T1588.001 Elastic Security · Elastic

Detect Malware in Elastic Security

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.001 Malware
Canonical reference
https://attack.mitre.org/techniques/T1588/001/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.category == "process" and event.type == "start" and
    (
      process.name like~ ("beacon.exe", "beacon32.exe", "beacon64.exe", "stager.exe", "stager32.exe", "stager64.exe", "injector.exe", "loader.exe", "dropper.exe", "njrat.exe", "rat.exe")
      or
      (
        process.command_line like~ ("*njrat*", "*quasar*", "*asyncrat*", "*nanocore*", "*remcos*", "*azorult*", "*meterpreter*", "*cobaltstr*", "*cobalt strike*", "*agent tesla*", "*agentTesla*", "*lokibot*", "*formbook*", "*redlinestealer*", "*red line*")
        and not process.parent.name like~ ("chrome.exe", "msedge.exe", "firefox.exe", "code.exe", "devenv.exe", "notepad.exe")
      )
    )
  )
  or
  (
    event.category == "network" and event.type in ("start", "connection") and
    destination.port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777) and
    not cidrmatch(destination.ip, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8") and
    process.name like~ ("rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe", "odbcconf.exe", "certutil.exe", "bitsadmin.exe", "explorer.exe", "svchost.exe")
  )
  or
  (
    event.category == "file" and event.type == "creation" and
    file.path like~ ("*\\appdata\\roaming\\*", "*\\appdata\\local\\temp\\*", "*\\programdata\\*", "*\\windows\\temp\\*", "*\\users\\public\\*") and
    file.name like~ ("*.bin", "*.dat", "*.tmp") and
    process.name like~ ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")
  )
high severity medium confidence

Detects use of acquired commodity malware via three behavioral branches using Elastic Common Schema fields: (1) process creation matching known RAT/C2 binary names or commodity malware framework strings in command lines, excluding browser and IDE parent processes; (2) LOLBin processes initiating outbound connections to known commodity C2 and RAT listener ports on public IPs; (3) script interpreters dropping binary staging payloads with .bin/.dat/.tmp extensions to user-writable Windows paths.

Data Sources

Elastic Endpoint (logs-endpoint.events.process-*, logs-endpoint.events.network-*, logs-endpoint.events.file-*)Winlogbeat with Sysmon module (winlogbeat-*)

Required Tables

logs-endpoint.events.process-*logs-endpoint.events.network-*logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Authorised penetration testing or red team engagements using licensed Cobalt Strike, Metasploit Framework, or commodity RAT frameworks will match all three detection branches — maintain a suppression list of authorised red team host names and engagement time windows
  • Software development or CI/CD pipelines that invoke PowerShell or cmd.exe to compile or package binary artifacts with .bin or .dat extensions to AppData or ProgramData paths will match the staging file artifact branch
  • Legitimate network management software, VoIP clients, or game engines that operate on ports 8888, 9999, or 7777 and run hosted under svchost.exe or explorer.exe will match the C2 network port branch
Download portable Sigma rule (.yml)

Other platforms for T1588.001

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate njRAT/QuasarRAT Binary Name Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.

  2. Test 2Beacon-Pattern Network Connection to Non-Standard Port

    Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless.

  3. Test 3Infostealer Credential Target Access Simulation

    Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.

  4. Test 4Cobalt Strike Default C2 Port Connection Attempt

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. DNS query may be logged if name resolution was attempted.

  5. Test 5Commodity Malware Dynamic DNS Resolution

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.

Last updated: 2026-04-13 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1588.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.002ToolT1588.003Code Signing CertificatesT1588.004Digital CertificatesT1588.005ExploitsT1588.006VulnerabilitiesT1588.007Artificial Intelligence

Related Techniques

T1588Obtain CapabilitiesT1587.001MalwareT1566PhishingT1566.001Spearphishing AttachmentT1105Ingress Tool TransferT1055Process InjectionT1071.001Web ProtocolsT1041Exfiltration Over C2 ChannelT1539Steal Web Session CookieT1555Credentials from Password StoresT1543.003Windows ServiceT1547.001Registry Run Keys / Startup Folder

Same Tactic: Resource Development

Popular Detections