T1588.001 Microsoft Sentinel · KQL

Detect Malware in Microsoft Sentinel

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.001 Malware
Canonical reference
https://attack.mitre.org/techniques/T1588/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto
// T1588.001 — Acquired Malware Detection
// Detection pivots to observable indicators of commodity/acquired malware in use within the environment,
// since the acquisition itself occurs externally. Covers security alerts, behavioral process patterns,
// C2 network signatures, and file artifacts consistent with known commodity malware families.
let KnownMalwareFamilies = dynamic([
    "cobalt strike", "cobaltstrike", "cobalt_strike",
    "njrat", "nj rat", "njw0rm",
    "azorult", "a-zorult", "azor",
    "redline", "redlinestealer", "red line",
    "quasar", "quasarrat",
    "asyncrat", "async rat",
    "nanocore", "nano core",
    "remcos", "remcosrat",
    "darkcomet", "dark comet",
    "lokibot", "loki bot",
    "formbook", "form book",
    "agent tesla", "agentTesla",
    "meterpreter", "metasploit",
    "emotet", "trickbot", "icedid",
    "blackcat", "alphv", "lockbit"
]);
let SuspiciousLOLBinC2Ports = dynamic([4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777]);
// Branch 1: Microsoft Defender / Sentinel security alerts matching known commodity malware families
let Branch1_MalwareAlerts = SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity in ("High", "Medium")
| where AlertName has_any (KnownMalwareFamilies)
    or Description has_any (KnownMalwareFamilies)
    or Entities has_any (KnownMalwareFamilies)
| extend MalwareFamily = case(
    AlertName has_any ("cobalt", "cobaltstrike") or Description has_any ("cobalt", "cobaltstrike"), "Cobalt Strike",  // has matches whole terms, so "CobaltStrike" needs its own entry
    AlertName has "njrat" or Description has "njrat", "njRAT",
    AlertName has "azorult" or Description has "azorult", "Azorult",
    AlertName has "redline" or Description has "redline", "RedLine Stealer",
    AlertName has "quasar" or Description has "quasar", "QuasarRAT",
    AlertName has "asyncrat" or Description has "asyncrat", "AsyncRAT",
    AlertName has "nanocore" or Description has "nanocore", "NanoCore",
    AlertName has "remcos" or Description has "remcos", "Remcos",
    AlertName has "lokibot" or Description has "lokibot", "LokiBot",
    AlertName has "formbook" or Description has "formbook", "FormBook",
    AlertName has "agent tesla" or Description has "agent tesla", "Agent Tesla",
    AlertName has "meterpreter" or Description has "meterpreter", "Meterpreter",
    "Unknown Commodity Malware"
)
| extend DetectionBranch = "SecurityAlert"
| project TimeGenerated, DeviceName=CompromisedEntity, DetectionBranch, MalwareFamily,
          AlertName, Severity=AlertSeverity, Details=Description, SystemAlertId;
// Branch 2: Process creation matching known commodity RAT binary name patterns
// Covers cases where adversaries use default or slightly modified binary names.
// Note: has/has_any match whole terms only, so a prefix such as "cobaltstr" never matches
// the term "cobaltstrike"; both "cobalt" and "cobaltstrike" are listed instead.
let Branch2_ProcessPatterns = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("beacon.exe", "beacon32.exe", "beacon64.exe",
                       "stager.exe", "stager32.exe", "stager64.exe",
                       "injector.exe", "loader.exe", "dropper.exe",
                       "njrat.exe", "client.exe", "rat.exe")
    or (ProcessCommandLine has_any ("njrat", "quasar", "asyncrat", "nanocore", "remcos",
                                     "azorult", "meterpreter", "cobalt", "cobaltstrike")
        and not (InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe",
                                                  "code.exe", "devenv.exe", "notepad.exe")))
| extend MalwareFamily = case(
    FileName has "beacon" or ProcessCommandLine has_any ("cobalt", "cobaltstrike"), "Cobalt Strike",
    ProcessCommandLine has "njrat", "njRAT",
    ProcessCommandLine has "quasar", "QuasarRAT",
    ProcessCommandLine has "asyncrat", "AsyncRAT",
    ProcessCommandLine has "nanocore", "NanoCore",
    ProcessCommandLine has "remcos", "Remcos",
    ProcessCommandLine has "meterpreter", "Meterpreter",
    "Commodity Malware Binary"
)
| extend DetectionBranch = "ProcessExecution"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName=strcat("Commodity malware binary: ", FileName),
          Severity="High",
          Details=ProcessCommandLine,
          SystemAlertId=tostring(ProcessId);
// Branch 3: LOLBins and script hosts initiating connections to known commodity C2 ports
// 4444 is the Metasploit default and 31337 the Back Orifice default. 50050 is the Cobalt Strike
// team server's client port (operator console -> team server), not a beacon listener, so an
// endpoint connecting to it points to an operator console on that host rather than a beacon.
// No ActionType filter is applied, so failed attempts (ActionType == "ConnectionFailed") to
// unreachable or blocked addresses match as well.
let Branch3_C2Ports = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (SuspiciousLOLBinC2Ports)
    and RemoteIPType == "Public"
| where InitiatingProcessFileName in~ (
    "rundll32.exe", "regsvr32.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe",
    "odbcconf.exe", "certutil.exe", "bitsadmin.exe",
    "explorer.exe", "svchost.exe",
    "powershell.exe", "pwsh.exe"   // script hosts used by the Atomic tests under Testing Methodology
)
| extend MalwareFamily = case(
    RemotePort == 50050, "Cobalt Strike (team server client port)",
    RemotePort == 4444, "Metasploit/Generic RAT",
    RemotePort == 31337, "Back Orifice/Elite Backdoor",
    "Unknown Commodity C2"
)
| extend DetectionBranch = "C2NetworkPattern"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName="LOLBin C2 port connection — possible commodity malware beacon",
          Severity="High",
          Details=strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort)),
          SystemAlertId=tostring(RemotePort);
// Branch 4: Malware-associated file extensions dropped in suspicious locations
let Branch4_FileArtifacts = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FolderPath has_any (@"\AppData\Roaming", @"\AppData\Local\Temp", @"\ProgramData",
                              @"\Windows\Temp", @"\Users\Public")
    // has_any treats "." as a delimiter, so has_any (".bin") would match the term "bin"
    // anywhere in the name; match the extension explicitly instead
    and (FileName endswith ".bin" or FileName endswith ".dat" or FileName endswith ".tmp")
    and FileSize > 102400  // >100 KB; filters tiny files
| where InitiatingProcessFileName in~ (
    "powershell.exe", "pwsh.exe", "cmd.exe",
    "mshta.exe", "wscript.exe", "cscript.exe",
    "rundll32.exe", "regsvr32.exe"
)
| extend MalwareFamily = "Payload Drop — Commodity Malware Staging"
| extend DetectionBranch = "StagingFileArtifact"
| project TimeGenerated=Timestamp, DeviceName, DetectionBranch, MalwareFamily,
          AlertName="Suspicious binary dropped to staging location by script interpreter",
          Severity="Medium",
          Details=strcat(InitiatingProcessFileName, " created ", FolderPath, "\\", FileName, " (", tostring(FileSize), " bytes)"),
          SystemAlertId=SHA256;
// Union all detection branches
union Branch1_MalwareAlerts, Branch2_ProcessPatterns, Branch3_C2Ports, Branch4_FileArtifacts
| sort by TimeGenerated desc
Severity: High · Confidence: Medium

Multi-branch detection for MITRE ATT&CK T1588.001 (Obtain Capabilities: Malware). Since malware acquisition occurs outside the victim environment, detection pivots to four observable indicators of acquired malware in use: (1) Microsoft Defender/Sentinel security alerts of High or Medium severity whose name, description or entities mention a known commodity malware family such as Cobalt Strike, njRAT, Azorult, RedLine, QuasarRAT or AsyncRAT; (2) process creation events matching known commodity RAT binary names or command-line strings, excluding children of browsers and editors; (3) LOLBins and script hosts making outbound connections to public addresses on known commodity C2 ports (Metasploit 4444, Back Orifice 31337, and 50050, the Cobalt Strike team server's client port, which on an endpoint indicates an operator console rather than a beacon); (4) script interpreters dropping .bin, .dat or .tmp files larger than 100 KB to staging locations. The ATT&CK entry lists LuminousMoth, TA2541, LAPSUS$, Aquatic Panda and Scattered Spider among the groups documented acquiring and deploying commodity malware.

Data Sources

  • Alert: Security Alert
  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • File: File Creation
  • Microsoft Defender for Endpoint
  • Microsoft Sentinel

Required Tables

  • SecurityAlert
  • DeviceProcessEvents
  • DeviceNetworkEvents
  • DeviceFileEvents

False Positives & Tuning

  • Security researchers and red team operators running authorized commodity tooling (Cobalt Strike, Metasploit) on lab or pentest endpoints — these should have change tickets and known source IPs
  • Legitimate software using port 4444 or other common RAT ports for non-malicious purposes (some development tools, database management suites, IoT platforms)
  • Defender alerts whose title or description names a malware family for a file that was already blocked or quarantined; Branch 1 filters on severity only, not on alert status, so remediated detections still surface and need the alert status checked during triage
  • Automated malware analysis sandbox submissions where known samples are run in controlled environments for detection engineering or threat intel purposes
  • Binary packing and protection tools (Themida, VMProtect) used legitimately by software vendors can trigger Defender heuristics that name a commodity packer or family in the alert, surfacing through Branch 1
  • Software deployment scripts (SCCM, Intune, Ansible) dropping .bin or .dat files to temp locations via cmd.exe or PowerShell may trigger Branch 4

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Test 1 exercises Branch 2 directly; Tests 2 and 4 reach Branch 3 only if the initiating process (powershell.exe in these tests) is in Branch 3's process list. Tests 3 and 5 (credential file access, dynamic DNS resolution) match none of the four branches on their own and surface only if Defender raises a High or Medium alert that Branch 1 picks up.

  1. Test 1: Simulate njRAT/QuasarRAT Binary Name Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.

  2. Test 2: Beacon-Pattern Network Connection to Non-Standard Port

    Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless; Defender for Endpoint records the attempts in DeviceNetworkEvents with ActionType ConnectionFailed, which Branch 3 does not filter out.

  3. Test 3: Infostealer Credential Target Access Simulation

    Expected signal: Sysmon Event ID 11 (FileCreate) if the script copies the Login Data database to a new location; a plain read is visible only through Windows object access auditing (Event ID 4663 with a SACL on the file). Chrome holds a lock on Login Data while it is running, so a direct read fails and the stealer pattern copies the file first. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.

  4. Test 4: Cobalt Strike Default C2 Port Connection Attempt

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. No DNS query is expected because the target is an IP literal.

  5. Test 5: Commodity Malware Dynamic DNS Resolution

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
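The branch logic and the test expectations can be checked offline before the query is deployed. The following Python model is an added example, not part of the original page or the Sentinel query: it re-implements the four branches over constructed telemetry dicts shaped like the Sentinel tables (a `table` key names the source), approximates KQL's whole-term `has` semantics, models the red-team host exclusion from the tuning section as an allowlist, and feeds it one record per Atomic test above plus benign noise. The records, host names and the `kql_has` approximation are assumptions for illustration; the family terms, ports, process lists and thresholds are the query's own.

```python
import re
from typing import Iterable, Optional

# Family terms from the Sentinel query; matched whole-term and case-insensitively like KQL `has`.
FAMILY_LABELS = {
    "cobalt": "Cobalt Strike", "cobaltstrike": "Cobalt Strike", "beacon": "Cobalt Strike",
    "njrat": "njRAT", "quasar": "QuasarRAT", "asyncrat": "AsyncRAT", "nanocore": "NanoCore",
    "remcos": "Remcos", "azorult": "Azorult", "meterpreter": "Meterpreter",
    "redline": "RedLine Stealer", "lokibot": "LokiBot", "formbook": "FormBook", "emotet": "Emotet",
}
RAT_BINARY_NAMES = {"beacon.exe", "beacon32.exe", "beacon64.exe", "stager.exe", "stager32.exe",
                    "stager64.exe", "injector.exe", "loader.exe", "dropper.exe", "njrat.exe",
                    "client.exe", "rat.exe"}
BENIGN_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe", "devenv.exe", "notepad.exe"}
C2_PORTS = {4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777}
C2_PORT_LABELS = {50050: "Cobalt Strike (team server client port)",
                  4444: "Metasploit/Generic RAT", 31337: "Back Orifice/Elite Backdoor"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "msiexec.exe",
           "odbcconf.exe", "certutil.exe", "bitsadmin.exe", "explorer.exe", "svchost.exe",
           "powershell.exe", "pwsh.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe"}
STAGING_DIRS = ("\\appdata\\roaming", "\\appdata\\local\\temp", "\\programdata",
                "\\windows\\temp", "\\users\\public")
STAGING_EXTS = (".bin", ".dat", ".tmp")
MIN_STAGED_SIZE = 102400


def kql_has(text: str, term: str) -> bool:
    """Approximation of KQL `has`: a term is a run of letters/digits and anything else delimits,
    so has("CobaltStrike", "cobalt") is False while has("Cobalt Strike", "cobalt") is True."""
    pattern = r"(?<![a-z0-9])" + re.escape(term.lower()) + r"(?![a-z0-9])"
    return re.search(pattern, text.lower()) is not None


def family_of(*fields: str) -> Optional[str]:
    """Label of the first family whose term appears as a whole term in any given field."""
    for term, label in FAMILY_LABELS.items():
        if any(kql_has(f, term) for f in fields if f):
            return label
    return None


def evaluate(events: Iterable[dict], allowlisted_hosts: frozenset = frozenset()) -> list:
    """Apply the four branches. Hosts in allowlisted_hosts (lower-case) model the
    authorized red-team exclusion from the tuning guidance."""
    findings = []
    for e in events:
        if e.get("DeviceName", "").lower() in allowlisted_hosts:
            continue
        parent = e.get("InitiatingProcessFileName", "").lower()
        table, family = e["table"], None
        if table == "SecurityAlert" and e.get("AlertSeverity") in ("High", "Medium"):
            family = family_of(e.get("AlertName", ""), e.get("Description", ""))
            branch = "SecurityAlert" if family else None
        elif table == "DeviceProcessEvents":
            name = e.get("FileName", "").lower()
            family = family_of(name, e.get("ProcessCommandLine", ""))
            hit = name in RAT_BINARY_NAMES or (family and parent not in BENIGN_PARENTS)
            branch, family = ("ProcessExecution" if hit else None), family or "Commodity Malware Binary"
        elif table == "DeviceNetworkEvents":
            port = e.get("RemotePort")  # no ActionType filter: ConnectionFailed attempts count too
            hit = port in C2_PORTS and e.get("RemoteIPType") == "Public" and parent in LOLBINS
            branch, family = ("C2NetworkPattern" if hit else None), C2_PORT_LABELS.get(port, "Unknown Commodity C2")
        elif table == "DeviceFileEvents":
            folder, fname = e.get("FolderPath", "").lower(), e.get("FileName", "").lower()
            hit = (e.get("ActionType") == "FileCreated" and any(d in folder for d in STAGING_DIRS)
                   and fname.endswith(STAGING_EXTS) and e.get("FileSize", 0) > MIN_STAGED_SIZE
                   and parent in INTERPRETERS)
            branch, family = ("StagingFileArtifact" if hit else None), "Payload Drop"
        else:
            branch = None
        if branch:
            findings.append({"device": e.get("DeviceName"), "branch": branch, "family": family})
    return findings


# Constructed telemetry (not captured data): one record per Atomic test above, plus benign
# noise and an authorized red-team host, to show which branch each record reaches.
SAMPLE_TELEMETRY = [
    {"table": "DeviceProcessEvents", "DeviceName": "WS01", "FileName": "njrat.exe",          # Test 1
     "ProcessCommandLine": "njrat.exe /all", "InitiatingProcessFileName": "cmd.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "WS01", "RemotePort": 4444,                # Test 2
     "RemoteIP": "192.0.2.1", "RemoteIPType": "Public", "ActionType": "ConnectionFailed",
     "InitiatingProcessFileName": "powershell.exe"},
    {"table": "DeviceProcessEvents", "DeviceName": "WS01", "FileName": "powershell.exe",      # Test 3
     "ProcessCommandLine": "powershell.exe -c Get-Content 'Chrome\\User Data\\Default\\Login Data'",
     "InitiatingProcessFileName": "cmd.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "WS01", "RemotePort": 50050,               # Test 4
     "RemoteIP": "198.51.100.1", "RemoteIPType": "Public", "ActionType": "ConnectionFailed",
     "InitiatingProcessFileName": "powershell.exe"},
    {"table": "DeviceNetworkEvents", "DeviceName": "WS01", "RemotePort": 53,                  # Test 5
     "RemoteIP": "10.0.0.53", "RemoteIPType": "Private", "InitiatingProcessFileName": "powershell.exe"},
    {"table": "SecurityAlert", "DeviceName": "WS02", "AlertSeverity": "High",
     "AlertName": "'CobaltStrike' malware was blocked", "Description": "Defender blocked the file."},
    {"table": "SecurityAlert", "DeviceName": "WS02", "AlertSeverity": "Informational",
     "AlertName": "Emotet IOC seen in telemetry", "Description": ""},
    {"table": "DeviceProcessEvents", "DeviceName": "WS03", "FileName": "chrome.exe",           # benign
     "ProcessCommandLine": "chrome.exe --type=renderer https://github.com/quasar/QuasarRAT",
     "InitiatingProcessFileName": "chrome.exe"},
    {"table": "DeviceFileEvents", "DeviceName": "WS03", "ActionType": "FileCreated",
     "FolderPath": "C:\\Users\\Public", "FileName": "payload.bin", "FileSize": 204800,
     "InitiatingProcessFileName": "powershell.exe"},
    {"table": "DeviceProcessEvents", "DeviceName": "RT-LAB01", "FileName": "beacon.exe",       # red team
     "ProcessCommandLine": "beacon.exe", "InitiatingProcessFileName": "cmd.exe"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_TELEMETRY, allowlisted_hosts=frozenset({"rt-lab01"})):
        print(finding)
```

Run against the sample set with RT-LAB01 allowlisted, the model returns five findings: Tests 1, 2 and 4, the High alert that names CobaltStrike as a single term, and the .bin drop to C:\Users\Public. Test 3, Test 5, the Informational Emotet alert and the browser renderer whose URL mentions quasar produce nothing, which is exactly the coverage the five tests should be expected to have; dropping the allowlist adds the red-team beacon.exe as a sixth finding.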
