Detect Obtain Capabilities in Microsoft Sentinel
This detection identifies adversary capability acquisition activity manifesting within the victim environment — specifically, the arrival, staging, and first execution of known offensive tools, exploit frameworks, and dual-use security utilities. While T1588 is a PRE-ATT&CK technique occurring outside the victim network, its downstream effects are observable: offensive tools landing in atypical directories (Temp, Downloads, user profile paths), processes executing with names or command-line arguments matching known offensive frameworks (Cobalt Strike, Mimikatz, Rubeus, Sliver, Havoc, Impacket), downloads via living-off-the-land binaries (certutil, bitsadmin, curl), and network connections to known exploit distribution infrastructure. The detection correlates process creation events, file download artifacts, and network telemetry to surface high-risk capability introductions across Windows and Linux endpoints.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1588 Obtain Capabilities
- Canonical reference
- https://attack.mitre.org/techniques/T1588/
KQL Detection Query
let LookbackDays = 7d;
let OffensiveToolKeywords = dynamic([
"mimikatz", "cobalt", "cobaltstrike", "cs_beacon", "beacon",
"meterpreter", "metasploit", "empire", "covenant", "sliver",
"havoc", "brute_ratel", "nighthawk", "noctiluca", "mythic",
"lazagne", "dumpert", "nanodump", "procdump64",
"rubeus", "kerberoast", "asreproast", "certify", "certipy",
"sharphound", "bloodhound", "adrecon", "adexplorer",
"responder", "inveigh", "powerupsql", "mssqlpwner",
"chisel", "ligolo", "frp", "plink", "ngrok"
]);
let SuspiciousStagingPaths = dynamic([
"\\Temp\\", "\\tmp\\", "\\Downloads\\",
"\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\",
"\\ProgramData\\", "\\Users\\Public\\"
]);
let LOLBinDownloaders = dynamic([
"certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe",
"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
"cscript.exe", "regsvr32.exe", "rundll32.exe"
]);
// Branch 1: Known offensive tool name match in process name or command line
let ToolNameHits = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName has_any (OffensiveToolKeywords)
or ProcessCommandLine has_any (OffensiveToolKeywords)
| extend DetectionBranch = "OffensiveToolNameMatch"
| extend RiskScore = case(
FileName has_any ("mimikatz", "meterpreter", "cobalt", "beacon"), 100,
FileName has_any ("rubeus", "certify", "certipy", "bloodhound", "sharphound"), 90,
FileName has_any ("responder", "inveigh", "lazagne", "dumpert"), 85,
FileName has_any ("chisel", "ligolo", "havoc", "sliver", "empire"), 80,
ProcessCommandLine has_any ("mimikatz", "sekurlsa", "kerberos::ptt", "lsadump"), 100,
ProcessCommandLine has_any ("rubeus", "kerberoast", "/nowrap", "asreproast"), 90,
70
);
// Branch 2: LOLBin downloaders staging to suspicious paths
let LOLBinDownloads = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FileName in~ (LOLBinDownloaders)
| where ProcessCommandLine has_any (SuspiciousStagingPaths)
and (ProcessCommandLine has "http" or ProcessCommandLine has "ftp" or ProcessCommandLine has "urlcache" or ProcessCommandLine has "-split" or ProcessCommandLine has "DownloadFile" or ProcessCommandLine has "DownloadString" or ProcessCommandLine has "WebClient")
| extend DetectionBranch = "LOLBinCapabilityDownload"
| extend RiskScore = case(
ProcessCommandLine has "certutil" and ProcessCommandLine has "urlcache", 85,
ProcessCommandLine has "bitsadmin" and ProcessCommandLine has "/transfer", 85,
ProcessCommandLine has_any ("DownloadFile", "DownloadString", "IEX", "Invoke-Expression"), 90,
75
);
// Branch 3: Execution from staging paths by non-standard parent
let StagingPathExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackDays)
| where FolderPath has_any (SuspiciousStagingPaths)
| where InitiatingProcessFileName !in~ ("explorer.exe", "msiexec.exe", "setup.exe", "install.exe", "update.exe", "teams.exe", "chrome.exe", "msedge.exe", "firefox.exe")
| where FileName !endswith ".tmp"
| extend DetectionBranch = "StagingPathExecution"
| extend RiskScore = 65;
union ToolNameHits, LOLBinDownloads, StagingPathExecution
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionBranch, RiskScore
| sort by RiskScore desc, Timestamp descDetects potential capability acquisition activity across three branches: (1) execution of processes matching known offensive tool names or command-line patterns, (2) living-off-the-land binaries (certutil, bitsadmin, PowerShell) performing downloads to suspicious staging directories, and (3) binary execution from non-standard paths like Temp and Downloads when launched by non-browser parent processes. Each branch is scored by risk level to prioritize analyst review.
Data Sources
Required Tables
False Positives & Tuning
- Security researchers and red team operators running authorized assessments — certutil and PowerShell downloads are common in legitimate engagements
- IT administrators staging software packages in Temp directories during patch cycles or manual deployments
- Dual-use tools like ADExplorer, ProcDump, or BloodHound used by authorized IT/security teams for inventory and health assessments
- Developer workstations cloning security tool repositories from GitHub for research or tooling review
- Penetration testing firms with approved assessments whose infrastructure overlaps with known offensive tool signatures
Other platforms for T1588
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1LOLBin Capability Download via CertUtil
Expected signal: Sysmon EventCode=1 with Image=certutil.exe, CommandLine containing '-urlcache' and '-split'; Sysmon EventCode=11 (FileCreate) for the downloaded file in %TEMP%; possible DNS query in EventCode=22 for the target hostname
- Test 2PowerShell Download Cradle to Staging Path
Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'DownloadFile' and 'WebClient'; Sysmon EventCode=3 (NetworkConnect) to target IP; Sysmon EventCode=11 (FileCreate) in %TEMP%
- Test 3Offensive Tool Naming Pattern Execution from Temp
Expected signal: Sysmon EventCode=1 with Image path containing %TEMP%\mimikatz_test.exe; parent process is cmd.exe; CommandLine includes /all argument; Sysmon EventCode=11 for file copy to staging path
- Test 4BITS Transfer Capability Staging
Expected signal: Sysmon EventCode=1 with Image=bitsadmin.exe and CommandLine containing '/transfer' and target URL; Sysmon EventCode=11 for file creation in %TEMP%; Windows Event 16403 in Microsoft-Windows-Bits-Client/Operational log recording the completed transfer job
References (6)
- https://attack.mitre.org/techniques/T1588/
- https://www.citizenlab.ca/2021/07/nso-group-pegasus-spyware-2021/
- https://krebsonsecurity.com/2011/09/comodo-hacker-i-hacked-diginotar-too/
- https://www.recordedfuture.com/blog/nation-state-intelligence-buying-commercial-malware
- https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
- https://github.com/redcanaryco/atomic-red-team/tree/master/atomics/T1588
Unlock Pro Content
Get the full detection package for T1588 including response playbook, investigation guide, and atomic red team tests.