Detect Exploits in CrowdStrike LogScale
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find, modify, or purchase exploits from online sources, exploit vendors, criminal marketplaces (including exploit kits), or from other threat actors. Adversaries such as Ember Bear have obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories, while Kimsuky has obtained exploit code for various CVEs. Acquired exploits may be used across multiple phases of the adversary lifecycle including initial access, privilege escalation, defense evasion, credential access, and lateral movement. Because the acquisition of exploits occurs entirely on adversary-controlled infrastructure, direct detection is not possible from victim telemetry — detection must focus on observable indicators when those acquired exploits are deployed.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Sub-technique
- T1588.005 Exploits
- Canonical reference
- https://attack.mitre.org/techniques/T1588/005/
LogScale Detection Query
#event_simpleName = ProcessRollup2
/* Filter: exploitable application as parent */
| ParentBaseFileName = /(?i)^(winword|excel|powerpnt|outlook|mspub|onenote|msaccess|acrord32|acrobat|chrome|firefox|msedge|iexplore|javaws?)\.exe$/
/* Filter: suspicious LOLBin as child */
| ImageFileName = /(?i)(\\)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin|msiexec|wmic|msbuild|installutil|regasm|regsvcs|schtasks)\.exe$/
/* Compute post-exploitation indicator scores */
| case {
CommandLine = /(?i)(http:\/\/|https:\/\/|ftp:\/\/|invoke-webrequest|net\.webclient|downloadstring|downloadfile|start-bitstransfer|curl |wget )/ |
NetworkIndicator := 1 ;
* | NetworkIndicator := 0
}
| case {
CommandLine = /(?i)(mimikatz|lsass|sekurlsa|ntds|procdump|comsvcs|minidump|vaultcmd)/ |
CredentialAccess := 1 ;
* | CredentialAccess := 0
}
| case {
CommandLine = /(?i)(schtasks|reg add|currentversion\.run|startup|userinit|sc create|sc config)/ |
PersistenceIndicator := 1 ;
* | PersistenceIndicator := 0
}
| case {
CommandLine = /(?i)(psexec|wmiexec|winrm|net use|enter-pssession|invoke-command|ssh )/ |
LateralMovement := 1 ;
* | LateralMovement := 0
}
/* Compute composite exploit score */
| ExploitScore := NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement + 1
/* Extract child process name for display */
| regex(field=ImageFileName, regex="(?i)\\\\(?P<ChildProcessName>[^\\\\]+\.exe)$")
/* Output and sort */
| table(
[ComputerName, UserName, ParentBaseFileName, ParentCommandLine,
ChildProcessName, CommandLine,
NetworkIndicator, CredentialAccess, PersistenceIndicator, LateralMovement, ExploitScore],
limit = 1000
)
| sort(ExploitScore, order = desc)CrowdStrike Falcon LogScale (CQL) detection for T1588.005 exploit deployment using ProcessRollup2 sensor events. Matches Falcon-telemetered process creation events where a known exploitable application (Office suite, PDF readers, browsers, Java runtimes) is the parent of a suspicious LOLBin child process. Four case expressions evaluate the child process CommandLine against post-exploitation indicator patterns — network callbacks, credential access tools, persistence mechanisms, and lateral movement utilities — accumulating into a composite ExploitScore. Score range: 1 (bare parent-child match) to 5 (all four post-exploitation categories present).
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing engagements on enrolled Falcon-monitored endpoints where Office-macro or browser exploit simulation payloads are used with explicit change control approval
- Software development workflows where Microsoft Word or Excel are used as OLE automation servers by build scripts that subsequently invoke PowerShell or cmd.exe for post-processing steps (e.g., document conversion pipelines)
- Enterprise Java middleware (e.g., WebSphere, JBoss) running on Windows servers where javaw.exe spawns cmd.exe or PowerShell to execute service health checks, log rotation, or JVM tuning scripts via scheduled maintenance tasks
- Browser-based enterprise helpdesk or ITSM portals that launch cmd.exe or wmic.exe as registered URI-scheme handlers to collect system diagnostics for support ticket attachment on user request
Other platforms for T1588.005
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Document Exploit Process Chain (cmd Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe. CommandLine contains 'whoami', 'hostname', 'ipconfig', 'net user'. Security Event ID 4688 (with command line auditing enabled) records the same. When run from a Word macro, InitiatingProcessFileName=winword.exe triggers the detection's parent-child matching logic.
- Test 2Simulate Browser Exploit Network Callback (Stage-2 Download Cradle)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.WebClient', 'DownloadString', and the target URL. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:4444 (TEST-NET-1 per RFC 5737 — safe non-routable address that generates telemetry without reaching any real host). PowerShell ScriptBlock Log Event ID 4104 captures the full script content.
- Test 3VBScript-Based Exploit Payload Simulation
Expected signal: Sysmon Event ID 1 (x2): First for powershell.exe creating the VBS file, second for wscript.exe executing it. The char()-based obfuscation in the VBS content mimics obfuscation patterns used in real exploit-delivered payloads. Sysmon Event ID 11: File Create event for the VBS file dropped to TEMP. PowerShell ScriptBlock Log Event ID 4104 for the PowerShell wrapper.
- Test 4Exploit Guard ASR Rule Configuration Audit
Expected signal: PowerShell ScriptBlock Log Event ID 4104 for the MpPreference query. Informational output to file showing which ASR rules are active. When ASR rules are in block mode and a real Office application attempts to spawn a child process (e.g., via a macro), Windows Defender Operational log generates Event ID 1121 (Blocked) or Event ID 1122 (Audit) with the rule GUID and process details.
- Test 5Simulate Post-Exploit Process Access (Sysmon Event ID 10)
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Sysmon Event ID 1: powershell.exe process create. The 0x0410 access mask is characteristic of credential dumping tools and shellcode injection staging — many SIEM rules alert on this mask from non-system processes targeting sensitive processes.
References (10)
- https://attack.mitre.org/techniques/T1588/005/
- https://www.exploit-db.com/
- https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
- https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
- https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage
- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1203/T1203.md
- https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
Unlock Pro Content
Get the full detection package for T1588.005 including response playbook, investigation guide, and atomic red team tests.