title: Obtain Capabilities (T1588)
id: df00tech-t1588
status: experimental
description: "This detection identifies adversary capability acquisition activity manifesting within the victim environment — specifically, the arrival, staging, and first execution of known offensive tools, exploit frameworks, and dual-use security utilities. While T1588 is a PRE-ATT&CK technique occurring outside the victim network, its downstream effects are observable: offensive tools landing in atypical directories (Temp, Downloads, user profile paths), processes executing with names or command-line arguments matching known offensive frameworks (Cobalt Strike, Mimikatz, Rubeus, Sliver, Havoc, Impacket), downloads via living-off-the-land binaries (certutil, bitsadmin, curl), and network connections to known exploit distribution infrastructure. The detection correlates process creation events, file download artifacts, and network telemetry to surface high-risk capability introductions across Windows and Linux endpoints."
references:
  - https://attack.mitre.org/techniques/T1588/
  - https://df00tech.com/detections/T1588
author: df00tech
date: 2026/03/19
tags:
  - attack.t1588
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; the selection below matches every
  # process_creation event and is a placeholder only. Replace it with the KQL/SPL query
  # published on df00tech before deploying, or the rule will alert on all process starts.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Security researchers and red team operators running authorized assessments — certutil and PowerShell downloads are common in legitimate engagements
  - IT administrators staging software packages in Temp directories during patch cycles or manual deployments
  - Dual-use tools like ADExplorer, ProcDump, or BloodHound used by authorized IT/security teams for inventory and health assessments
  - Developer workstations cloning security tool repositories from GitHub for research or tooling review
  - Penetration testing firms with approved assessments whose infrastructure overlaps with known offensive tool signatures
level: high
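The description explains the correlation idea (offensive tool names, execution from staging directories, LOLBin downloads) but the `detection:` block above is a placeholder. The following is an added example, not the df00tech rule and not its KQL/SPL query, showing how the process-creation part of that logic can be expressed and exercised in Python over constructed Sigma-style `process_creation` events. The `Image`, `CommandLine` and `User` field names follow the Sigma process_creation field set; the tool-name list, the staging-directory list, the LOLBin argument patterns and the `allowlist` parameter (which models the authorized-engagement case from the falsepositives section) are illustrative assumptions.

```python
"""Added example (not the df00tech rule): a small evaluator for the
process-creation signals listed in the T1588 description, run over
constructed Sigma-style process_creation events.

Assumptions: the tool-name list, staging-directory list and LOLBin argument
patterns are illustrative placeholders; a production rule would maintain
these lists separately and tune them against the environment."""
import re

# Substrings of executable names, taken from the description's own examples.
KNOWN_TOOL_NAMES = ("mimikatz", "rubeus", "sharphound", "cobaltstrike", "sliver", "havoc")

# Directories the description calls atypical for tool execution (paths are
# normalised to lower-case forward slashes so Windows and Linux share one check).
WINDOWS_STAGING_DIRS = ("/appdata/local/temp/", "/downloads/", "/users/public/")
LINUX_STAGING_DIRS = ("/tmp/", "/dev/shm/")

# LOLBin downloads: the binary only counts when paired with its fetch argument,
# so ordinary certutil/bitsadmin/curl use does not fire.
LOLBIN_DOWNLOAD = (
    (re.compile(r"^certutil(\.exe)?$"), re.compile(r"-urlcache", re.I)),
    (re.compile(r"^bitsadmin(\.exe)?$"), re.compile(r"/transfer", re.I)),
    (re.compile(r"^curl(\.exe)?$"), re.compile(r"(^|\s)(-o|--output)(\s|$)", re.I)),
)


def _normalise(image: str) -> tuple[str, str]:
    """Return (full lower-case path using '/', basename) for an Image field."""
    norm = image.lower().replace("\\", "/")
    return norm, norm.rsplit("/", 1)[-1]


def classify(event: dict) -> list[str]:
    """Return the names of the selections this event satisfies (possibly none)."""
    norm, base = _normalise(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if any(name in base for name in KNOWN_TOOL_NAMES):
        hits.append("known_tool_name")
    if any(d in norm for d in WINDOWS_STAGING_DIRS) or norm.startswith(LINUX_STAGING_DIRS):
        hits.append("atypical_directory")
    if any(img.match(base) and arg.search(cmd) for img, arg in LOLBIN_DOWNLOAD):
        hits.append("lolbin_download")
    return hits


def detect(events: list[dict], allowlist: frozenset[str] = frozenset()) -> list[dict]:
    """Evaluate every event; users on the allowlist (an authorised engagement
    account, per the falsepositives section) are skipped rather than alerted on."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("User") in allowlist:
            continue
        hits = classify(ev)
        if hits:
            findings.append({"index": idx, "image": ev.get("Image"), "selections": hits})
    return findings


# Constructed sample events; users, hosts and URLs are placeholders.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Rubeus.exe",
     "CommandLine": "Rubeus.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -f http://example.invalid/tool.bin tool.bin",
     "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe https://example.invalid/api/health", "User": r"CORP\bob"},
    {"Image": "/tmp/sliver-client", "CommandLine": "/tmp/sliver-client", "User": "redteam"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']} -> {', '.join(f['selections'])}")
```

Each selection is kept separate so an analyst can see which signal fired; in a Sigma rule these would be three named selections combined with `1 of selection_*`, which is a more useful shape than the match-all `EventID: '*'` stub. The allowlist keyed on `User` is the simplest form of the exclusion the falsepositives section calls for; in practice a hash or signer allowlist for the dual-use tools is more robust than a user name.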
