T1588.005 Google Chronicle · YARA-L

Detect Exploits in Google Chronicle

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find, modify, or purchase exploits from online sources, exploit vendors, criminal marketplaces (including exploit kits), or from other threat actors. Adversaries such as Ember Bear have obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories, while Kimsuky has obtained exploit code for various CVEs. Acquired exploits may be used across multiple phases of the adversary lifecycle including initial access, privilege escalation, defense evasion, credential access, and lateral movement. Because the acquisition of exploits occurs entirely on adversary-controlled infrastructure, direct detection is not possible from victim telemetry — detection must focus on observable indicators when those acquired exploits are deployed.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.005 Exploits
Canonical reference
https://attack.mitre.org/techniques/T1588/005/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule exploit_acquisition_deployed_t1588_005 {
  meta:
    author          = "Argus Detection Engineering"
    description     = "Detects deployment of acquired exploits via suspicious child processes spawned from exploitable applications (T1588.005)"
    mitre_attack_tactic   = "Resource Development"
    mitre_attack_technique = "T1588.005"
    severity        = "HIGH"
    confidence      = "HIGH"
    reference       = "https://attack.mitre.org/techniques/T1588/005/"
    false_positives = "Office macros, PDF helpers, Java build tools, browser SSO helpers"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"

    /* Exploitable application as parent */
    $e.principal.process.file.full_path =
      /(?i)(\\|\/)((winword|excel|powerpnt|outlook|mspub|onenote|msaccess|acrord32|acrobat|chrome|firefox|msedge|iexplore|javaws?))\.exe$/

    /* Suspicious LOLBin as child */
    $e.target.process.file.full_path =
      /(?i)(\\|\/)((cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|installutil|regasm|regsvcs|schtasks))\.exe$/

    /* Require at least one post-exploitation command-line indicator */
    $e.target.process.command_line =
      /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget |mimikatz|sekurlsa|lsass|ntds|procdump|comsvcs|minidump|vaultcmd|schtasks|reg add|currentversion.run|sc create|sc config|userinit|psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/

    $host = $e.principal.hostname

  match:
    $host over 5m

  outcome:
    $risk_score = max(
      if($e.target.process.command_line = /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget )/, 25, 0) +
      if($e.target.process.command_line = /(?i)(mimikatz|sekurlsa|lsass|ntds|procdump|comsvcs|minidump|vaultcmd)/, 25, 0) +
      if($e.target.process.command_line = /(?i)(schtasks|reg add|currentversion.run|sc create|sc config|userinit)/, 25, 0) +
      if($e.target.process.command_line = /(?i)(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/, 25, 0) +
      10
    )
    $parent_process = array_distinct($e.principal.process.file.full_path)
    $child_process  = array_distinct($e.target.process.file.full_path)
    $child_cmdline  = array_distinct($e.target.process.command_line)
    $user           = array_distinct($e.principal.user.userid)

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting T1588.005 exploit deployment via UDM PROCESS_LAUNCH events. Matches exploitable application parents (Office, PDF readers, browsers, Java) spawning suspicious LOLBin children with post-exploitation command-line indicators. The outcome block computes a risk_score (10–110) reflecting cumulative post-exploitation intent across four categories: network callback (25), credential access (25), persistence (25), and lateral movement (25), plus a base score of 10 for the parent-child relationship alone. Grouped over a 5-minute window per host to correlate rapid follow-on activity.

Data Sources

Google Chronicle UDM (Unified Data Model)Chronicle Forwarder with Windows Sysmon or Microsoft Defender for Endpoint telemetryChronicle BYOD (Bring Your Own Data) with normalized process events

Required Tables

UDM event type: PROCESS_LAUNCHprincipal.process.file.full_pathtarget.process.file.full_pathtarget.process.command_lineprincipal.hostnameprincipal.user.userid

False Positives & Tuning

  • Managed endpoint automation: Office applications executing IT-authored PowerShell scripts for software inventory, patch compliance checks, or enterprise configuration baseline enforcement
  • Adobe Acrobat Pro workflows that legitimately invoke certutil.exe for certificate store operations or msiexec.exe during third-party Acrobat plugin upgrades
  • Enterprise browser automation tools using Chrome or Edge as the driver process that spawn PowerShell or cmd.exe to interact with system APIs or validate test environments
  • Oracle or OpenJDK Java applications on developer workstations where javaw.exe spawns cmd.exe or PowerShell as part of integrated development environment build-and-run lifecycle tasks
Download portable Sigma rule (.yml)

Other platforms for T1588.005

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate Document Exploit Process Chain (cmd Reconnaissance)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe. CommandLine contains 'whoami', 'hostname', 'ipconfig', 'net user'. Security Event ID 4688 (with command line auditing enabled) records the same. When run from a Word macro, InitiatingProcessFileName=winword.exe triggers the detection's parent-child matching logic.

  2. Test 2Simulate Browser Exploit Network Callback (Stage-2 Download Cradle)

    Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.WebClient', 'DownloadString', and the target URL. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:4444 (TEST-NET-1 per RFC 5737 — safe non-routable address that generates telemetry without reaching any real host). PowerShell ScriptBlock Log Event ID 4104 captures the full script content.

  3. Test 3VBScript-Based Exploit Payload Simulation

    Expected signal: Sysmon Event ID 1 (x2): First for powershell.exe creating the VBS file, second for wscript.exe executing it. The char()-based obfuscation in the VBS content mimics obfuscation patterns used in real exploit-delivered payloads. Sysmon Event ID 11: File Create event for the VBS file dropped to TEMP. PowerShell ScriptBlock Log Event ID 4104 for the PowerShell wrapper.

  4. Test 4Exploit Guard ASR Rule Configuration Audit

    Expected signal: PowerShell ScriptBlock Log Event ID 4104 for the MpPreference query. Informational output to file showing which ASR rules are active. When ASR rules are in block mode and a real Office application attempts to spawn a child process (e.g., via a macro), Windows Defender Operational log generates Event ID 1121 (Blocked) or Event ID 1122 (Audit) with the rule GUID and process details.

  5. Test 5Simulate Post-Exploit Process Access (Sysmon Event ID 10)

    Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Sysmon Event ID 1: powershell.exe process create. The 0x0410 access mask is characteristic of credential dumping tools and shellcode injection staging — many SIEM rules alert on this mask from non-system processes targeting sensitive processes.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1588.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.001MalwareT1588.002ToolT1588.003Code Signing CertificatesT1588.004Digital CertificatesT1588.006VulnerabilitiesT1588.007Artificial Intelligence

Related Techniques

T1588Obtain CapabilitiesT1587.004ExploitsT1190Exploit Public-Facing ApplicationT1203Exploitation for Client ExecutionT1068Exploitation for Privilege EscalationT1211Exploitation for Defense EvasionT1212Exploitation for Credential AccessT1210Exploitation of Remote ServicesT1566PhishingT1204.002Malicious File

Same Tactic: Resource Development

Popular Detections