T1588.005

Exploits

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find, modify, or purchase exploits from online sources, exploit vendors, criminal marketplaces (including exploit kits), or from other threat actors. Adversaries such as Ember Bear have obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories, while Kimsuky has obtained exploit code for various CVEs. Acquired exploits may be used across multiple phases of the adversary lifecycle including initial access, privilege escalation, defense evasion, credential access, and lateral movement. Because the acquisition of exploits occurs entirely on adversary-controlled infrastructure, direct detection is not possible from victim telemetry — detection must focus on observable indicators when those acquired exploits are deployed.

Microsoft Sentinel / Defender

kusto

let ExploitableApplications = dynamic([
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mspub.exe", "onenote.exe", "msaccess.exe",
    "acrord32.exe", "acrobat.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "java.exe", "javaw.exe", "javaws.exe"
]);
let SuspiciousChildProcesses = dynamic([
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "schtasks.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (ExploitableApplications)
| where FileName has_any (SuspiciousChildProcesses)
| extend HasNetworkIndicator = ProcessCommandLine has_any (
    "http://", "https://", "ftp://",
    "Invoke-WebRequest", "Net.WebClient", "DownloadString", "DownloadFile",
    "Start-BitsTransfer", "curl ", "wget "
)
| extend HasCredentialAccess = ProcessCommandLine has_any (
    "mimikatz", "lsass", "sekurlsa", "ntds", "procdump",
    "comsvcs", "MiniDump", "vaultcmd", "credential"
)
| extend HasPersistence = ProcessCommandLine has_any (
    "schtasks", "reg add", "\\CurrentVersion\\Run",
    "startup", "userinit", "sc create", "sc config"
)
| extend HasLateralMovement = ProcessCommandLine has_any (
    "psexec", "wmiexec", "winrm", "net use",
    "Enter-PSSession", "Invoke-Command", "ssh "
)
| extend ExploitScore = toint(HasNetworkIndicator) + toint(HasCredentialAccess)
    + toint(HasPersistence) + toint(HasLateralMovement) + 1
| project
    Timestamp, DeviceName, AccountName,
    ExploitableParent = InitiatingProcessFileName,
    ParentCmdLine = InitiatingProcessCommandLine,
    SuspiciousChild = FileName,
    ChildCmdLine = ProcessCommandLine,
    HasNetworkIndicator, HasCredentialAccess, HasPersistence, HasLateralMovement,
    ExploitScore
| sort by ExploitScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Office macros used in legitimate business automation (e.g., Excel VBA launching cmd.exe for data pipeline exports, report generation, or ERP integrations)
Browser helper objects, enterprise browser extensions, or Single Sign-On agents that legitimately spawn child processes for print, download, clipboard, or authentication workflows
PDF processing integrations where Acrobat invokes system utilities for digital signature workflows, document conversion pipelines, or secure print operations
Java-based enterprise applications (ERP, HR, financial systems) that legitimately spawn system commands for file operations, external tool invocation, or OS-level integration tasks

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (ParentImage="*\\winword.exe" OR ParentImage="*\\excel.exe" OR ParentImage="*\\powerpnt.exe"
   OR ParentImage="*\\outlook.exe" OR ParentImage="*\\mspub.exe" OR ParentImage="*\\onenote.exe"
   OR ParentImage="*\\msaccess.exe" OR ParentImage="*\\acrord32.exe" OR ParentImage="*\\acrobat.exe"
   OR ParentImage="*\\chrome.exe" OR ParentImage="*\\firefox.exe"
   OR ParentImage="*\\msedge.exe" OR ParentImage="*\\iexplore.exe"
   OR ParentImage="*\\java.exe" OR ParentImage="*\\javaw.exe" OR ParentImage="*\\javaws.exe")
  (Image="*\\cmd.exe" OR Image="*\\powershell.exe" OR Image="*\\pwsh.exe"
   OR Image="*\\wscript.exe" OR Image="*\\cscript.exe" OR Image="*\\mshta.exe"
   OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\certutil.exe"
   OR Image="*\\bitsadmin.exe" OR Image="*\\msiexec.exe" OR Image="*\\wmic.exe"
   OR Image="*\\msbuild.exe" OR Image="*\\installutil.exe" OR Image="*\\regasm.exe")
| eval CommandLineLower=lower(CommandLine)
| eval NetworkIndicator=if(match(CommandLineLower, "(http://|https://|ftp://|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget )"), 1, 0)
| eval CredentialAccess=if(match(CommandLineLower, "(mimikatz|lsass|sekurlsa|ntds|procdump|comsvcs|minidump|vaultcmd)"), 1, 0)
| eval PersistenceIndicator=if(match(CommandLineLower, "(schtasks|reg add|currentversion.run|startup|userinit|sc create|sc config)"), 1, 0)
| eval LateralMovement=if(match(CommandLineLower, "(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command)"), 1, 0)
| eval ExploitScore=NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement + 1
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
        NetworkIndicator, CredentialAccess, PersistenceIndicator, LateralMovement, ExploitScore
| sort - ExploitScore - _time

high severity medium confidence

Data Sources

Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Office macros used in legitimate business automation (e.g., Excel VBA launching cmd.exe for data exports, report generation, or ERP integrations)
Browser extensions, enterprise SSO agents, or print/download helper objects that legitimately spawn child processes
PDF processing integrations where Acrobat invokes system utilities for digital signature validation, document conversion, or secure print workflows
Java-based enterprise applications (ERP, HR, financial platforms) that spawn OS-level commands for file operations or external integrations

Elastic Security (EQL)

eql

process where event.type == "start" and
  process.parent.name : (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mspub.exe", "onenote.exe", "msaccess.exe",
    "acrord32.exe", "acrobat.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "java.exe", "javaw.exe", "javaws.exe"
  ) and
  process.name : (
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "schtasks.exe"
  )
  /* Priority filter: require at least one high-confidence indicator to reduce noise */
  and process.command_line : (
    "*http://*", "*https://*", "*ftp://*",
    "*Invoke-WebRequest*", "*Net.WebClient*", "*DownloadString*", "*DownloadFile*",
    "*Start-BitsTransfer*", "*curl *", "*wget *",
    "*mimikatz*", "*sekurlsa*", "*lsass*", "*ntds*",
    "*procdump*", "*comsvcs*", "*MiniDump*", "*vaultcmd*",
    "*schtasks*", "*reg add*", "*CurrentVersion\\Run*",
    "*sc create*", "*sc config*", "*startup*", "*userinit*",
    "*psexec*", "*wmiexec*", "*winrm*", "*net use*",
    "*Enter-PSSession*", "*Invoke-Command*"
  )

high severity high confidence

Data Sources

Elastic Endpoint Security (Elastic Agent) Winlogbeat with Sysmon Elastic Defend (formerly Endgame)

Required Tables

logs-endpoint.events.process-* winlogbeat-* .ds-logs-endpoint.events.process-*

False Positives

Legitimate Office macros executing PowerShell for IT automation tasks such as data export, report generation, or SharePoint interaction via approved scripts
Adobe Acrobat or Reader launching cmd.exe or msiexec.exe during plugin installation, print driver configuration, or PDF conversion workflows
Enterprise Java applications (e.g., Eclipse, IntelliJ, Confluence) spawning cmd.exe or PowerShell as part of build processes, Maven/Gradle tasks, or integrated terminal features
Browser-based enterprise tools (e.g., Citrix, SAP web clients) launching native executables as registered protocol handlers or helper applications
Chrome or Edge launching msiexec.exe for browser extension installation via enterprise policies

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  LOGSOURCENAME(logsourceid) AS LogSource,
  devicehostname AS ComputerName,
  username AS UserName,
  "ParentImage" AS ExploitableParent,
  "ParentCommandLine" AS ParentCmdLine,
  "Image" AS SuspiciousChild,
  "CommandLine" AS ChildCmdLine,
  CASE WHEN "CommandLine" ILIKE '%http://%'
    OR "CommandLine" ILIKE '%https://%'
    OR "CommandLine" ILIKE '%ftp://%'
    OR "CommandLine" ILIKE '%invoke-webrequest%'
    OR "CommandLine" ILIKE '%net.webclient%'
    OR "CommandLine" ILIKE '%downloadstring%'
    OR "CommandLine" ILIKE '%downloadfile%'
    OR "CommandLine" ILIKE '%start-bitstransfer%'
    OR "CommandLine" ILIKE '%curl %'
    OR "CommandLine" ILIKE '%wget %'
  THEN 1 ELSE 0 END AS NetworkIndicator,
  CASE WHEN "CommandLine" ILIKE '%mimikatz%'
    OR "CommandLine" ILIKE '%sekurlsa%'
    OR "CommandLine" ILIKE '%lsass%'
    OR "CommandLine" ILIKE '%ntds%'
    OR "CommandLine" ILIKE '%procdump%'
    OR "CommandLine" ILIKE '%comsvcs%'
    OR "CommandLine" ILIKE '%minidump%'
    OR "CommandLine" ILIKE '%vaultcmd%'
  THEN 1 ELSE 0 END AS CredentialAccess,
  CASE WHEN "CommandLine" ILIKE '%schtasks%'
    OR "CommandLine" ILIKE '%reg add%'
    OR "CommandLine" ILIKE '%currentversion%run%'
    OR "CommandLine" ILIKE '%sc create%'
    OR "CommandLine" ILIKE '%sc config%'
    OR "CommandLine" ILIKE '%userinit%'
  THEN 1 ELSE 0 END AS PersistenceIndicator,
  CASE WHEN "CommandLine" ILIKE '%psexec%'
    OR "CommandLine" ILIKE '%wmiexec%'
    OR "CommandLine" ILIKE '%winrm%'
    OR "CommandLine" ILIKE '%net use%'
    OR "CommandLine" ILIKE '%enter-pssession%'
    OR "CommandLine" ILIKE '%invoke-command%'
  THEN 1 ELSE 0 END AS LateralMovement
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 396
  AND QIDNAME(qid) = 'Process Create'
  AND (
    "ParentImage" ILIKE '%\\winword.exe'
    OR "ParentImage" ILIKE '%\\excel.exe'
    OR "ParentImage" ILIKE '%\\powerpnt.exe'
    OR "ParentImage" ILIKE '%\\outlook.exe'
    OR "ParentImage" ILIKE '%\\mspub.exe'
    OR "ParentImage" ILIKE '%\\onenote.exe'
    OR "ParentImage" ILIKE '%\\msaccess.exe'
    OR "ParentImage" ILIKE '%\\acrord32.exe'
    OR "ParentImage" ILIKE '%\\acrobat.exe'
    OR "ParentImage" ILIKE '%\\chrome.exe'
    OR "ParentImage" ILIKE '%\\firefox.exe'
    OR "ParentImage" ILIKE '%\\msedge.exe'
    OR "ParentImage" ILIKE '%\\iexplore.exe'
    OR "ParentImage" ILIKE '%\\java.exe'
    OR "ParentImage" ILIKE '%\\javaw.exe'
    OR "ParentImage" ILIKE '%\\javaws.exe'
  )
  AND (
    "Image" ILIKE '%\\cmd.exe'
    OR "Image" ILIKE '%\\powershell.exe'
    OR "Image" ILIKE '%\\pwsh.exe'
    OR "Image" ILIKE '%\\wscript.exe'
    OR "Image" ILIKE '%\\cscript.exe'
    OR "Image" ILIKE '%\\mshta.exe'
    OR "Image" ILIKE '%\\rundll32.exe'
    OR "Image" ILIKE '%\\regsvr32.exe'
    OR "Image" ILIKE '%\\certutil.exe'
    OR "Image" ILIKE '%\\bitsadmin.exe'
    OR "Image" ILIKE '%\\msiexec.exe'
    OR "Image" ILIKE '%\\wmic.exe'
    OR "Image" ILIKE '%\\msbuild.exe'
    OR "Image" ILIKE '%\\installutil.exe'
    OR "Image" ILIKE '%\\regasm.exe'
    OR "Image" ILIKE '%\\regsvcs.exe'
    OR "Image" ILIKE '%\\schtasks.exe'
  )
  AND starttime > NOW() - 86400000
ORDER BY
  NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement DESC,
  starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon via WinCollect or syslog QRadar DSM: Microsoft Windows (Sysmon EventID 1)

Required Tables

events (QRadar unified event store) LOGSOURCETYPEID 396 (Microsoft Windows Sysmon DSM)

False Positives

IT operations teams using Office macros to automate PowerShell-based patching, inventory, or configuration management workflows on managed endpoints
PDF reader applications launching certutil.exe or msiexec.exe during plugin update installation or font package setup routines
Browser-integrated enterprise single sign-on (SSO) helpers launching wscript.exe or cscript.exe to handle VBScript-based NTLM authentication prompts
Automated testing frameworks (Selenium, Playwright headless) driven by chrome.exe or msedge.exe that spawn cmd.exe or PowerShell to execute test teardown scripts
Java-based build servers (Jenkins, TeamCity agents) using javaw.exe as the parent that legitimately invoke msbuild.exe or msiexec.exe during CI pipeline execution

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* OR _sourceCategory=*winevent*sysmon*
| where EventCode = "1" OR EventID = "1"
| parse field=ParentImage "*\\*" as _parent_dir, parent_process nodrop
| parse field=Image "*\\*" as _child_dir, child_process nodrop
| where parent_process in (
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "mspub.exe", "onenote.exe", "msaccess.exe",
    "acrord32.exe", "acrobat.exe",
    "chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe",
    "java.exe", "javaw.exe", "javaws.exe"
  )
| where child_process in (
    "cmd.exe", "powershell.exe", "pwsh.exe",
    "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "bitsadmin.exe", "msiexec.exe", "wmic.exe",
    "msbuild.exe", "installutil.exe", "regasm.exe",
    "regsvcs.exe", "schtasks.exe"
  )
| eval cmdline = toLowerCase(CommandLine)
| eval NetworkIndicator = if (
    cmdline matches ".*?(http://|https://|ftp://|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget ).*",
    1, 0
  )
| eval CredentialAccess = if (
    cmdline matches ".*?(mimikatz|lsass|sekurlsa|ntds|procdump|comsvcs|minidump|vaultcmd).*",
    1, 0
  )
| eval PersistenceIndicator = if (
    cmdline matches ".*?(schtasks|reg add|currentversion.run|startup|userinit|sc create|sc config).*",
    1, 0
  )
| eval LateralMovement = if (
    cmdline matches ".*?(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh ).*",
    1, 0
  )
| eval ExploitScore = NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement + 1
| fields _time, Computer, User, parent_process, ParentCommandLine, child_process, CommandLine,
    NetworkIndicator, CredentialAccess, PersistenceIndicator, LateralMovement, ExploitScore
| sort by ExploitScore desc, _time desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log Source (Sysmon channel) Sumo Logic Cloud Syslog (Sysmon forwarded via NXLog or Winlogbeat)

Required Tables

_sourceCategory matching *windows*sysmon* or *winevent*sysmon*

False Positives

Legitimate Office automation macros used in finance or HR departments for Excel-to-PowerShell report generation, SharePoint uploads, or mail-merge workflows
Acrobat Reader spawning cmd.exe when invoking system-registered print handlers or opening linked file attachments from PDF documents
Chrome or Firefox launching wscript.exe or cscript.exe as part of enterprise intranet web application legacy ActiveX fallback shims or Kerberos SSO helper scripts
Java-based middleware platforms (WebLogic, JBoss, Tomcat catalina.sh equivalents on Windows) that use javaw.exe to spawn cmd.exe or PowerShell for service lifecycle management
Penetration testing or red team exercises on endpoints where Office-based macro payload delivery is used for authorized attack simulation

Google Chronicle / SecOps

yaral

rule exploit_acquisition_deployed_t1588_005 {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects deployment of acquired exploits via suspicious child processes spawned from exploitable applications (T1588.005)"
    mitre_attack_tactic   = "Resource Development"
    mitre_attack_technique = "T1588.005"
    severity        = "HIGH"
    confidence      = "HIGH"
    reference       = "https://attack.mitre.org/techniques/T1588/005/"
    false_positives = "Office macros, PDF helpers, Java build tools, browser SSO helpers"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    /* Exploitable application as parent */
    $e.principal.process.file.full_path =
      /(?i)(\\|\/)((winword|excel|powerpnt|outlook|mspub|onenote|msaccess|acrord32|acrobat|chrome|firefox|msedge|iexplore|javaws?))\.exe$/

    /* Suspicious LOLBin as child */
    $e.target.process.file.full_path =
      /(?i)(\\|\/)((cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|installutil|regasm|regsvcs|schtasks))\.exe$/

    /* Require at least one post-exploitation command-line indicator */
    $e.target.process.command_line =
      /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget |mimikatz|sekurlsa|lsass|ntds|procdump|comsvcs|minidump|vaultcmd|schtasks|reg add|currentversion.run|sc create|sc config|userinit|psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/

    $host = $e.principal.hostname

  match:
    $host over 5m

  outcome:
    $risk_score = max(
      if($e.target.process.command_line = /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget )/, 25, 0) +
      if($e.target.process.command_line = /(?i)(mimikatz|sekurlsa|lsass|ntds|procdump|comsvcs|minidump|vaultcmd)/, 25, 0) +
      if($e.target.process.command_line = /(?i)(schtasks|reg add|currentversion.run|sc create|sc config|userinit)/, 25, 0) +
      if($e.target.process.command_line = /(?i)(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/, 25, 0) +
      10
    )
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $child_process  = array_distinct($e.target.process.file.full_path)
    $child_cmdline  = array_distinct($e.target.process.command_line)
    $user           = array_distinct($e.principal.user.userid)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Chronicle Forwarder with Windows Sysmon or Microsoft Defender for Endpoint telemetry Chronicle BYOD (Bring Your Own Data) with normalized process events

Required Tables

UDM event type: PROCESS_LAUNCH principal.process.file.full_path target.process.file.full_path target.process.command_line principal.hostname principal.user.userid

False Positives

Managed endpoint automation: Office applications executing IT-authored PowerShell scripts for software inventory, patch compliance checks, or enterprise configuration baseline enforcement
Adobe Acrobat Pro workflows that legitimately invoke certutil.exe for certificate store operations or msiexec.exe during third-party Acrobat plugin upgrades
Enterprise browser automation tools using Chrome or Edge as the driver process that spawn PowerShell or cmd.exe to interact with system APIs or validate test environments
Oracle or OpenJDK Java applications on developer workstations where javaw.exe spawns cmd.exe or PowerShell as part of integrated development environment build-and-run lifecycle tasks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2

/* Filter: exploitable application as parent */
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|mspub|onenote|msaccess|acrord32|acrobat|chrome|firefox|msedge|iexplore|javaws?)\.exe$/

/* Filter: suspicious LOLBin as child */
| ImageFileName = /(?i)(\\)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|installutil|regasm|regsvcs|schtasks)\.exe$/

/* Compute post-exploitation indicator scores */
| case {
    CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget )/ |
      NetworkIndicator := 1 ;
    * | NetworkIndicator := 0
  }
| case {
    CommandLine = /(?i)(mimikatz|lsass|sekurlsa|ntds|procdump|comsvcs|minidump|vaultcmd)/ |
      CredentialAccess := 1 ;
    * | CredentialAccess := 0
  }
| case {
    CommandLine = /(?i)(schtasks|reg add|currentversion\.run|startup|userinit|sc create|sc config)/ |
      PersistenceIndicator := 1 ;
    * | PersistenceIndicator := 0
  }
| case {
    CommandLine = /(?i)(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/ |
      LateralMovement := 1 ;
    * | LateralMovement := 0
  }

/* Compute composite exploit score */
| ExploitScore := NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement + 1

/* Extract child process name for display */
| regex(field=ImageFileName, regex="(?i)\\\\(?P<ChildProcessName>[^\\\\]+\.exe)$")

/* Output and sort */
| table(
    [ComputerName, UserName, ParentBaseFileName, ParentCommandLine,
     ChildProcessName, CommandLine,
     NetworkIndicator, CredentialAccess, PersistenceIndicator, LateralMovement, ExploitScore],
    limit = 1000
  )
| sort(ExploitScore, order = desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) CrowdStrike Falcon LogScale (Humio-backed SIEM)

Required Tables

#event_simpleName = ProcessRollup2 Fields: ParentBaseFileName, ImageFileName, CommandLine, ParentCommandLine, ComputerName, UserName

False Positives

Authorized red team or penetration testing engagements on enrolled Falcon-monitored endpoints where Office-macro or browser exploit simulation payloads are used with explicit change control approval
Software development workflows where Microsoft Word or Excel are used as OLE automation servers by build scripts that subsequently invoke PowerShell or cmd.exe for post-processing steps (e.g., document conversion pipelines)
Enterprise Java middleware (e.g., WebSphere, JBoss) running on Windows servers where javaw.exe spawns cmd.exe or PowerShell to execute service health checks, log rotation, or JVM tuning scripts via scheduled maintenance tasks
Browser-based enterprise helpdesk or ITSM portals that launch cmd.exe or wmic.exe as registered URI-scheme handlers to collect system diagnostics for support ticket attachment on user request

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1588.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.001Malware T1588.002Tool T1588.003Code Signing Certificates T1588.004Digital Certificates T1588.006Vulnerabilities T1588.007Artificial Intelligence

Exploits

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections