title: Tool (T1588.002)
id: df00tech-t1588-002
status: experimental
description: "Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary but was not originally intended for those purposes (e.g., PsExec, Mimikatz, Cobalt Strike). Adversaries may obtain tools to support their operations — including post-compromise execution, lateral movement, credential access, and discovery. Detection of this technique pivots from observing tool acquisition (which occurs on adversary infrastructure, outside the victim environment) to detecting the PRESENCE and EXECUTION of known offensive tools within the environment: dual-use administration utilities, credential access tools, post-exploitation frameworks, network scanners, and Active Directory reconnaissance tools. Real-world examples include DarkVishnya using Impacket and PsExec, Turla customizing Mimikatz, Magic Hound deploying Havij and sqlmap, Kimsuky using Nirsoft WebBrowserPassView, and Storm-1811 deploying RMM software and commodity malware."
references:
  - https://attack.mitre.org/techniques/T1588/002/
  - https://df00tech.com/detections/T1588.002
author: df00tech
date: 2026/03/13
tags:
  - attack.t1588.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Starter selection on the tool image names cited in the description; the full logic
  # (OriginalFileName and command-line checks) is the KQL/SPL query on df00tech.
  selection:
    Image|endswith: ['\mimikatz.exe', '\psexec.exe', '\psexec64.exe', '\rubeus.exe', '\havij.exe', '\webbrowserpassview.exe']
  condition: selection
falsepositives:
  - "Authorized red team or penetration test engagements using Mimikatz, Rubeus, BloodHound, or PsExec with prior change ticket — coordinate with security team on expected activity windows"
  - "IT administrators using PsExec, ADExplorer, or RVTools for legitimate system administration, remote execution, or AD inventory tasks — these are common dual-use tools in enterprise environments"
  - "Security operations tooling that bundles or executes named tools for endpoint assessment (CrowdStrike, Tenable, Rapid7 InsightAgent) — baseline process ancestry from known security product parent processes"
  - "Developer or security researcher workstations running offensive security tools as part of authorized research — document and baseline these devices separately from production endpoints"
  - "Vendor-supplied diagnostic scripts that include Sysinternals tools (PsExec, procdump) as part of support engagements — verify with vendor and correlate with active support tickets"
level: high
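The description says detection pivots to the presence and execution of known tools, and the false-positive notes say to baseline by parent process and by documented red-team devices. The following Python is an added example (not part of the df00tech rule or its KQL/SPL query) that applies the tool names cited on this page to constructed Sysmon-style process_creation events and carries out both steps: it matches on the PE OriginalFileName as well as the image name, so a Mimikatz copy renamed on disk is still caught and is never suppressed by a baseline, and it tags hits launched by a baselined security-product parent or on an authorized red-team host as expected activity. The EDR parent path, host names and sample events are constructed assumptions; the OriginalFileName values are listed only for the tools where they are known.

```python
"""Triage of tool presence in Windows process_creation events.

Added example, not part of the df00tech rule or its KQL/SPL query. Tool names come
from the rule's description and false-positive notes; the sample events, host names
and security-product parent path are constructed. Field names follow Sysmon Event
ID 1 (Image, OriginalFileName, CommandLine, ParentImage, Computer).
"""

# Indicators per tool: image basenames, PE OriginalFileName values and command-line
# fragments. OriginalFileName is read from the PE version resource, so it survives a
# rename on disk; it is listed only where the value is known, never guessed.
TOOLS = {
    "Mimikatz": {"images": {"mimikatz.exe"}, "original": {"mimikatz.exe"},
                 "cmdline": ("sekurlsa::", "lsadump::")},
    "PsExec": {"images": {"psexec.exe", "psexec64.exe"}, "original": {"psexec.c"},
               "cmdline": ()},
    "Rubeus": {"images": {"rubeus.exe"}, "original": {"rubeus.exe"},
               "cmdline": ("kerberoast", "asktgt")},
    "sqlmap": {"images": set(), "original": set(), "cmdline": ("sqlmap.py",)},
    "Havij": {"images": {"havij.exe"}, "original": set(), "cmdline": ()},
    "WebBrowserPassView": {"images": {"webbrowserpassview.exe"}, "original": set(),
                           "cmdline": ()},
    "ADExplorer": {"images": {"adexplorer.exe", "adexplorer64.exe"}, "original": set(),
                   "cmdline": ()},
    "RVTools": {"images": {"rvtools.exe"}, "original": set(), "cmdline": ()},
}

# Constructed baselines (assumptions, not real product paths or host names): parents
# of security tooling that legitimately launches these utilities, and workstations
# documented for authorized red team use.
BASELINED_PARENTS = {r"c:\program files\exampleedr\edr-agent.exe"}
AUTHORIZED_HOSTS = {"RT-WKS01"}


def match_tools(event):
    """Return [(tool, [reasons])] for every tool the event's fields indicate."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    hits = []
    for tool, ind in TOOLS.items():
        reasons = []
        if image in ind["images"]:
            reasons.append("image")
        if original and original in ind["original"]:
            reasons.append("original_filename")
        if any(marker in cmdline for marker in ind["cmdline"]):
            reasons.append("cmdline")
        if reasons:
            hits.append((tool, reasons))
    return hits


def triage(events):
    """Apply the baselines from the rule's false-positive notes to each hit."""
    findings = []
    for event in events:
        for tool, reasons in match_tools(event):
            parent = event.get("ParentImage", "").lower()
            if "original_filename" in reasons and "image" not in reasons:
                # Binary renamed on disk: no legitimate baseline covers that.
                disposition = "alert:renamed_binary"
            elif parent in BASELINED_PARENTS:
                disposition = "baseline:security_tooling_parent"
            elif event.get("Computer") in AUTHORIZED_HOSTS:
                disposition = "baseline:authorized_host"
            else:
                disposition = "alert"
            findings.append({"computer": event.get("Computer"), "tool": tool,
                             "reasons": reasons, "disposition": disposition})
    return findings


# Constructed Sysmon-style events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "FIN-WKS07", "Image": r"C:\Users\Public\svc.exe",
     "OriginalFileName": "mimikatz.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'svc.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"Computer": "IT-ADMIN02", "Image": r"C:\Tools\PsExec64.exe",
     "OriginalFileName": "psexec.c", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"PsExec64.exe \\SRV01 -s cmd.exe"},
    {"Computer": "SRV-FILE01", "Image": r"C:\Program Files\ExampleEDR\tools\psexec.exe",
     "OriginalFileName": "psexec.c", "ParentImage": r"C:\Program Files\ExampleEDR\edr-agent.exe",
     "CommandLine": "psexec.exe -accepteula -s collect.exe"},
    {"Computer": "RT-WKS01", "Image": r"C:\ops\Rubeus.exe", "OriginalFileName": "Rubeus.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Rubeus.exe kerberoast /outfile:hashes.txt"},
    {"Computer": "DEV-WKS03", "Image": r"C:\Python311\python.exe",
     "OriginalFileName": "python.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"python.exe C:\tools\sqlmap\sqlmap.py -u http://intranet/app?id=1 --dbs"},
    {"Computer": "FIN-WKS07", "Image": r"C:\Windows\System32\svchost.exe",
     "OriginalFileName": "svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def summarize(events=SAMPLE_EVENTS):
    """(computer, tool, disposition) per finding, in event order."""
    return [(f["computer"], f["tool"], f["disposition"]) for f in triage(events)]


if __name__ == "__main__":
    for computer, tool, disposition in summarize():
        print(f"{computer:<11} {tool:<20} {disposition}")
```

Run stand-alone, the script reports five findings from six events: the renamed Mimikatz and the sqlmap run (caught only through its command line, since it executes under python.exe) alert, the PsExec from an admin host alerts for analyst review, while the PsExec spawned by the baselined agent and the Rubeus run on the documented red-team workstation are tagged as expected. The renamed-binary check runs before the baselines on purpose; a tool that has been renamed does not match the picture of sanctioned use the false-positive notes describe.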
