T1588 Splunk · SPL

Detect Obtain Capabilities in Splunk

This detection identifies adversary capability acquisition activity manifesting within the victim environment — specifically, the arrival, staging, and first execution of known offensive tools, exploit frameworks, and dual-use security utilities. While T1588 is a PRE-ATT&CK technique occurring outside the victim network, its downstream effects are observable: offensive tools landing in atypical directories (Temp, Downloads, user profile paths), processes executing with names or command-line arguments matching known offensive frameworks (Cobalt Strike, Mimikatz, Rubeus, Sliver, Havoc, Impacket), downloads via living-off-the-land binaries (certutil, bitsadmin, curl), and network connections to known exploit distribution infrastructure. The detection correlates process creation events, file download artifacts, and network telemetry to surface high-risk capability introductions across Windows and Linux endpoints.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Canonical reference
https://attack.mitre.org/techniques/T1588/

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval offensive_tool_match=if(
    match(lower(Image), "mimikatz|meterpreter|cobalt|beacon|rubeus|bloodhound|sharphound|certify|certipy|responder|inveigh|lazagne|sliver|havoc|empire|covenant|chisel|ligolo|procdump|dumpert|nanodump|nltest|adrecon")
    OR match(lower(CommandLine), "mimikatz|sekurlsa|kerberos::ptt|lsadump|kerberoast|asreproast|dcsync|invoke-mimikatz|invoke-kerberoast|get-adreplication|sharphound|bloodhound"),
    1, 0
)
| eval lolbin_download=if(
    match(lower(Image), "certutil\.exe|bitsadmin\.exe|curl\.exe|wget\.exe")
    AND match(lower(CommandLine), "http|ftp|urlcache|transfer|\.zip|\.exe|\.dll|\.ps1"),
    1, 0
)
| eval ps_download=if(
    match(lower(Image), "powershell\.exe|pwsh\.exe")
    AND match(lower(CommandLine), "downloadfile|downloadstring|webclient|invoke-webrequest|iwr|start-bitstransfer|iex|invoke-expression"),
    1, 0
)
| eval staging_path_exec=if(
    match(lower(Image), "\\temp\\|\\tmp\\|\\downloads\\|\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\")
    AND NOT match(lower(ParentImage), "explorer\.exe|msiexec\.exe|setup\.exe|chrome\.exe|msedge\.exe|firefox\.exe|teams\.exe"),
    1, 0
)
| where offensive_tool_match=1 OR lolbin_download=1 OR ps_download=1 OR staging_path_exec=1
| eval risk_score=case(
    offensive_tool_match=1 AND match(lower(CommandLine), "mimikatz|meterpreter|sekurlsa|lsadump"), 100,
    offensive_tool_match=1 AND match(lower(CommandLine), "rubeus|certify|bloodhound|kerberoast"), 90,
    offensive_tool_match=1, 80,
    ps_download=1 AND match(lower(CommandLine), "iex|invoke-expression|downloadstring"), 85,
    lolbin_download=1 AND match(lower(CommandLine), "certutil.*urlcache|bitsadmin.*transfer"), 80,
    ps_download=1, 70,
    lolbin_download=1, 70,
    staging_path_exec=1, 60,
    true(), 50
)
| eval detection_branch=case(
    offensive_tool_match=1, "OffensiveToolNameMatch",
    lolbin_download=1, "LOLBinCapabilityDownload",
    ps_download=1, "PowerShellDownload",
    staging_path_exec=1, "StagingPathExecution",
    true(), "Unknown"
)
| stats max(risk_score) as max_risk, count as event_count, values(Image) as processes, values(CommandLine) as commands, values(detection_branch) as branches, dc(Computer) as host_count by User, Computer
| where max_risk >= 60
| sort -max_risk
high severity medium confidence

Correlates Sysmon process creation events (EventCode=1) to detect four patterns of capability acquisition: named offensive tool matches in image path or command line, LOLBin-based capability downloads (certutil, bitsadmin), PowerShell download cradle usage, and execution from staging directories by non-standard parent processes. Risk scoring prioritizes known malware/framework names at the top.

Data Sources

Sysmon

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Security teams running authorized red team or vulnerability assessment exercises with known tools
  • PowerShell download cradles used by legitimate software installers and update mechanisms (e.g., Chocolatey, winget scripts, IT automation)
  • Certutil used by PKI administrators for certificate operations and legitimate software packaging workflows
  • Security researchers examining offensive tools in sandboxed lab environments
  • Backup and monitoring agents that temporarily stage executables in AppData or ProgramData paths during updates
Download portable Sigma rule (.yml)

Other platforms for T1588

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1LOLBin Capability Download via CertUtil

    Expected signal: Sysmon EventCode=1 with Image=certutil.exe, CommandLine containing '-urlcache' and '-split'; Sysmon EventCode=11 (FileCreate) for the downloaded file in %TEMP%; possible DNS query in EventCode=22 for the target hostname

  2. Test 2PowerShell Download Cradle to Staging Path

    Expected signal: Sysmon EventCode=1 with Image=powershell.exe and CommandLine containing 'DownloadFile' and 'WebClient'; Sysmon EventCode=3 (NetworkConnect) to target IP; Sysmon EventCode=11 (FileCreate) in %TEMP%

  3. Test 3Offensive Tool Naming Pattern Execution from Temp

    Expected signal: Sysmon EventCode=1 with Image path containing %TEMP%\mimikatz_test.exe; parent process is cmd.exe; CommandLine includes /all argument; Sysmon EventCode=11 for file copy to staging path

  4. Test 4BITS Transfer Capability Staging

    Expected signal: Sysmon EventCode=1 with Image=bitsadmin.exe and CommandLine containing '/transfer' and target URL; Sysmon EventCode=11 for file creation in %TEMP%; Windows Event 16403 in Microsoft-Windows-Bits-Client/Operational log recording the completed transfer job

Last updated: 2026-03-19 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1588 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (7)

Related Techniques

T1587Develop CapabilitiesT1583Acquire InfrastructureT1588.001MalwareT1588.002ToolT1588.003Code Signing CertificatesT1588.004Digital CertificatesT1588.005ExploitsT1588.006VulnerabilitiesT1588.007Artificial IntelligenceT1105Ingress Tool TransferT1059Command and Scripting InterpreterT1140Deobfuscate/Decode Files or Information

Same Tactic: Resource Development

Popular Detections