T1588.001 Splunk · SPL

Detect Malware in Splunk

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.001 Malware
Canonical reference
https://attack.mitre.org/techniques/T1588/001/

SPL Detection Query

Splunk (SPL)
| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  | eval detection_branch="ProcessExecution"
  | eval image_lower=lower(Image)
  | eval cmdline_lower=lower(CommandLine)
  | eval malware_family=case(
      match(image_lower, "(beacon|beacon32|beacon64)\.exe"), "Cobalt Strike Beacon",
      match(image_lower, "(stager|stager32|stager64|injector|dropper)\.exe"), "Generic Stager/Dropper",
      match(image_lower, "njrat\.exe") OR match(cmdline_lower, "njrat"), "njRAT",
      match(cmdline_lower, "(quasar|quasarrat)"), "QuasarRAT",
      match(cmdline_lower, "(asyncrat|async rat)"), "AsyncRAT",
      match(cmdline_lower, "(nanocore|nano core)"), "NanoCore",
      match(cmdline_lower, "remcos"), "Remcos",
      match(cmdline_lower, "(azorult|a-zorult)"), "Azorult",
      match(cmdline_lower, "meterpreter"), "Meterpreter",
      match(cmdline_lower, "(cobaltstr|cobalt strike)"), "Cobalt Strike",
      true(), null()
  )
  | where isnotnull(malware_family)
  | eval severity="high"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  | eval detection_branch="C2NetworkPattern"
  | eval image_lower=lower(Image)
  | where (DestinationPort IN ("4444","31337","50050","9999","8888","6666","5555","7777","1234"))
      AND NOT match(DestinationIp, "^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.)")
      AND (match(image_lower, "(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe"))
  | eval malware_family=case(
      DestinationPort="50050", "Cobalt Strike (Teamserver default port)",
      DestinationPort="4444", "Metasploit default listener",
      DestinationPort="31337", "Back Orifice/Elite Backdoor",
      true(), "Unknown Commodity C2"
  )
  | eval severity="high"
  | table _time, host, User, Image, CommandLine, DestinationIp, DestinationPort, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  | eval detection_branch="StagingFileArtifact"
  | eval target_lower=lower(TargetFilename)
  | eval image_lower=lower(Image)
  | where match(image_lower, "(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe")
      AND (match(target_lower, "\\\\appdata\\\\roaming\\\\") OR match(target_lower, "\\\\appdata\\\\local\\\\temp\\\\") OR
           match(target_lower, "\\\\programdata\\\\") OR match(target_lower, "\\\\windows\\\\temp\\\\") OR
           match(target_lower, "\\\\users\\\\public\\\\"))
      AND match(target_lower, "\.(bin|dat|tmp)$")
  | eval malware_family="Commodity Malware Staging — binary payload drop"
  | eval severity="medium"
  | table _time, host, User, Image, CommandLine, TargetFilename, malware_family, severity, detection_branch
]
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4688
  | eval detection_branch="ProcessExecutionSecurity"
  | eval image_lower=lower(New_Process_Name)
  | eval malware_family=case(
      match(image_lower, "(beacon|beacon32|beacon64)\.exe"), "Cobalt Strike Beacon",
      match(image_lower, "(stager|injector|dropper)\.exe"), "Generic Stager/Dropper",
      match(image_lower, "njrat\.exe"), "njRAT",
      true(), null()
  )
  | where isnotnull(malware_family)
  | eval severity="high"
  | rename New_Process_Name AS Image, Process_Command_Line AS CommandLine, Creator_Process_Name AS ParentImage, Subject_Account_Name AS User
  | table _time, host, User, Image, CommandLine, ParentImage, malware_family, severity, detection_branch
]
| sort - _time
| rename host AS device, _time AS event_time
| table event_time, device, User, Image, CommandLine, DestinationIp, DestinationPort, TargetFilename, malware_family, severity, detection_branch
Severity: high · Confidence: medium

Multi-branch SPL detection for T1588.001 (Acquired Malware) across Sysmon and Windows Security event logs. Branch 1 (Sysmon EventCode=1): Process creation events where the image name or command line matches known commodity malware families including Cobalt Strike beacon binaries, njRAT, QuasarRAT, AsyncRAT, NanoCore, Remcos, Azorult, and Meterpreter. Branch 2 (Sysmon EventCode=3): Network connection events where LOLBin/interpreter processes connect to external IPs on known commodity C2 ports (50050 Cobalt Strike, 4444 Metasploit, 31337 Back Orifice). Branch 3 (Sysmon EventCode=11): File creation events where script interpreters drop binary payload files to common staging directories. Branch 4 (Security EventCode=4688): Fallback process creation detection using Windows Security logs for environments without Sysmon.
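The branch 1 (process) and branch 2 (network) logic of the query above, re-implemented in Python as an added example that is not part of the original page or the SPL, so the family patterns and the internal-address exclusion can be checked offline before the query is deployed. The sample events and IP addresses are constructed; the example assumes the whole 172.16.0.0/12 range counts as internal.

```python
import re
import ipaddress
# Branch 1 patterns mirrored from the SPL: image-name checks first, then command line.
IMAGE_FAMILIES = [(r"(beacon|beacon32|beacon64)\.exe", "Cobalt Strike Beacon"),
                  (r"(stager|stager32|stager64|injector|dropper)\.exe", "Generic Stager/Dropper"),
                  (r"njrat\.exe", "njRAT")]
CMDLINE_FAMILIES = [(r"njrat", "njRAT"), (r"(quasar|quasarrat)", "QuasarRAT"),
                    (r"(asyncrat|async rat)", "AsyncRAT"), (r"(nanocore|nano core)", "NanoCore"),
                    (r"remcos", "Remcos"), (r"(azorult|a-zorult)", "Azorult"),
                    (r"meterpreter", "Meterpreter"), (r"(cobaltstr|cobalt strike)", "Cobalt Strike")]
# Branch 2: watched ports, named C2 defaults, LOLBin/interpreter images, and the only
# destination ranges treated as internal (RFC 1918 plus loopback; assumption: full /12 for 172.16).
WATCHED_PORTS = {"4444", "31337", "50050", "9999", "8888", "6666", "5555", "7777", "1234"}
C2_PORT_NAMES = {"50050": "Cobalt Strike (Teamserver default port)",
                 "4444": "Metasploit default listener", "31337": "Back Orifice/Elite Backdoor"}
LOLBIN_RE = re.compile(r"(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|"
                       r"certutil|bitsadmin|explorer|svchost)\.exe")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify_process(image, cmdline):
    """Branch 1 (Sysmon EventCode=1): family name, or None when nothing matches."""
    image, cmdline = image.lower(), cmdline.lower()
    for pattern, family in IMAGE_FAMILIES:
        if re.search(pattern, image):
            return family
    for pattern, family in CMDLINE_FAMILIES:
        if re.search(pattern, cmdline):
            return family
    return None

def classify_network(image, dst_ip, dst_port):
    """Branch 2 (Sysmon EventCode=3): C2 label, or None when the event is out of scope."""
    if str(dst_port) not in WATCHED_PORTS or not LOLBIN_RE.search(image.lower()):
        return None
    if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
        return None  # internal destination, excluded like the SPL NOT clause
    return C2_PORT_NAMES.get(str(dst_port), "Unknown Commodity C2")

# Constructed sample records (not real telemetry); one tuple per Sysmon event.
SAMPLE_EVENTS = [
    (1, r"C:\Users\bob\AppData\Local\Temp\beacon64.exe", "beacon64.exe"),
    (1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (3, r"C:\Windows\System32\rundll32.exe", "192.0.2.1", "4444"),
    (3, r"C:\Windows\System32\rundll32.exe", "172.20.1.5", "4444"),
]

def run_samples(events=SAMPLE_EVENTS):  # branch result per event, None means no alert
    return [classify_process(*ev[1:]) if ev[0] == 1 else classify_network(*ev[1:]) for ev in events]
```

The fourth sample shows why the internal exclusion must cover the full 172.16.0.0/12: a connection to 172.20.1.5 on port 4444 is suppressed here, whereas a pattern matching only 172.16.* would alert on it.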

Data Sources

  • Process: Process Creation
  • Network Traffic: Network Connection Creation
  • File: File Creation
  • Sysmon Event ID 1
  • Sysmon Event ID 3
  • Sysmon Event ID 11
  • Windows Security Event ID 4688

Required Sourcetypes

  • XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
  • WinEventLog:Security

False Positives & Tuning

  • Security researchers and authorized red team operators running commodity offensive tooling (Cobalt Strike, Metasploit) in lab environments
  • Port 4444 used by legitimate development tools or database management interfaces that happen to listen on this port
  • Software deployment automation dropping compiled .bin or .dat configuration files to temp directories via PowerShell or cmd.exe
  • Threat hunting or incident response tools that include malware family strings in their binary names or command-line arguments for analysis purposes
  • Managed security service provider (MSSP) tooling that uses Cobalt Strike under license for authorized assessments — will generate noise if the MSSP endpoint is monitored by this detection

Testing Methodology

Validate this detection against the 5 Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Simulate njRAT/QuasarRAT Binary Name Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing is enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.

  2. Test 2: Beacon-Pattern Network Connection to Non-Standard Port

    Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 at ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is in the RFC 5737 documentation range) but process and network events fire regardless.

  3. Test 3: Infostealer Credential Target Access Simulation

    Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.

  4. Test 4: Cobalt Strike Default C2 Port Connection Attempt

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. A DNS query may be logged if name resolution was attempted.

  5. Test 5: Commodity Malware Dynamic DNS Resolution

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection logs may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
