Detect Tool in Google Chronicle
Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary but was not originally intended for those purposes (e.g., PsExec, Mimikatz, Cobalt Strike). Adversaries may obtain tools to support their operations — including post-compromise execution, lateral movement, credential access, and discovery. Detection of this technique pivots from observing tool acquisition (which occurs on adversary infrastructure, outside the victim environment) to detecting the PRESENCE and EXECUTION of known offensive tools within the environment: dual-use administration utilities, credential access tools, post-exploitation frameworks, network scanners, and Active Directory reconnaissance tools. Real-world examples include DarkVishnya using Impacket and PsExec, Turla customizing Mimikatz, Magic Hound deploying Havij and sqlmap, Kimsuky using Nirsoft WebBrowserPassView, and Storm-1811 deploying RMM software and commodity malware.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Sub-technique
- T1588.002 Tool
- Canonical reference
- https://attack.mitre.org/techniques/T1588/002/
YARA-L Detection Query
rule T1588_002_offensive_tool {
  meta:
    author = "Detection Engineering"
    description = "Detects execution of known offensive security tools"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1588.002"
    reference = "https://attack.mitre.org/techniques/T1588/002/"
  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)`) or
      re.regex($e.target.process.command_line, `(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)`)
    )
  condition:
    $e
}
Google Chronicle YARA-L 2.0 detection for Tool. Detects the presence and execution of known offensive tools obtained by adversaries per MITRE T1588.002. Covers three detection surfaces: (1) known offensive executable filenames (Mimikatz, Rubeus, Sh
False Positives & Tuning
- Authorized penetration testing engagements using commercial offensive tools
- Internal red team exercises with pre-approved scope and tooling
- Security researchers analyzing offensive capabilities in isolated lab environments
- IT administrators using dual-use network tools for authorized diagnostics
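To see how the rule's two regex branches behave on sample telemetry, and how the authorized-testing false positives above can be suppressed, here is an added Python emulation of the rule's events logic (example code, not the page's rule or a Chronicle API; the UDM-like Event class, the APPROVED_HOSTS allowlist and the sample events are constructed assumptions):

```python
import re
from dataclasses import dataclass

# The two RE2-compatible patterns from the page's YARA-L rule, reproduced as-is.
PATH_RE = re.compile(r"(?i)(mimikatz|rubeus|bloodhound|sharphound|cobalt|meterpreter|crackmapexec|impacket)")
CMD_RE = re.compile(r"(?i)(invoke-mimikatz|invoke-bloodhound|\-enc\s|\-encoded\s|bypass)")

# Hypothetical tuning list of hosts covered by an approved engagement (assumption, not from the page).
APPROVED_HOSTS = {"redteam-jump01"}


@dataclass
class Event:
    """Minimal stand-in for the UDM fields the rule reads."""
    event_type: str
    hostname: str
    full_path: str
    command_line: str


def matches_rule(ev: Event) -> bool:
    """Mirror the rule's events section: PROCESS_LAUNCH and (path regex or command-line regex)."""
    if ev.event_type != "PROCESS_LAUNCH":
        return False
    return bool(PATH_RE.search(ev.full_path) or CMD_RE.search(ev.command_line))


def evaluate(events):
    """Split matching events into alerts and suppressions; non-matching events are dropped."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if ev.hostname in APPROVED_HOSTS else alerts).append(ev)
    return alerts, suppressed


# Constructed sample events (not real telemetry) covering each branch of the rule.
SAMPLE_EVENTS = [
    Event("PROCESS_LAUNCH", "ws-042", r"C:\Users\bob\Downloads\mimikatz.exe",
          "mimikatz.exe privilege::debug sekurlsa::logonpasswords"),   # path branch
    Event("PROCESS_LAUNCH", "ws-017", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -enc <base64-placeholder>"),                  # command-line branch
    Event("FILE_CREATION", "ws-042", r"C:\Users\bob\Downloads\mimikatz.exe", ""),  # wrong event type
    Event("PROCESS_LAUNCH", "redteam-jump01", r"C:\Tools\SharpHound.exe", "SharpHound.exe -c All"),
    Event("PROCESS_LAUNCH", "ws-003", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),
]

if __name__ == "__main__":
    hits, quiet = evaluate(SAMPLE_EVENTS)
    for ev in hits:
        print(f"ALERT      {ev.hostname}: {ev.command_line}")
    for ev in quiet:
        print(f"SUPPRESSED {ev.hostname}: {ev.command_line} (approved engagement)")
```

Note that the allowlist is applied after matching, so suppressed events are still visible for audit rather than silently dropped.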
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mimikatz Credential Extraction — sekurlsa::logonpasswords
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'privilege::debug' and 'sekurlsa::logonpasswords'. Sysmon Event ID 10: Process Access with TargetImage=lsass.exe, GrantedAccess=0x1010 or 0x1410 from the mimikatz.exe process. Security Event ID 4688 (if command line auditing enabled). Windows Defender may generate Event ID 1116 or 1117 (malware detection) in Microsoft-Windows-Windows Defender/Operational.
- Test 2: SharpHound Active Directory Collection
Expected signal: Sysmon Event ID 1: Process Create with Image=SharpHound.exe, CommandLine containing '-c All' and '--outputdirectory'. Sysmon Event ID 3: High-volume network connections to domain controller(s) on ports 389 (LDAP), 636 (LDAPS), and 445 (SMB). Sysmon Event ID 11: Multiple JSON/ZIP file creation events in the output directory. Security Event IDs 4662 (directory service object access) and 5136 (directory service object modification) on domain controllers.
- Test 3: Rubeus Kerberoasting — Service Ticket Request
Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine containing 'kerberoast' and '/outfile'. Security Event ID 4769 on the domain controller showing RC4 encrypted service ticket requests. Sysmon Event ID 11: File creation of kerberoast hash output file.
- Test 4: LaZagne Password Recovery from Browser and System
Expected signal: Sysmon Event ID 1: Process Create with Image=LaZagne.exe or lazagne.exe, CommandLine containing 'all' and '-oA'. Sysmon Event ID 11: File creation events in %TEMP%\lazagne_results for each module output file. Sysmon Event ID 10: Possible process access events against browser processes (chrome.exe, firefox.exe) if they are running. Registry access to HKCU\Software\Microsoft\Internet Explorer\IntelliForms and browser profile directories.
- Test 5: PsExec Remote Execution to Lateral Host
Expected signal: Source host — Sysmon Event ID 1: Process Create with Image=PsExec.exe and target host argument. Sysmon Event ID 3: SMB connection (port 445) to target host. Target host — Sysmon Event ID 1: cmd.exe process create with parent PSEXESVC.exe. Security Event ID 7045 (new service installed) for PSEXESVC on the target host. Security Event ID 4624 (logon type 3, network) on target host with the admin credentials used.