title: Exploits (T1588.005)
id: df00tech-t1588-005
status: experimental
description: "Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find, modify, or purchase exploits from online sources, exploit vendors, criminal marketplaces (including exploit kits), or from other threat actors. Adversaries such as Ember Bear have obtained exploitation scripts against publicly-disclosed vulnerabilities from public repositories, while Kimsuky has obtained exploit code for various CVEs. Acquired exploits may be used across multiple phases of the adversary lifecycle including initial access, privilege escalation, defense evasion, credential access, and lateral movement. Because the acquisition of exploits occurs entirely on adversary-controlled infrastructure, direct detection is not possible from victim telemetry — detection must focus on observable indicators when those acquired exploits are deployed."
references:
  - https://attack.mitre.org/techniques/T1588/005/
  - https://df00tech.com/detections/T1588.005
author: df00tech
date: 2026/04/13
tags:
  - attack.t1588.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # PLACEHOLDER: the wildcard 'EventID: *' matches every process_creation event, so this rule
  # as written fires on all process starts. Replace the selection with the real logic before enabling it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Office macros used in legitimate business automation (e.g., Excel VBA launching cmd.exe for data pipeline exports, report generation, or ERP integrations)"
  - "Browser helper objects, enterprise browser extensions, or Single Sign-On agents that legitimately spawn child processes for print, download, clipboard, or authentication workflows"
  - "PDF processing integrations where Acrobat invokes system utilities for digital signature workflows, document conversion pipelines, or secure print operations"
  - "Java-based enterprise applications (ERP, HR, financial systems) that legitimately spawn system commands for file operations, external tool invocation, or OS-level integration tasks"
level: high
