T1588.002 Tool Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let KnownOffensiveTools = dynamic([
  // Credential access tools
  "mimikatz.exe", "mimi32.exe", "mimimeme.exe",
  "wce.exe", "wce32.exe", "fgdump.exe", "gsecdump.exe",
  "lazagne.exe", "kekeo.exe",
  // Kerberos attack tools
  "rubeus.exe",
  // AD recon tools
  "sharphound.exe", "bloodhound.exe", "adexplorer.exe", "adexplorer64.exe",
  // Remote execution tools
  "psexec.exe", "psexec64.exe", "paexec.exe",
  // Memory dumpers
  "nanodump.exe", "safetydump.exe", "sharpdump.exe",
  // Network scanners
  "advanced_ip_scanner.exe", "advanced_port_scanner.exe",
  // Misc dual-use tools known for adversary use
  "rvtools.exe", "netscan.exe"
]);
let OffensiveCommandSignatures = dynamic([
  // Mimikatz commands
  "sekurlsa::", "lsadump::", "kerberos::", "privilege::debug",
  "invoke-mimikatz", "dcsync",
  // BloodHound/SharpHound collection
  "sharphound", "-collectionmethod", "invoke-bloodhound",
  // Kerberos attacks
  "rubeus kerberoast", "rubeus asreproast", "rubeus dump", "rubeus s4u",
  "invoke-kerberoast", "invoke-asreproast", "getuserspns",
  // Impacket-style invocations
  "invoke-smbexec", "invoke-wmiexec",
  // PowerSploit / PowerShell post-exploit frameworks
  "invoke-meterpreter", "get-gpppassword", "get-gppautologon",
  "invoke-allchecks", "find-localadminaccess",
  // Cobalt Strike / C2 beaconing artifacts
  "beacon.exe", "artifact.exe",
  // Metasploit artifacts
  "msfstager", "msfpayload"
]);
let OffensivePathKeywords = dynamic([
  "\\mimikatz", "\\lazagne", "\\rubeus", "\\sharphound", "\\bloodhound",
  "\\impacket", "\\crackmapexec", "\\powersploit", "\\powerempire",
  "\\cobaltstrike", "\\cobalt_strike", "\\metasploit",
  "\\invoke-mimikatz", "\\kekeo", "\\sharpkatz"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (KnownOffensiveTools)
    or ProcessCommandLine has_any (OffensiveCommandSignatures)
    or FolderPath has_any (OffensivePathKeywords)
| extend DetectionCategory = case(
    FileName has_any (KnownOffensiveTools), "KnownOffensiveToolExecutable",
    ProcessCommandLine has_any (OffensiveCommandSignatures), "OffensiveCommandSignature",
    FolderPath has_any (OffensivePathKeywords), "SuspiciousToolPath",
    "Unknown"
  )
| extend CredentialTool = FileName has_any ("mimikatz.exe", "mimi32.exe", "wce.exe", "lazagne.exe", "kekeo.exe", "fgdump.exe", "gsecdump.exe")
    or ProcessCommandLine has_any ("sekurlsa::", "lsadump::", "invoke-mimikatz", "dcsync")
| extend KerberosTool = FileName has_any ("rubeus.exe")
    or ProcessCommandLine has_any ("rubeus kerberoast", "rubeus asreproast", "rubeus dump", "invoke-kerberoast", "getuserspns")
| extend ADReconTool = FileName has_any ("sharphound.exe", "bloodhound.exe", "adexplorer.exe", "adexplorer64.exe", "rvtools.exe")
    or ProcessCommandLine has_any ("sharphound", "-collectionmethod", "invoke-bloodhound")
| extend LateralMovementTool = FileName has_any ("psexec.exe", "psexec64.exe", "paexec.exe")
    or ProcessCommandLine has_any ("invoke-smbexec", "invoke-wmiexec")
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine,
          DetectionCategory, CredentialTool, KerberosTool, ADReconTool, LateralMovementTool,
          SHA256, MD5
| sort by Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Authorized red team or penetration test engagements using Mimikatz, Rubeus, BloodHound, or PsExec with prior change ticket — coordinate with security team on expected activity windows
IT administrators using PsExec, ADExplorer, or RVTools for legitimate system administration, remote execution, or AD inventory tasks — these are common dual-use tools in enterprise environments
Security operations tooling that bundles or executes named tools for endpoint assessment (CrowdStrike, Tenable, Rapid7 InsightAgent) — baseline process ancestry from known security product parent processes
Developer or security researcher workstations running offensive security tools as part of authorized research — document and baseline these devices separately from production endpoints
Vendor-supplied diagnostic scripts that include Sysinternals tools (PsExec, procdump) as part of support engagements — verify with vendor and correlate with active support tickets

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval ToolCategory=case(
    match(Image_lower, "(mimikatz|mimi32|wce\.exe|wce32|lazagne|kekeo|gsecdump|fgdump|nanodump|safetydump|sharpdump)"),
      "CredentialAccessTool",
    match(Image_lower, "(rubeus\.exe)"),
      "KerberosAttackTool",
    match(Image_lower, "(sharphound|bloodhound|adexplorer|adexplorer64)"),
      "ADReconTool",
    match(Image_lower, "(psexec\.exe|psexec64\.exe|paexec\.exe)"),
      "RemoteExecTool",
    match(Image_lower, "(rvtools\.exe|advanced_ip_scanner|advanced_port_scanner|netscan)"),
      "InventoryReconTool",
    match(CommandLine_lower, "(sekurlsa::|lsadump::|kerberos::|privilege::debug|invoke-mimikatz|dcsync)"),
      "MimikatzCommand",
    match(CommandLine_lower, "(sharphound|-collectionmethod|invoke-bloodhound)"),
      "BloodHoundCollection",
    match(CommandLine_lower, "(rubeus kerberoast|rubeus asreproast|rubeus dump|rubeus s4u|invoke-kerberoast|invoke-asreproast|getuserspns)"),
      "KerberosAttack",
    match(CommandLine_lower, "(invoke-smbexec|invoke-wmiexec|invoke-allchecks|find-localadminaccess|get-gpppassword|get-gppautologon)"),
      "PostExploitFramework",
    match(CommandLine_lower, "(beacon\.exe|msfstager|msfpayload|invoke-meterpreter)"),
      "C2Framework",
    1=1, null()
  )
| where isnotnull(ToolCategory)
| eval IsCredentialTool=if(match(ToolCategory, "(CredentialAccess|Mimikatz|Kerberos)"), 1, 0)
| eval IsReconTool=if(match(ToolCategory, "(ADRecon|BloodHound|Inventory)"), 1, 0)
| eval IsExecTool=if(match(ToolCategory, "(RemoteExec|PostExploit|C2)"), 1, 0)
| eval SeverityScore=IsCredentialTool*3 + IsReconTool*2 + IsExecTool*2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory, IsCredentialTool, IsReconTool, IsExecTool, SeverityScore, Hashes
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized red team or penetration test engagements using Mimikatz, Rubeus, BloodHound, or PsExec with prior change ticket — coordinate with security team on expected activity windows
IT administrators using PsExec, ADExplorer, or RVTools for legitimate system administration, remote execution, or AD inventory tasks — these are common dual-use tools in enterprise environments
Security operations tooling that bundles or executes named tools for endpoint assessment (CrowdStrike, Tenable, Rapid7 InsightAgent) — baseline process ancestry from known security product parent processes
Developer or security researcher workstations running offensive security tools as part of authorized research — document and baseline these devices separately from production endpoints
Vendor-supplied diagnostic scripts that include Sysinternals tools (PsExec, procdump) as part of support engagements — verify with vendor and correlate with active support tickets

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : ("mimikatz.exe", "rubeus.exe", "cobalt*", "meterpreter*", "psexec.exe",
                      "sharphound.exe", "bloodhound.exe", "crackmapexec.py", "impacket*")
  or process.command_line : ("*-enc *", "*invoke-mimikatz*", "*invoke-bloodhound*")

high severity medium confidence

Data Sources

Elastic Endpoint Security Process events

Required Tables

logs-endpoint.events.process.*

False Positives

Authorized penetration testers using offensive security tools
Red team exercises using commercial security testing tools
Security researchers analyzing offensive tools in isolated environments
IT administrators using legitimate dual-use network tools for troubleshooting

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS HostIP, username,
  "Image" AS ProcessImage, "CommandLine",
  "ParentImage" AS ParentProcess,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' OR "CommandLine" ILIKE '%invoke-mimikatz%' THEN 100
    WHEN "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%' THEN 95
    WHEN "Image" ILIKE '%bloodhound%' OR "Image" ILIKE '%sharphound%' THEN 85
    WHEN "CommandLine" ILIKE '%-enc %' OR "CommandLine" ILIKE '%bypass%' THEN 70
    ELSE 50
  END AS RiskScore,
  CASE
    WHEN "Image" ILIKE '%mimikatz%' THEN 'Credential Dumping Tool'
    WHEN "Image" ILIKE '%cobalt%' THEN 'C2 Framework'
    WHEN "Image" ILIKE '%bloodhound%' THEN 'AD Recon Tool'
    ELSE 'Offensive Tool'
  END AS ToolCategory
FROM events
WHERE eventid = 1
  AND (
    "Image" ILIKE '%mimikatz%' OR "Image" ILIKE '%rubeus%' OR "Image" ILIKE '%bloodhound%'
    OR "Image" ILIKE '%sharphound%' OR "Image" ILIKE '%cobalt%' OR "Image" ILIKE '%meterpreter%'
    OR "CommandLine" ILIKE '%invoke-mimikatz%' OR "CommandLine" ILIKE '%invoke-bloodhound%'
    OR "CommandLine" ILIKE '%-encoded %' OR "CommandLine" ILIKE '%-enc %'
  )
  AND LOGSOURCETYPENAME(devicetype) ILIKE '%sysmon%'
ORDER BY RiskScore DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Sysmon Event ID 1 Windows Security Event Log

Required Tables

events

False Positives

Authorized penetration testing using offensive security tools
Red team exercises using dual-use security tools
Security researchers analyzing offensive tools in isolated labs
IT administrators using dual-use tools for authorized troubleshooting

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*endpoint*
| json auto
| where EventCode = 1
| eval CommandLower = lower(CommandLine)
| eval ImageLower = lower(Image)
| where matches(ImageLower, "mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket")
   or matches(CommandLower, "invoke-mimikatz|invoke-bloodhound|-encoded |-enc |bypass")
| eval ToolCategory = if(matches(ImageLower, "mimikatz"), "Credential Dumping",
    if(matches(ImageLower, "bloodhound|sharphound"), "AD Reconnaissance",
    if(matches(ImageLower, "cobalt|meterpreter"), "C2 Framework", "Offensive Tool")))
| eval RiskScore = if(ToolCategory = "Credential Dumping", 100,
    if(ToolCategory = "C2 Framework", 95,
    if(ToolCategory = "AD Reconnaissance", 85, 70)))
| stats count, values(CommandLine) AS Commands by _sourceHost, User, ToolCategory, RiskScore
| sort by RiskScore desc

high severity medium confidence

Data Sources

Sysmon Event ID 1

Required Tables

_sourceCategory=*sysmon*

False Positives

Authorized penetration testers running scheduled security assessments
Red team exercises using commercial offensive security tooling
Security researchers analyzing malware in isolated lab environments
Network administrators using dual-use tools for authorized diagnostics

Google Chronicle / SecOps

yaral

rule T1588_002_offensive_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known offensive security tools"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1588.002"
    reference = "https://attack.mitre.org/techniques/T1588/002/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)`) or
      re.regex($e.target.process.command_line, `(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Endpoint telemetry

Required Tables

PROCESS_LAUNCH

False Positives

Authorized penetration testing engagements using commercial offensive tools
Internal red team exercises with pre-approved scope and tooling
Security researchers analyzing offensive capabilities in isolated lab environments
IT administrators using dual-use network tools for authorized diagnostics

CrowdStrike LogScale (CQL)

cql

#event_simpleName in ("ProcessRollup2", "SyntheticProcessRollup2")
| ImageFileName = /(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)/
  OR CommandLine = /(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)/
| groupBy([aid, ComputerName, UserName, ImageFileName, CommandLine], function=[count(as=EventCount), min(timestamp, as=FirstSeen)])
| case {
    ImageFileName = /(?i)(mimikatz|rubeus)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    ImageFileName = /(?i)(bloodhound|sharphound)/ => ToolCategory := "AD Recon"; RiskScore := "High";
    ImageFileName = /(?i)(cobalt|meterpreter)/ => ToolCategory := "C2 Framework"; RiskScore := "Critical";
    CommandLine = /(?i)(invoke-mimikatz)/ => ToolCategory := "Credential Harvesting"; RiskScore := "Critical";
    * => ToolCategory := "Offensive Tool"; RiskScore := "High";
  }
| table([ComputerName, UserName, ImageFileName, ToolCategory, CommandLine, EventCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Process events

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Authorized penetration testing engagements using approved offensive tooling
Internal red team exercises with documented and approved scope
Security researchers in isolated environments analyzing offensive tool capabilities
IT administrators using dual-use network diagnostic tools for authorized tasks

Tool

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections