Detect Malware in Google Chronicle
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Sub-technique
- T1588.001 Malware
- Canonical reference
- https://attack.mitre.org/techniques/T1588/001/
YARA-L Detection Query
rule t1588_001_acquired_malware_detection {
meta:
author = "Detection Engineering"
description = "Detects indicators of acquired and commodity malware use across process launch, network connection, and file creation event types. Covers known RAT binary names, commodity malware framework command-line strings (Cobalt Strike, Meterpreter, njRAT, QuasarRAT, AsyncRAT, NanoCore, Remcos, Azorult, Agent Tesla, LokiBot, FormBook, RedLine Stealer), LOLBin C2 port connections, and script-interpreter-staged binary payloads."
mitre_attack_tactic = "Resource Development"
mitre_attack_technique = "T1588.001"
mitre_attack_technique_name = "Obtain Capabilities: Malware"
severity = "HIGH"
confidence = "MEDIUM"
version = "1.1"
created = "2026-04-13"
events:
(
// Branch 1a: Process launch — known commodity RAT or C2 framework binary file names
$e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex(
$e.target.process.file.full_path,
`(?i)(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$`
)
)
or
(
// Branch 1b: Process launch — commodity malware strings in command line, excluding browser/IDE parents
$e.metadata.event_type = "PROCESS_LAUNCH"
and re.regex(
$e.target.process.command_line,
`(?i)(njrat|quasar(rat)?|asyncrat|async[ _]rat|nanocore|nano[ _]core|remcos(rat)?|azorult|a[-_]zorult|meterpreter|cobaltstr|cobalt[ _]strike|agent[ _]?tesla|agentTesla|lokibot|loki[ _]bot|formbook|form[ _]book|redlinestealer|red[ _]line)`
)
and not re.regex(
$e.principal.process.file.full_path,
`(?i)(chrome|msedge|firefox|code|devenv|notepad|explorer)\.exe$`
)
)
or
(
// Branch 2: LOLBin initiates outbound connection to known commodity C2 or RAT listener port
$e.metadata.event_type = "NETWORK_CONNECTION"
and $e.network.direction = "OUTBOUND"
and $e.target.port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777)
and not net.ip_in_range_cidr($e.target.ip, "10.0.0.0/8")
and not net.ip_in_range_cidr($e.target.ip, "172.16.0.0/12")
and not net.ip_in_range_cidr($e.target.ip, "192.168.0.0/16")
and not net.ip_in_range_cidr($e.target.ip, "127.0.0.0/8")
and re.regex(
$e.principal.process.file.full_path,
`(?i)(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$`
)
)
or
(
// Branch 3: Script interpreter drops binary staging payload to user-writable path
$e.metadata.event_type = "FILE_CREATION"
and re.regex(
$e.target.file.full_path,
`(?i)(\\appdata\\roaming\\|\\appdata\\local\\temp\\|\\programdata\\|\\windows\\temp\\|\\users\\public\\)`
)
and re.regex($e.target.file.full_path, `(?i)\.(bin|dat|tmp)$`)
and re.regex(
$e.principal.process.file.full_path,
`(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$`
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting commodity/acquired malware use via four detection branches mapped to UDM event types: PROCESS_LAUNCH matching known RAT binary names; PROCESS_LAUNCH with commodity malware framework strings in command lines excluding browser/IDE parent processes; NETWORK_CONNECTION from LOLBin processes to known C2 listener ports on non-RFC1918 IPs; FILE_CREATION of .bin/.dat/.tmp payloads to user-writable Windows paths by script interpreters. Fires on any single event matching any branch.
Data Sources
Required Tables
False Positives & Tuning
- Licensed Cobalt Strike or authorised Metasploit Framework use during penetration testing engagements — add principal.hostname entity exceptions or a reference list of authorised red team asset hostnames
- Build and packaging pipelines using PowerShell or cmd.exe that write .bin or .dat binary artifacts to AppData or ProgramData directories as part of legitimate software deployment workflows
- Security analysis sandboxes or dynamic malware analysis environments that launch known malware samples for analysis — scope detection to production endpoints only by excluding sandbox hostname patterns
Other platforms for T1588.001
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate njRAT/QuasarRAT Binary Name Pattern
Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.
- Test 2Beacon-Pattern Network Connection to Non-Standard Port
Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless.
- Test 3Infostealer Credential Target Access Simulation
Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.
- Test 4Cobalt Strike Default C2 Port Connection Attempt
Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. DNS query may be logged if name resolution was attempted.
- Test 5Commodity Malware Dynamic DNS Resolution
Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
References (12)
- https://attack.mitre.org/techniques/T1588/001/
- https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
- https://www.proofpoint.com/us/blog/threat-insight/ta2541-flying-under-radar
- https://www.crowdstrike.com/blog/aquatic-panda-targets-higher-education-with-novel-tools-ttps/
- https://www.kaspersky.com/blog/luminousmoth-apt/
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/
- https://abuse.ch/blog/threatfox/
- https://bazaar.abuse.ch/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1588.001/T1588.001.md
- https://blog.talosintelligence.com/2022/09/from-the-labs-cobalt-strike-detection.html
- https://thedfirreport.com/
- https://www.sentinelone.com/labs/metador-le-meteore-des-apt/
Unlock Pro Content
Get the full detection package for T1588.001 including response playbook, investigation guide, and atomic red team tests.