T1588.002 Splunk · SPL

Detect Tool in Splunk

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary but was not originally intended for those purposes (e.g., PsExec, Mimikatz, Cobalt Strike). Adversaries may obtain tools to support their operations — including post-compromise execution, lateral movement, credential access, and discovery. Detection of this technique pivots from observing tool acquisition (which occurs on adversary infrastructure, outside the victim environment) to detecting the PRESENCE and EXECUTION of known offensive tools within the environment: dual-use administration utilities, credential access tools, post-exploitation frameworks, network scanners, and Active Directory reconnaissance tools. Real-world examples include DarkVishnya using Impacket and PsExec, Turla customizing Mimikatz, Magic Hound deploying Havij and sqlmap, Kimsuky using Nirsoft WebBrowserPassView, and Storm-1811 deploying RMM software and commodity malware.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.002 Tool
Canonical reference
https://attack.mitre.org/techniques/T1588/002/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval Image_lower=lower(Image)
| eval CommandLine_lower=lower(CommandLine)
| eval ToolCategory=case(
    match(Image_lower, "(mimikatz|mimi32|wce\.exe|wce32|lazagne|kekeo|gsecdump|fgdump|nanodump|safetydump|sharpdump)"),
      "CredentialAccessTool",
    match(Image_lower, "(rubeus\.exe)"),
      "KerberosAttackTool",
    match(Image_lower, "(sharphound|bloodhound|adexplorer|adexplorer64)"),
      "ADReconTool",
    match(Image_lower, "(psexec\.exe|psexec64\.exe|paexec\.exe)"),
      "RemoteExecTool",
    match(Image_lower, "(rvtools\.exe|advanced_ip_scanner|advanced_port_scanner|netscan)"),
      "InventoryReconTool",
    match(CommandLine_lower, "(sekurlsa::|lsadump::|kerberos::|privilege::debug|invoke-mimikatz|dcsync)"),
      "MimikatzCommand",
    match(CommandLine_lower, "(sharphound|-collectionmethod|invoke-bloodhound)"),
      "BloodHoundCollection",
    match(CommandLine_lower, "(rubeus kerberoast|rubeus asreproast|rubeus dump|rubeus s4u|invoke-kerberoast|invoke-asreproast|getuserspns)"),
      "KerberosAttack",
    match(CommandLine_lower, "(invoke-smbexec|invoke-wmiexec|invoke-allchecks|find-localadminaccess|get-gpppassword|get-gppautologon)"),
      "PostExploitFramework",
    match(CommandLine_lower, "(beacon\.exe|msfstager|msfpayload|invoke-meterpreter)"),
      "C2Framework",
    1=1, null()
  )
| where isnotnull(ToolCategory)
| eval IsCredentialTool=if(match(ToolCategory, "(CredentialAccess|Mimikatz|Kerberos)"), 1, 0)
| eval IsReconTool=if(match(ToolCategory, "(ADRecon|BloodHound|Inventory)"), 1, 0)
| eval IsExecTool=if(match(ToolCategory, "(RemoteExec|PostExploit|C2)"), 1, 0)
| eval SeverityScore=IsCredentialTool*3 + IsReconTool*2 + IsExecTool*2
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, ToolCategory, IsCredentialTool, IsReconTool, IsExecTool, SeverityScore, Hashes
| sort - _time
Severity: high · Confidence: medium

Detects the execution of known offensive tools associated with T1588.002 (adversary tool acquisition) using Sysmon Event ID 1 (Process Create). Categorizes detections into CredentialAccessTool, KerberosAttackTool, ADReconTool, RemoteExecTool, InventoryReconTool, and command-level signatures for Mimikatz, BloodHound collection, Kerberos attacks, post-exploitation frameworks, and C2 stagers. Assigns a SeverityScore (credential tools weighted highest at 3) to assist analyst prioritization. Covers both executable name matching and command-line signature matching to catch renamed binaries that expose themselves through their arguments.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized red team or penetration test engagements using Mimikatz, Rubeus, BloodHound, or PsExec with prior change ticket — coordinate with security team on expected activity windows
  • IT administrators using PsExec, ADExplorer, or RVTools for legitimate system administration, remote execution, or AD inventory tasks — these are common dual-use tools in enterprise environments
  • Security operations tooling that bundles or executes named tools for endpoint assessment (CrowdStrike, Tenable, Rapid7 InsightAgent) — baseline process ancestry from known security product parent processes
  • Developer or security researcher workstations running offensive security tools as part of authorized research — document and baseline these devices separately from production endpoints
  • Vendor-supplied diagnostic scripts that include Sysinternals tools (PsExec, procdump) as part of support engagements — verify with vendor and correlate with active support tickets
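The SPL query above is the detection itself; the following is an added example, not code from the original page, that re-implements its classification and scoring logic in Python so the rule order, the renamed-binary case and the SeverityScore weights can be exercised offline against constructed Sysmon Event ID 1 records. It also applies the parent-process baseline suggested in the tuning notes. The sample events, the hosts and users in them, and the baselined EDR parent path are constructed assumptions for illustration.

```python
import re

# Ordered (category, field, regex) rules mirroring the SPL case() block.
# case() returns the first true branch, so image-name rules are checked
# before command-line rules, exactly as in the query.
TOOL_RULES = [
    ("CredentialAccessTool", "Image",
     r"(mimikatz|mimi32|wce\.exe|wce32|lazagne|kekeo|gsecdump|fgdump|nanodump|safetydump|sharpdump)"),
    ("KerberosAttackTool", "Image", r"(rubeus\.exe)"),
    ("ADReconTool", "Image", r"(sharphound|bloodhound|adexplorer|adexplorer64)"),
    ("RemoteExecTool", "Image", r"(psexec\.exe|psexec64\.exe|paexec\.exe)"),
    ("InventoryReconTool", "Image",
     r"(rvtools\.exe|advanced_ip_scanner|advanced_port_scanner|netscan)"),
    ("MimikatzCommand", "CommandLine",
     r"(sekurlsa::|lsadump::|kerberos::|privilege::debug|invoke-mimikatz|dcsync)"),
    ("BloodHoundCollection", "CommandLine", r"(sharphound|-collectionmethod|invoke-bloodhound)"),
    ("KerberosAttack", "CommandLine",
     r"(rubeus kerberoast|rubeus asreproast|rubeus dump|rubeus s4u|invoke-kerberoast|invoke-asreproast|getuserspns)"),
    ("PostExploitFramework", "CommandLine",
     r"(invoke-smbexec|invoke-wmiexec|invoke-allchecks|find-localadminaccess|get-gpppassword|get-gppautologon)"),
    ("C2Framework", "CommandLine", r"(beacon\.exe|msfstager|msfpayload|invoke-meterpreter)"),
]

# The three IsXxxTool flags and their SeverityScore weights (3 + 2 + 2).
SEVERITY_WEIGHTS = [
    (re.compile(r"(CredentialAccess|Mimikatz|Kerberos)"), 3),  # IsCredentialTool
    (re.compile(r"(ADRecon|BloodHound|Inventory)"), 2),        # IsReconTool
    (re.compile(r"(RemoteExec|PostExploit|C2)"), 2),            # IsExecTool
]

# Assumed tuning baseline (see the security-operations tooling bullet):
# parent processes whose children are expected to include dual-use tools.
# The path is an illustrative placeholder, not a real vendor location.
BASELINED_PARENTS = {r"c:\program files\example-edr\sensor.exe"}


def classify(event):
    """Return ToolCategory for one Sysmon Event ID 1 record, or None."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    for category, field, pattern in TOOL_RULES:
        haystack = image if field == "Image" else cmdline
        if re.search(pattern, haystack):
            return category
    return None


def severity(category):
    """SeverityScore = IsCredentialTool*3 + IsReconTool*2 + IsExecTool*2."""
    return sum(weight for rx, weight in SEVERITY_WEIGHTS if rx.search(category))


def detect(events, baselined_parents=BASELINED_PARENTS):
    """Classify events, drop baselined ancestry, and enrich the remaining hits."""
    hits = []
    for ev in events:
        category = classify(ev)
        if category is None:
            continue
        if ev.get("ParentImage", "").lower() in baselined_parents:
            continue  # tuning: expected child of a known security-product parent
        hits.append({**ev, "ToolCategory": category, "SeverityScore": severity(category)})
    return hits


# Constructed sample telemetry (not real events); field names follow the
# Sysmon Event ID 1 fields used in the query.
SAMPLE_EVENTS = [
    {"host": "ws01", "User": "CORP\\alice", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    # Renamed binary: the image name is harmless, the arguments are not.
    {"host": "ws02", "User": "CORP\\bob", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\Public\update.exe", "CommandLine": 'update.exe "lsadump::dcsync"'},
    {"host": "ws03", "User": "CORP\\carol", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c Invoke-Kerberoast"},
    # Same tool, but launched by the baselined security agent: suppressed.
    {"host": "srv01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Program Files\Example-EDR\sensor.exe",
     "Image": r"C:\Windows\Temp\PsExec.exe", "CommandLine": r"PsExec.exe \\srv02 ipconfig"},
    {"host": "ws04", "User": "CORP\\dave", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Tools\PsExec64.exe", "CommandLine": r"PsExec64.exe \\srv02 -s cmd.exe"},
    {"host": "ws05", "User": "CORP\\erin", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for hit in sorted(detect(SAMPLE_EVENTS), key=lambda h: -h["SeverityScore"]):
        print(hit["host"], hit["ToolCategory"], hit["SeverityScore"], hit["Image"])
```

Running it yields four hits: the mimikatz.exe launch (CredentialAccessTool, 3), the renamed update.exe caught by its lsadump:: argument (MimikatzCommand, 3), the PowerShell Invoke-Kerberoast command (KerberosAttack, 3) and the interactive PsExec64 launch (RemoteExecTool, 2); the PsExec launch under the baselined agent parent is dropped, and notepad.exe never classifies. Because the baseline compares the full parent path rather than the file name alone, a tool copied next to a look-alike sensor.exe in another directory is not suppressed.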

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mimikatz Credential Extraction — sekurlsa::logonpasswords

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe, CommandLine containing 'privilege::debug' and 'sekurlsa::logonpasswords'. Sysmon Event ID 10: Process Access with TargetImage=lsass.exe, GrantedAccess=0x1010 or 0x1410 from the mimikatz.exe process. Security Event ID 4688 (if command line auditing enabled). Windows Defender may generate Event ID 1116 or 1117 (malware detection) in Microsoft-Windows-Windows Defender/Operational.

  2. Test 2: SharpHound Active Directory Collection

    Expected signal: Sysmon Event ID 1: Process Create with Image=SharpHound.exe, CommandLine containing '-c All' and '--outputdirectory'. Sysmon Event ID 3: High-volume network connections to domain controller(s) on ports 389 (LDAP), 636 (LDAPS), and 445 (SMB). Sysmon Event ID 11: Multiple JSON/ZIP file creation events in the output directory. Security Event IDs 4662 (directory service object access) and 5136 (directory service object modification) on domain controllers.

  3. Test 3: Rubeus Kerberoasting — Service Ticket Request

    Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe, CommandLine containing 'kerberoast' and '/outfile'. Security Event ID 4769 on the domain controller showing RC4 encrypted service ticket requests. Sysmon Event ID 11: File creation of kerberoast hash output file.

  4. Test 4: LaZagne Password Recovery from Browser and System

    Expected signal: Sysmon Event ID 1: Process Create with Image=LaZagne.exe or lazagne.exe, CommandLine containing 'all' and '-oA'. Sysmon Event ID 11: File creation events in %TEMP%\lazagne_results for each module output file. Sysmon Event ID 10: Possible process access events against browser processes (chrome.exe, firefox.exe) if they are running. Registry access to HKCU\Software\Microsoft\Internet Explorer\IntelliForms and browser profile directories.

  5. Test 5: PsExec Remote Execution to Lateral Host

    Expected signal: Source host — Sysmon Event ID 1: Process Create with Image=PsExec.exe and target host argument. Sysmon Event ID 3: SMB connection (port 445) to target host. Target host — Sysmon Event ID 1: cmd.exe process create with parent PSEXESVC.exe. Security Event ID 7045 (new service installed) for PSEXESVC on the target host. Security Event ID 4624 (logon type 3, network) on target host with the admin credentials used.
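Test 5 is the one case above whose expected signal spans two hosts, so validating it means correlating source-host and target-host telemetry inside a time window rather than matching a single event. The following is an added example, not part of the original page, that does that correlation over constructed records: for each PsExec launch it checks for the SMB connection from the source and for the PSEXESVC service install, the type 3 logon and the PSEXESVC.exe-parented child process on the target, and reports which signals are missing. The flat event shape (ts, host, channel, EventCode plus per-event fields), the hosts and the 120-second window are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PSEXEC_IMAGE = re.compile(r"(psexec\.exe|psexec64\.exe|paexec\.exe)")
TARGET_ARG = re.compile(r"\\\\([\w.-]+)")  # the \\host argument given to PsExec


def correlate_psexec(events, window=timedelta(seconds=120)):
    """For each PsExec launch (Sysmon 1 on the source host), look within `window`
    for the Test 5 signals: Sysmon 3 to port 445 on the source, and on the target
    a PSEXESVC service install (7045), a logon type 3 (4624) and a Sysmon 1 whose
    parent is PSEXESVC.exe. Returns one chain per launch with a per-signal flag."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"].lower()].append({**ev, "_t": datetime.fromisoformat(ev["ts"])})

    chains = []
    for ev in events:
        if ev["channel"] != "Sysmon" or ev["EventCode"] != 1:
            continue
        if not PSEXEC_IMAGE.search(ev.get("Image", "").lower()):
            continue
        m = TARGET_ARG.search(ev.get("CommandLine", ""))
        target = m.group(1).lower() if m else None
        t0 = datetime.fromisoformat(ev["ts"])
        in_window = lambda e: t0 <= e["_t"] <= t0 + window
        seen = {"smb_connect": False, "service_install": False,
                "network_logon": False, "child_process": False}
        for e in by_host[ev["host"].lower()]:
            if (in_window(e) and e["channel"] == "Sysmon" and e["EventCode"] == 3
                    and e.get("DestinationPort") == 445
                    and e.get("DestinationHostname", "").lower() == target):
                seen["smb_connect"] = True
        for e in by_host.get(target, []):
            if not in_window(e):
                continue
            if e["EventCode"] == 7045 and e.get("ServiceName", "").upper() == "PSEXESVC":
                seen["service_install"] = True
            elif e["EventCode"] == 4624 and e.get("LogonType") == 3:
                seen["network_logon"] = True
            elif (e["channel"] == "Sysmon" and e["EventCode"] == 1
                    and e.get("ParentImage", "").lower().endswith("psexesvc.exe")):
                seen["child_process"] = True
        chains.append({"source": ev["host"].lower(), "target": target, "launch_ts": ev["ts"],
                       "signals": seen, "complete": all(seen.values())})
    return chains


# Constructed sample telemetry (not real events). Event 7045 is written by the
# Service Control Manager to the System log; 4624 comes from the Security log.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "host": "ws01", "channel": "Sysmon", "EventCode": 1,
     "Image": r"C:\Tools\PsExec.exe", "CommandLine": r"PsExec.exe \\srv01 -s cmd.exe"},
    {"ts": "2024-01-01T10:00:01", "host": "ws01", "channel": "Sysmon", "EventCode": 3,
     "Image": r"C:\Tools\PsExec.exe", "DestinationHostname": "srv01", "DestinationPort": 445},
    {"ts": "2024-01-01T10:00:02", "host": "srv01", "channel": "Security", "EventCode": 4624,
     "LogonType": 3, "TargetUserName": "admin"},
    {"ts": "2024-01-01T10:00:03", "host": "srv01", "channel": "System", "EventCode": 7045,
     "ServiceName": "PSEXESVC"},
    {"ts": "2024-01-01T10:00:04", "host": "srv01", "channel": "Sysmon", "EventCode": 1,
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\PSEXESVC.exe"},
    # Second launch whose target forwards no logs: the chain stays incomplete,
    # which is exactly the telemetry gap this validation is meant to surface.
    {"ts": "2024-01-01T11:00:00", "host": "ws02", "channel": "Sysmon", "EventCode": 1,
     "Image": r"C:\Tools\PsExec64.exe", "CommandLine": r"PsExec64.exe \\srv02 ipconfig"},
    {"ts": "2024-01-01T11:00:01", "host": "ws02", "channel": "Sysmon", "EventCode": 3,
     "Image": r"C:\Tools\PsExec64.exe", "DestinationHostname": "srv02", "DestinationPort": 445},
]

if __name__ == "__main__":
    for chain in correlate_psexec(SAMPLE_EVENTS):
        missing = [k for k, v in chain["signals"].items() if not v]
        print(chain["source"], "->", chain["target"], "complete" if chain["complete"] else f"missing {missing}")
```

The first chain (ws01 to srv01) comes back complete; the second (ws02 to srv02) shows the SMB connection but none of the target-side signals, which during a test run points at a collection gap on the target (Sysmon not installed, or the System and Security channels not forwarded) rather than at a problem with the SPL detection itself.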
