title: Malware (T1587.001)
id: df00tech-t1587-001
status: experimental
description: "Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Because malware development occurs primarily on adversary-controlled infrastructure before deployment, defenders cannot directly observe this activity. Detection must pivot to identifying proxies: compilation and build tool activity on non-developer endpoints, use of known obfuscation and packing tools, characteristics of freshly compiled executables executing immediately after creation, and behavioral patterns consistent with malware testing (sandbox evasion checks, anti-analysis routines). Threat actors such as Lazarus Group, APT29, Sandworm, Kimsuky, and Indrik Spider are known to develop bespoke malware to avoid commodity detection signatures."
references:
  - https://attack.mitre.org/techniques/T1587/001/
  - https://df00tech.com/detections/T1587.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1587.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full KQL/SPL query could not be auto-translated; see df00tech for it.
  # The selection below is a minimal proxy built only from the compilers named in
  # the description and falsepositives fields (the original placeholder matched
  # every process-creation event). Add a filter for your developer-workstation
  # baseline before enabling it in production.
  selection:
    Image|endswith:
      - '\csc.exe'
      - '\vbc.exe'
      - '\msbuild.exe'
  condition: selection
falsepositives:
  - "Legitimate software developers running csc.exe, msbuild.exe, or vbc.exe for application development on general-purpose endpoints without a dedicated developer workstation baseline"
  - "IT automation and configuration management tools (Ansible, Puppet, Chef) that compile scripts or produce binaries as part of deployment pipelines — especially MSBuild invocations from SCCM or build agents"
  - "Security researchers and red team members conducting authorized testing using Metasploit, packing tools, or obfuscators on approved lab machines"
  - ".NET runtime just-in-time compilation artifacts that may superficially resemble csc.exe activity in certain monitoring configurations"
  - "UPX-packed legitimate software where the vendor ships pre-packed binaries and deployment scripts unpack them during installation"
level: high
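The two proxies the description names (compiler activity on hosts outside a developer baseline, and a freshly compiled executable running moments after it is written) can be prototyped against process-creation and file-creation telemetry before being encoded as a rule. The script below is an added example and is not df00tech's query or part of the rule above; the events, host names, paths and the `DEVELOPER_HOSTS` baseline are constructed, the Sysmon-style event IDs (1 for process creation, 11 for file create) are used as the input shape, and the 120-second window is an assumed tuning value.

```python
"""Proxy detections for T1587.001 (malware development) over constructed
Sysmon-style events. Added example; not the df00tech rule's own logic."""
from datetime import datetime, timedelta

# Build tools named in the rule's description/falsepositives fields.
COMPILER_IMAGES = {"csc.exe", "vbc.exe", "msbuild.exe"}
PACKER_IMAGES = {"upx.exe"}
# Assumed developer-workstation baseline; in practice this comes from asset inventory.
DEVELOPER_HOSTS = {"DEV-WS01"}
# Assumed tuning value: how soon after creation an execution counts as "fresh".
FRESH_EXEC_WINDOW = timedelta(seconds=120)

# Constructed sample events: event_id 1 = process creation, 11 = file create.
SAMPLE_EVENTS = [
    {"ts": "2026-04-13T09:00:00", "host": "DEV-WS01", "event_id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "target": ""},
    {"ts": "2026-04-13T09:05:10", "host": "HR-PC07", "event_id": 1,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "target": ""},
    {"ts": "2026-04-13T09:05:12", "host": "HR-PC07", "event_id": 11,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "target": r"C:\Users\hr\AppData\Local\Temp\svc.exe"},
    {"ts": "2026-04-13T09:05:40", "host": "HR-PC07", "event_id": 1,
     "image": r"C:\Users\hr\AppData\Local\Temp\svc.exe", "target": ""},
    # Benign: a vendor installer drops a binary that runs much later.
    {"ts": "2026-04-13T10:00:00", "host": "HR-PC07", "event_id": 11,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\Program Files\Vendor\tool.exe"},
    {"ts": "2026-04-13T11:30:00", "host": "HR-PC07", "event_id": 1,
     "image": r"C:\Program Files\Vendor\tool.exe", "target": ""},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events, developer_hosts=DEVELOPER_HOSTS, window=FRESH_EXEC_WINDOW):
    """Return (alert_name, host, image_name) tuples for the proxy conditions.

    - compiler_on_nondev_host: csc/vbc/msbuild started on a host outside the baseline
    - packer_execution: a known packer ran
    - fresh_compiled_exec: an executable written by a compiler ran within `window`
    """
    alerts = []
    created = {}  # (host, lower-cased path) -> (creation time, creating image name)
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(ev["ts"])
        name = basename(ev["image"])
        if ev["event_id"] == 11 and ev["target"]:
            created[(ev["host"], ev["target"].lower())] = (t, name)
            continue
        if ev["event_id"] != 1:
            continue
        if name in COMPILER_IMAGES and ev["host"] not in developer_hosts:
            alerts.append(("compiler_on_nondev_host", ev["host"], name))
        if name in PACKER_IMAGES:
            alerts.append(("packer_execution", ev["host"], name))
        key = (ev["host"], ev["image"].lower())
        if key in created:
            ctime, creator = created[key]
            # Only compiler-written files count; installer-dropped binaries are
            # a documented false-positive source and are left alone here.
            if creator in COMPILER_IMAGES and t - ctime <= window:
                alerts.append(("fresh_compiled_exec", ev["host"], name))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields one `compiler_on_nondev_host` and one `fresh_compiled_exec` alert for HR-PC07; the csc.exe run on DEV-WS01 and the vendor tool that executes ninety minutes after being dropped by an installer produce nothing, which is the behaviour the rule's falsepositives entries ask for. Correlating the file-create event with the later process start is what separates a compile-then-run chain from ordinary developer builds, so the baseline set and the window are the two knobs to tune per environment.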
