-Cloud Sumo Logic Cloud SIEM Enterprise (CSE) normalized Windows endpoint records

Required Tables

Raw Sysmon/Windows Event Log source data sec_record index (CSE normalized records)

False Positives

Authorised offensive security tooling (licensed Cobalt Strike, Metasploit, Sliver C2) used in red team engagements — coordinate with security operations to create scheduled suppression rules for known red team host names and engagement time windows
Software packaging or installer frameworks (NSIS, WiX, InstallShield) that invoke cmd.exe or PowerShell as part of the install process and write binary payload files to ProgramData or AppData paths
Remote admin and RMM tools (ConnectWise, TeamViewer, Datto, Kaseya) running via svchost-hosted service DLLs that communicate on non-standard high ports — build a lookup table of authorised RMM destination IPs for suppression

Google Chronicle / SecOps

yaral

rule t1588_001_acquired_malware_detection {
  meta:
    author = "Detection Engineering"
    description = "Detects indicators of acquired and commodity malware use across process launch, network connection, and file creation event types. Covers known RAT binary names, commodity malware framework command-line strings (Cobalt Strike, Meterpreter, njRAT, QuasarRAT, AsyncRAT, NanoCore, Remcos, Azorult, Agent Tesla, LokiBot, FormBook, RedLine Stealer), LOLBin C2 port connections, and script-interpreter-staged binary payloads."
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.001"
    mitre_attack_technique_name = "Obtain Capabilities: Malware"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.1"
    created = "2026-04-13"

  events:
    (
      // Branch 1a: Process launch — known commodity RAT or C2 framework binary file names
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex(
        $e.target.process.file.full_path,
        `(?i)(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$`
      )
    )
    or
    (
      // Branch 1b: Process launch — commodity malware strings in command line, excluding browser/IDE parents
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex(
        $e.target.process.command_line,
        `(?i)(njrat|quasar(rat)?|asyncrat|async[ _]rat|nanocore|nano[ _]core|remcos(rat)?|azorult|a[-_]zorult|meterpreter|cobaltstr|cobalt[ _]strike|agent[ _]?tesla|agentTesla|lokibot|loki[ _]bot|formbook|form[ _]book|redlinestealer|red[ _]line)`
      )
      and not re.regex(
        $e.principal.process.file.full_path,
        `(?i)(chrome|msedge|firefox|code|devenv|notepad|explorer)\.exe$`
      )
    )
    or
    (
      // Branch 2: LOLBin initiates outbound connection to known commodity C2 or RAT listener port
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.network.direction = "OUTBOUND"
      and $e.target.port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777)
      and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
      and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
      and re.regex(
        $e.principal.process.file.full_path,
        `(?i)(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$`
      )
    )
    or
    (
      // Branch 3: Script interpreter drops binary staging payload to user-writable path
      $e.metadata.event_type = "FILE_CREATION"
      and re.regex(
        $e.target.file.full_path,
        `(?i)(\\appdata\\roaming\\|\\appdata\\local\\temp\\|\\programdata\\|\\windows\\temp\\|\\users\\public\\)`
      )
      and re.regex($e.target.file.full_path, `(?i)\.(bin|dat|tmp)$`)
      and re.regex(
        $e.principal.process.file.full_path,
        `(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$`
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM event stream Google Chronicle Forwarder ingesting Windows endpoint telemetry Sysmon logs parsed and forwarded to Chronicle

Required Tables

UDM events (PROCESS_LAUNCH, NETWORK_CONNECTION, FILE_CREATION)

False Positives

Licensed Cobalt Strike or authorised Metasploit Framework use during penetration testing engagements — add principal.hostname entity exceptions or a reference list of authorised red team asset hostnames
Build and packaging pipelines using PowerShell or cmd.exe that write .bin or .dat binary artifacts to AppData or ProgramData directories as part of legitimate software deployment workflows
Security analysis sandboxes or dynamic malware analysis environments that launch known malware samples for analysis — scope detection to production endpoints only by excluding sandbox hostname patterns

CrowdStrike LogScale (CQL)

cql

// T1588.001 — Acquired Malware Detection (CrowdStrike Falcon LogScale)
// Branch 1: Process creation — commodity malware binary names or framework command-line strings
#event_simpleName in (ProcessRollup2, SyntheticProcessRollupV2)
| ImageFileName_lower := lower(ImageFileName)
| CommandLine_lower := lower(CommandLine)
| ParentImageFileName_lower := lower(ParentBaseFileName)
| case {
    // Commodity RAT binary name match
    ImageFileName_lower = /(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$/i
    | detection_branch := "ProcessExecution"
    | malware_family := case(
        ImageFileName_lower = /(beacon|beacon32|beacon64)\.exe$/i, "Cobalt Strike Beacon",
        ImageFileName_lower = /njrat\.exe$/i, "njRAT",
        ImageFileName_lower = /(stager|stager32|stager64)\.exe$/i, "Generic Stager",
        ImageFileName_lower = /(injector|dropper)\.exe$/i, "Generic Dropper",
        true(), "Commodity Malware Binary"
      )
    ;
    // Commodity malware command-line string match, excluding browser/IDE parents
    CommandLine_lower = /(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)/i
    AND NOT ParentImageFileName_lower = /(chrome|msedge|firefox|code|devenv|notepad)\.exe$/i
    | detection_branch := "ProcessExecution"
    | malware_family := case(
        CommandLine_lower = /njrat/i, "njRAT",
        CommandLine_lower = /quasar/i, "QuasarRAT",
        CommandLine_lower = /asyncrat/i, "AsyncRAT",
        CommandLine_lower = /nanocore/i, "NanoCore",
        CommandLine_lower = /remcos/i, "Remcos",
        CommandLine_lower = /azorult/i, "Azorult",
        CommandLine_lower = /meterpreter/i, "Meterpreter",
        CommandLine_lower = /cobalt/i, "Cobalt Strike",
        CommandLine_lower = /agent.?tesla/i, "Agent Tesla",
        CommandLine_lower = /lokibot/i, "LokiBot",
        CommandLine_lower = /formbook/i, "FormBook",
        CommandLine_lower = /redlinestealer/i, "RedLine Stealer",
        true(), "Commodity Malware Command"
      )
    ;
    // No match — drop event from results
    true() | drop()
  }
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, malware_family, detection_branch])

union

// Branch 2: LOLBin initiating outbound connection to known commodity C2 or RAT listener port
{
  #event_simpleName = NetworkConnectIP4
  | ImageFileName_lower := lower(ImageFileName)
  | where RemotePort in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777)
  | where not cidr(RemoteIP, subnet="10.0.0.0/8")
  | where not cidr(RemoteIP, subnet="172.16.0.0/12")
  | where not cidr(RemoteIP, subnet="192.168.0.0/16")
  | where not cidr(RemoteIP, subnet="127.0.0.0/8")
  | where ImageFileName_lower = /(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$/i
  | detection_branch := "C2NetworkPattern"
  | malware_family := case(
      RemotePort = 50050, "Cobalt Strike (Teamserver default port)",
      RemotePort = 4444, "Metasploit default listener",
      RemotePort = 31337, "Back Orifice / Elite Backdoor",
      true(), "Unknown Commodity C2"
    )
  | select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, RemoteIP, RemotePort, malware_family, detection_branch])
}
| sort(@timestamp, order=desc, limit=500)

high severity medium confidence

Data Sources

CrowdStrike Falcon sensor telemetry (ProcessRollup2, SyntheticProcessRollupV2, NetworkConnectIP4) Falcon Event Stream

Required Tables

ProcessRollup2 SyntheticProcessRollupV2 NetworkConnectIP4

False Positives

Authorised red team use of licensed Cobalt Strike, Metasploit, or Sliver C2 will generate ProcessRollup2 matches for payload binary names and NetworkConnectIP4 matches on default listener ports — maintain an exclusion reference list of authorised red team ComputerName values
Falcon's own prevention engine or third-party EDR/AV tools may generate synthetic ProcessRollup2 events for quarantined or analysed malware samples, potentially matching binary name patterns — verify against Falcon Prevention Policy exclusion logs
Industrial control system (ICS) or network management tools that communicate on ports such as 4444, 8888, or 9999 and run as svchost-hosted services may match the C2 network port branch — build a Falcon custom IOA exclusion for known management server destination IPs

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1588.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.002Tool T1588.003Code Signing Certificates T1588.004Digital Certificates T1588.005Exploits T1588.006Vulnerabilities T1588.007Artificial Intelligence

Malware

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections