T1588.001 CrowdStrike LogScale · LogScale

Detect Malware in CrowdStrike LogScale

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1588 Obtain Capabilities
Sub-technique: T1588.001 Malware
Canonical reference: https://attack.mitre.org/techniques/T1588/001/

LogScale Detection Query

// T1588.001 — Acquired Malware Detection (CrowdStrike Falcon LogScale)
// All three event types are pulled in once and routed by a single case{} block. LogScale has no
// union operator; a case{} with no default (*) branch drops every event that matches no branch.
#event_simpleName=/^(ProcessRollup2|SyntheticProcessRollupV2|NetworkConnectIP4)$/
| ImageFileName_lower := lower(ImageFileName)
| CommandLine_lower := lower(CommandLine)
| ParentBaseFileName_lower := lower(ParentBaseFileName)
| case {
    // Branch 1a: process creation — commodity RAT / framework binary name
    #event_simpleName=/^(ProcessRollup2|SyntheticProcessRollupV2)$/
    ImageFileName_lower=/(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$/
    | detection_branch := "ProcessExecution"
    | case {
        ImageFileName_lower=/(beacon|beacon32|beacon64)\.exe$/ | malware_family := "Cobalt Strike Beacon";
        ImageFileName_lower=/njrat\.exe$/ | malware_family := "njRAT";
        ImageFileName_lower=/(stager|stager32|stager64)\.exe$/ | malware_family := "Generic Stager";
        ImageFileName_lower=/(injector|dropper)\.exe$/ | malware_family := "Generic Dropper";
        * | malware_family := "Commodity Malware Binary"
      };
    // Branch 1b: process creation — framework string in the command line, excluding browser/IDE parents
    #event_simpleName=/^(ProcessRollup2|SyntheticProcessRollupV2)$/
    CommandLine_lower=/(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)/
    !ParentBaseFileName_lower=/(chrome|msedge|firefox|code|devenv|notepad)\.exe$/
    | detection_branch := "ProcessExecution"
    | case {
        CommandLine_lower=/njrat/ | malware_family := "njRAT";
        CommandLine_lower=/quasar/ | malware_family := "QuasarRAT";
        CommandLine_lower=/asyncrat/ | malware_family := "AsyncRAT";
        CommandLine_lower=/nanocore/ | malware_family := "NanoCore";
        CommandLine_lower=/remcos/ | malware_family := "Remcos";
        CommandLine_lower=/azorult/ | malware_family := "Azorult";
        CommandLine_lower=/meterpreter/ | malware_family := "Meterpreter";
        CommandLine_lower=/cobalt/ | malware_family := "Cobalt Strike";
        CommandLine_lower=/agent.?tesla/ | malware_family := "Agent Tesla";
        CommandLine_lower=/lokibot/ | malware_family := "LokiBot";
        CommandLine_lower=/formbook/ | malware_family := "FormBook";
        CommandLine_lower=/redlinestealer/ | malware_family := "RedLine Stealer";
        * | malware_family := "Commodity Malware Command"
      };
    // Branch 2: LOLBin initiating an outbound connection to a known commodity C2 / RAT listener port
    // on a public address. Raw NetworkConnectIP4 events carry ContextProcessId rather than a process
    // name, so this branch assumes ImageFileName has been enriched onto the event from ProcessRollup2.
    #event_simpleName=NetworkConnectIP4
    in(field="RemotePort", values=["4444", "1234", "9999", "31337", "50050", "8888", "6666", "5555", "7777"])
    !cidr(field="RemoteAddressIP4", subnet=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"])
    ImageFileName_lower=/(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$/
    | detection_branch := "C2NetworkPattern"
    | case {
        RemotePort=50050 | malware_family := "Cobalt Strike (Teamserver default port)";
        RemotePort=4444 | malware_family := "Metasploit default listener";
        RemotePort=31337 | malware_family := "Back Orifice / Elite Backdoor";
        * | malware_family := "Unknown Commodity C2"
      }
  }
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, RemoteAddressIP4, RemotePort, malware_family, detection_branch])
| sort(@timestamp, order=desc, limit=500)
Severity: high. Confidence: medium.

CrowdStrike Falcon LogScale (CQL) detection combining two query branches: (1) ProcessRollup2 and SyntheticProcessRollupV2 events whose image name matches a known commodity RAT binary, or whose command line contains a malware framework string and whose parent is not a browser or IDE, with case-based malware family attribution; (2) NetworkConnectIP4 events from LOLBin processes connecting to known commodity C2 and RAT listener ports on public (non-RFC 1918, non-loopback) IPs. Both branches output normalised fields including the detection branch and the attributed malware family.

Data Sources

CrowdStrike Falcon sensor telemetry (ProcessRollup2, SyntheticProcessRollupV2, NetworkConnectIP4)
Falcon Event Stream

Required Tables

ProcessRollup2, SyntheticProcessRollupV2, NetworkConnectIP4

False Positives & Tuning

  • Authorised red team use of licensed Cobalt Strike, Metasploit, or Sliver C2 will generate ProcessRollup2 matches for payload binary names and NetworkConnectIP4 matches on default listener ports — maintain an exclusion reference list of authorised red team ComputerName values
  • Falcon's own prevention engine or third-party EDR/AV tools may generate synthetic ProcessRollup2 events for quarantined or analysed malware samples, potentially matching binary name patterns — verify against Falcon Prevention Policy exclusion logs
  • Industrial control system (ICS) or network management tools that communicate on ports such as 4444, 8888, or 9999 and run as svchost-hosted services may match the C2 network port branch — build a Falcon custom IOA exclusion for known management server destination IPs


Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate njRAT/QuasarRAT Binary Name Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.

  2. Test 2: Beacon-Pattern Network Connection to Non-Standard Port

    Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless.

  3. Test 3: Infostealer Credential Target Access Simulation

    Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.

  4. Test 4: Cobalt Strike Default C2 Port Connection Attempt

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. DNS query may be logged if name resolution was attempted.

  5. Test 5: Commodity Malware Dynamic DNS Resolution

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
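The following Python is an added example, not code from the original page or from CrowdStrike. It re-implements the two branches of the LogScale rule described above (binary-name match, command-line match with browser/IDE parent exclusion, and the LOLBin-to-C2-port network branch) over constructed Falcon-shaped events, adds the authorised red team ComputerName exclusion from the False Positives & Tuning list, and feeds it events modelled on Tests 1 and 2 of the testing methodology so the expected results can be checked offline. The regexes and port list are copied from the rule; the field names follow the Falcon sensor schema (RemoteAddressIP4 for the remote IP); the `label` key, host names and sample values are constructed for this example, and the network branch assumes ImageFileName has been enriched onto the NetworkConnectIP4 event.

```python
import ipaddress
import re

# Regexes copied from the rule's branches (binary name, command-line string, benign parents, LOLBins).
BINARY_NAME_RE = re.compile(
    r"(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$")
BINARY_FAMILIES = [
    (re.compile(r"(beacon|beacon32|beacon64)\.exe$"), "Cobalt Strike Beacon"),
    (re.compile(r"njrat\.exe$"), "njRAT"),
    (re.compile(r"(stager|stager32|stager64)\.exe$"), "Generic Stager"),
    (re.compile(r"(injector|dropper)\.exe$"), "Generic Dropper"),
]
CMDLINE_RE = re.compile(r"(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter"
                        r"|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)")
CMDLINE_FAMILIES = [(re.compile(p), f) for p, f in (
    ("njrat", "njRAT"), ("quasar", "QuasarRAT"), ("asyncrat", "AsyncRAT"), ("nanocore", "NanoCore"),
    ("remcos", "Remcos"), ("azorult", "Azorult"), ("meterpreter", "Meterpreter"),
    ("cobalt", "Cobalt Strike"), ("agent.?tesla", "Agent Tesla"), ("lokibot", "LokiBot"),
    ("formbook", "FormBook"), ("redlinestealer", "RedLine Stealer"))]
BENIGN_PARENT_RE = re.compile(r"(chrome|msedge|firefox|code|devenv|notepad)\.exe$")
LOLBIN_RE = re.compile(
    r"(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$")
C2_PORTS = {4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777}
PORT_FAMILIES = {50050: "Cobalt Strike (Teamserver default port)",
                 4444: "Metasploit default listener", 31337: "Back Orifice / Elite Backdoor"}
PRIVATE_NETS = [ipaddress.ip_network(n) for n in  # ranges the network branch excludes
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def _family(table, value, default):
    """First matching family label, else the branch's catch-all label (the rule's case default)."""
    for rx, fam in table:
        if rx.search(value):
            return fam
    return default


def classify(event, authorised_hosts=frozenset()):
    """Return (detection_branch, malware_family) for an event the rule would surface, else None."""
    if event.get("ComputerName") in authorised_hosts:  # tuning: authorised red team hosts
        return None
    kind = event["event_simpleName"]
    image = event.get("ImageFileName", "").lower()
    if kind in ("ProcessRollup2", "SyntheticProcessRollupV2"):
        cmd = event.get("CommandLine", "").lower()
        parent = event.get("ParentBaseFileName", "").lower()
        if BINARY_NAME_RE.search(image):
            return "ProcessExecution", _family(BINARY_FAMILIES, image, "Commodity Malware Binary")
        if CMDLINE_RE.search(cmd) and not BENIGN_PARENT_RE.search(parent):
            return "ProcessExecution", _family(CMDLINE_FAMILIES, cmd, "Commodity Malware Command")
    if kind == "NetworkConnectIP4":
        port = int(event["RemotePort"])  # Falcon carries ports as strings
        remote = ipaddress.ip_address(event["RemoteAddressIP4"])
        if (port in C2_PORTS and not any(remote in net for net in PRIVATE_NETS)
                and LOLBIN_RE.search(image)):
            return "C2NetworkPattern", PORT_FAMILIES.get(port, "Unknown Commodity C2")
    return None


def run(events, authorised_hosts=frozenset()):
    """Apply the rule to a list of events; returns (label, branch, family) per hit, in input order."""
    hits = []
    for ev in events:
        result = classify(ev, authorised_hosts)
        if result:
            hits.append((ev["label"], result[0], result[1]))
    return hits


# Constructed sample events (not real telemetry). 'label' is an example-only tag; the other keys
# mimic Falcon field names. The first two events reproduce Tests 1 and 2 above.
SYS32 = r"\Device\HarddiskVolume2\Windows\System32"
SAMPLE_EVENTS = [
    {"label": "t1-njrat", "event_simpleName": "ProcessRollup2", "ComputerName": "LAB-WS01",
     "ImageFileName": r"\Device\HarddiskVolume2\Users\lab\njrat.exe", "CommandLine": "njrat.exe /all",
     "ParentBaseFileName": "cmd.exe"},
    {"label": "t2-ps-4444", "event_simpleName": "NetworkConnectIP4", "ComputerName": "LAB-WS01",
     "ImageFileName": SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
     "RemoteAddressIP4": "192.0.2.1", "RemotePort": "4444"},
    {"label": "rundll32-50050", "event_simpleName": "NetworkConnectIP4", "ComputerName": "LAB-WS01",
     "ImageFileName": SYS32 + r"\rundll32.exe", "RemoteAddressIP4": "198.51.100.1", "RemotePort": "50050"},
    {"label": "browser-parent", "event_simpleName": "ProcessRollup2", "ComputerName": "LAB-WS01",
     "ImageFileName": r"\Device\HarddiskVolume2\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe --type=renderer --url=https://example.invalid/meterpreter-writeup",
     "ParentBaseFileName": "chrome.exe"},
    {"label": "redteam-beacon", "event_simpleName": "ProcessRollup2", "ComputerName": "REDTEAM-OPS01",
     "ImageFileName": r"\Device\HarddiskVolume2\ops\beacon64.exe", "CommandLine": "beacon64.exe",
     "ParentBaseFileName": "explorer.exe"},
    {"label": "svchost-internal", "event_simpleName": "NetworkConnectIP4", "ComputerName": "LAB-WS01",
     "ImageFileName": SYS32 + r"\svchost.exe", "RemoteAddressIP4": "10.1.2.3", "RemotePort": "4444"},
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))
    print("with red team exclusion:", run(SAMPLE_EVENTS, frozenset({"REDTEAM-OPS01"})))
```

Running it surfaces three hits (the njrat.exe process, rundll32.exe to port 50050, and the beacon64.exe process), and two once REDTEAM-OPS01 is on the exclusion list. The powershell.exe connection from Test 2 produces no hit because powershell.exe is not in the rule's LOLBin list; Test 4 behaves the same way, and Tests 3 and 5 exercise credential file access and DNS queries, which neither branch of this rule inspects. When validating against the five tests, expect Test 1 to be the only one this rule alerts on unless the network branch's process list is widened.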
