T1588.001 Sumo Logic CSE · Sumo

Detect Malware in Sumo Logic CSE

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.001 Malware
Canonical reference
https://attack.mitre.org/techniques/T1588/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _index=sec_record*)
| where %"metadata.deviceEventId" in ("1", "3", "11", "4688")
| eval image_lower = toLowerCase(%"fields.Image")
| eval cmdline_lower = toLowerCase(%"fields.CommandLine")
| eval target_lower = toLowerCase(%"fields.TargetFilename")
| eval dst_port = toLong(%"fields.DestinationPort")
// Branch 1: Process execution — commodity malware binary names or command-line patterns
| eval proc_match = if(
    %"metadata.deviceEventId" in ("1", "4688") and (
      matches(image_lower, "(?i)(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\\.exe$")
      or (
        matches(cmdline_lower, "(?i)(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)")
        and not matches(image_lower, "(?i)(chrome|msedge|firefox|code|devenv|notepad)\\.exe$")
      )
    ),
    "true", "false"
  )
// Branch 2: LOLBin C2 port connection
| eval net_match = if(
    %"metadata.deviceEventId" = "3"
    and dst_port in (4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777)
    and !isPrivateIP(%"fields.DestinationIp")
    and matches(image_lower, "(?i)(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\\.exe$"),
    "true", "false"
  )
// Branch 3: Script interpreter staging binary payload to writable path
| eval file_match = if(
    %"metadata.deviceEventId" = "11"
    and (
      contains(target_lower, "\\appdata\\roaming\\") or contains(target_lower, "\\appdata\\local\\temp\\")
      or contains(target_lower, "\\programdata\\") or contains(target_lower, "\\windows\\temp\\")
      or contains(target_lower, "\\users\\public\\")
    )
    and (endsWith(target_lower, ".bin") or endsWith(target_lower, ".dat") or endsWith(target_lower, ".tmp"))
    and matches(image_lower, "(?i)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\\.exe$"),
    "true", "false"
  )
| where proc_match = "true" or net_match = "true" or file_match = "true"
| eval detection_branch = if(proc_match = "true", "ProcessExecution",
    if(net_match = "true", "C2NetworkPattern", "StagingFileArtifact"))
| eval malware_family = if(matches(image_lower, "(?i)(beacon|beacon32|beacon64)\\.exe$"), "Cobalt Strike",
    if(matches(image_lower, "njrat\\.exe$") or matches(cmdline_lower, "njrat"), "njRAT",
    if(matches(cmdline_lower, "quasar"), "QuasarRAT",
    if(matches(cmdline_lower, "asyncrat"), "AsyncRAT",
    if(matches(cmdline_lower, "nanocore"), "NanoCore",
    if(matches(cmdline_lower, "remcos"), "Remcos",
    if(matches(cmdline_lower, "meterpreter"), "Meterpreter",
    if(matches(cmdline_lower, "cobalt"), "Cobalt Strike",
    if(net_match = "true" and dst_port = 50050, "Cobalt Strike (Teamserver default)",
    if(net_match = "true" and dst_port = 4444, "Metasploit default listener",
    if(net_match = "true" and dst_port = 31337, "Back Orifice/Elite",
    if(file_match = "true", "Commodity Malware Staging",
    "Unknown Commodity Malware"))))))))))))
| fields _time, %"metadata.deviceHostName", %"fields.User", %"fields.Image", %"fields.CommandLine", %"fields.DestinationIp", %"fields.DestinationPort", %"fields.TargetFilename", malware_family, detection_branch
| sort by _time desc
Severity
high
Confidence
medium

Sumo Logic detection covering three behavioral branches for T1588.001 using Sysmon-sourced logs: process creation matching known commodity RAT binary names or malware framework command-line strings; LOLBin processes connecting to known C2/RAT listener ports on non-RFC1918 IPs; script interpreters staging binary payloads with .bin/.dat/.tmp extensions to user-writable Windows paths. Requires Sysmon custom field parsing in Sumo Logic field extraction rules (FERs) for Image, CommandLine, TargetFilename, DestinationIp, DestinationPort.
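As an added example, not code from the page or from Sumo Logic, the three branches and the malware_family ladder of the query above re-implemented in Python so the logic can be checked offline against constructed events: the regexes and port/path lists are copied from the query, matches() is treated as a regex search, and isPrivateIP() is approximated by the RFC1918 ranges the description names.

```python
import ipaddress
import re
# Patterns and lists copied from the query's three branches and its malware_family ladder.
RAT_IMAGE = re.compile(r"(beacon|beacon32|beacon64|stager|stager32|stager64|injector|loader|dropper|njrat|rat)\.exe$")
FAMILY_CMD = re.compile(r"(njrat|quasar(rat)?|asyncrat|nanocore|remcos(rat)?|azorult|meterpreter|cobaltstr|cobalt.?strike|agent.?tesla|lokibot|formbook|redlinestealer)")
BENIGN_IMAGE = re.compile(r"(chrome|msedge|firefox|code|devenv|notepad)\.exe$")
LOLBIN_NET = re.compile(r"(rundll32|regsvr32|mshta|wscript|cscript|msiexec|odbcconf|certutil|bitsadmin|explorer|svchost)\.exe$")
SCRIPT_HOST = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$")
C2_PORTS = {4444, 1234, 9999, 31337, 50050, 8888, 6666, 5555, 7777}
STAGING_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\windows\\temp\\", "\\users\\public\\")
CMD_FAMILY = [("quasar", "QuasarRAT"), ("asyncrat", "AsyncRAT"), ("nanocore", "NanoCore"),
              ("remcos", "Remcos"), ("meterpreter", "Meterpreter"), ("cobalt", "Cobalt Strike")]
PORT_FAMILY = {50050: "Cobalt Strike (Teamserver default)", 4444: "Metasploit default listener", 31337: "Back Orifice/Elite"}
# RFC1918 only, as the description states; ipaddress's is_private would also drop the RFC 5737 ranges the tests use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(ev):
    """Return (detection_branch, malware_family) for one event, or None when no branch fires."""
    eid, image = ev.get("eventId"), ev.get("Image", "").lower()
    cmd, target = ev.get("CommandLine", "").lower(), ev.get("TargetFilename", "").lower()
    port, ip = int(ev.get("DestinationPort") or 0), ev.get("DestinationIp", "")
    private = bool(ip) and any(ipaddress.ip_address(ip) in n for n in RFC1918)
    # Branches 1-3 of the query: process execution, LOLBin C2 port connection, script-host staging file
    proc = eid in ("1", "4688") and (bool(RAT_IMAGE.search(image))
                                     or (bool(FAMILY_CMD.search(cmd)) and not BENIGN_IMAGE.search(image)))
    net = eid == "3" and port in C2_PORTS and not private and bool(LOLBIN_NET.search(image))
    filem = (eid == "11" and any(d in target for d in STAGING_DIRS)
             and target.endswith((".bin", ".dat", ".tmp")) and bool(SCRIPT_HOST.search(image)))
    if not (proc or net or filem):
        return None
    branch = "ProcessExecution" if proc else "C2NetworkPattern" if net else "StagingFileArtifact"
    if re.search(r"(beacon|beacon32|beacon64)\.exe$", image):
        family = "Cobalt Strike"
    elif image.endswith("njrat.exe") or "njrat" in cmd:
        family = "njRAT"
    else:  # same precedence as the nested if() chain in the query
        family = (next((name for needle, name in CMD_FAMILY if needle in cmd), None)
                  or (PORT_FAMILY.get(port) if net else None)
                  or ("Commodity Malware Staging" if filem else "Unknown Commodity Malware"))
    return branch, family
# Constructed events (not real telemetry) in the shape of the CSE records the query reads.
SAMPLE_EVENTS = [
    {"eventId": "1", "Image": r"C:\Users\bob\AppData\Roaming\njrat.exe", "CommandLine": "njrat.exe /all"},
    {"eventId": "3", "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "198.51.100.1", "DestinationPort": "50050"},
    {"eventId": "3", "Image": r"C:\Windows\System32\rundll32.exe", "DestinationIp": "10.0.0.5", "DestinationPort": "4444"},
    {"eventId": "11", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TargetFilename": r"C:\Users\Public\stage.bin"},
    {"eventId": "1", "Image": r"C:\Program Files\Google\Chrome\chrome.exe", "CommandLine": "chrome.exe https://example.test/asyncrat"},
    # Test 4 as described below: powershell.exe is absent from branch 2's LOLBin list, so no hit
    {"eventId": "3", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "DestinationIp": "198.51.100.1", "DestinationPort": "50050"},
]
```

The last sample event reproduces the PowerShell connection to 198.51.100.1:50050 from the testing methodology and yields no hit, because branch 2 only fires for the LOLBins named in its regex; the same applies to the powershell.exe connections in Test 2.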

Data Sources

  • Sysmon logs forwarded to Sumo Logic via Installed Collector or Cloud-to-Cloud
  • Sumo Logic Cloud SIEM Enterprise (CSE) normalized Windows endpoint records

Required Tables

  • Raw Sysmon/Windows Event Log source data
  • sec_record index (CSE normalized records)

False Positives & Tuning

  • Authorised offensive security tooling (licensed Cobalt Strike, Metasploit, Sliver C2) used in red team engagements — coordinate with security operations to create scheduled suppression rules for known red team host names and engagement time windows
  • Software packaging or installer frameworks (NSIS, WiX, InstallShield) that invoke cmd.exe or PowerShell as part of the install process and write binary payload files to ProgramData or AppData paths
  • Remote admin and RMM tools (ConnectWise, TeamViewer, Datto, Kaseya) running via svchost-hosted service DLLs that communicate on non-standard high ports — build a lookup table of authorised RMM destination IPs for suppression
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate njRAT/QuasarRAT Binary Name Pattern

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in 'njrat.exe', CommandLine 'njrat.exe /all'. Security Event ID 4688 (if command line auditing enabled). Prefetch entry NJRAT.EXE-*.pf created in C:\Windows\Prefetch\.

  2. Test 2: Beacon-Pattern Network Connection to Non-Standard Port

    Expected signal: Sysmon Event ID 3: Multiple Network Connection events from powershell.exe to 192.0.2.1:4444 with ~10 second intervals. Security Event ID 4688 for the PowerShell process creation. Connection attempts will fail (192.0.2.1 is RFC 5737 documentation range) but process and network events fire regardless.

  3. Test 3: Infostealer Credential Target Access Simulation

    Expected signal: Sysmon Event ID 10 (Process Access) if Chrome is running and the Login Data file is locked. Sysmon Event ID 11 or Windows file access auditing events for the Login Data file access by powershell.exe. PowerShell ScriptBlock Log Event ID 4104 with the script content referencing the credential database path.

  4. Test 4: Cobalt Strike Default C2 Port Connection Attempt

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to 198.51.100.1:50050. The connection attempt will fail (RFC 5737 test range) but the connection attempt event fires. Security Event ID 4688 for the PowerShell process. DNS query may be logged if name resolution was attempted.

  5. Test 5: Commodity Malware Dynamic DNS Resolution

    Expected signal: Sysmon Event ID 22 (DNS Query): QueryName='test.no-ip.org', Image ends in 'powershell.exe'. Network connection log may show the DNS resolver query. PowerShell ScriptBlock Log Event ID 4104 with the DNS resolution command.
