title: Develop Capabilities (T1587)
id: df00tech-t1587
status: experimental
description: "This detection identifies indicators that adversaries have deployed custom-developed capabilities within the target environment. Because T1587 (Develop Capabilities) occurs outside the victim network during the adversary lifecycle, direct detection is impossible; instead, this rule focuses on second-order indicators: unsigned or self-signed executables executing from non-standard paths, low-prevalence binaries making network connections, and novel tooling patterns associated with bespoke malware frameworks. Groups such as Kimsuky, Moonstone Sleet, and Contagious Interview are known to develop custom tools, including malicious NPM packages, spearphishing toolkits, and custom implants, that exhibit these characteristics upon deployment. The detection correlates signature anomalies, environmental prevalence, and behavioral signals to surface likely custom-developed tools used in targeted intrusions."
references:
  - https://attack.mitre.org/techniques/T1587/
  - https://df00tech.com/detections/T1587
author: df00tech
date: 2026/04/13
tags:
  - attack.t1587
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the df00tech logic (KQL/SPL query on the reference page) could not be auto-translated into Sigma.
  # As written, this selection matches every process_creation event; replace it with the reference logic before deploying.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Internal development teams executing locally compiled utilities or test binaries that have not yet been signed
  - "Open-source or portable applications distributed without code signing (e.g., command-line utilities, Python scripts compiled with PyInstaller)"
  - "Legitimate penetration testing tools (Cobalt Strike, Metasploit, custom scripts) used by authorized red team engagements"
  - Software distributed via internal package managers or deployment tools that bypasses standard code signing workflows
  - Vendor-supplied diagnostic utilities that are unsigned by design
level: high
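Added example, not part of the df00tech rule or its KQL/SPL query: a Python pass over constructed process-creation records that correlates the four second-order indicators the description names (signature anomaly, non-standard path, low host prevalence, outbound connection) and surfaces only events where a signature anomaly is corroborated by other signals. The field names, standard-path list and thresholds are assumptions for this example.

```python
# Added example (not the df00tech rule): correlate T1587 second-order indicators
# over constructed process-creation records. Field names and thresholds are assumptions.
from collections import defaultdict

# Constructed sample fleet: one record per process start with host, image path,
# signer subject ("unsigned"/"self-signed" when no valid signature) and outbound-connection flag.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "net": True},
    {"host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "signer": "Microsoft Windows", "net": True},
    {"host": "ws01", "image": r"C:\ProgramData\Contoso\collector.exe", "signer": "Contoso Ltd", "net": True},
    {"host": "ws02", "image": r"C:\ProgramData\Contoso\collector.exe", "signer": "Contoso Ltd", "net": True},
    {"host": "ws05", "image": r"C:\Users\jdoe\AppData\Local\Temp\update_helper.exe", "signer": "unsigned", "net": True},
    {"host": "ws04", "image": r"C:\Users\asmith\Downloads\build_tool.exe", "signer": "unsigned", "net": False},
]

STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
LOW_PREVALENCE_HOSTS = 2   # assumption: an image seen on fewer hosts than this is "low prevalence"
ALERT_MIN_SIGNALS = 3      # assumption: signature anomaly plus at least two corroborating signals

def host_prevalence(events: list) -> dict:
    """Distinct hosts per case-folded image path; compute this over a fleet baseline window in practice."""
    hosts = defaultdict(set)
    for e in events:
        hosts[e["image"].lower()].add(e["host"])
    return {img: len(h) for img, h in hosts.items()}

def signals_for(e: dict, prevalence: dict) -> list:
    """Name every second-order indicator present on one event."""
    img = e["image"].lower()
    s = []
    if e["signer"].lower() in ("unsigned", "self-signed", ""):
        s.append("signature_anomaly")
    if not img.startswith(STANDARD_PREFIXES):
        s.append("non_standard_path")
    if prevalence[img] < LOW_PREVALENCE_HOSTS:
        s.append("low_prevalence")
    if e["net"]:
        s.append("network_connection")
    return s

def find_candidates(events: list) -> list:
    """Return events whose signature anomaly is corroborated by enough other signals."""
    prevalence = host_prevalence(events)
    out = []
    for e in events:
        s = signals_for(e, prevalence)
        if "signature_anomaly" in s and len(s) >= ALERT_MIN_SIGNALS:
            out.append({"host": e["host"], "image": e["image"], "signals": s})
    return out
```

The unsigned build tool in Downloads is surfaced alongside the temp-folder helper, which is exactly the internal-development false positive the rule lists; tune the prevalence baseline and signer allow-list per environment.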
