Develop Capabilities T1587

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.

Events covered

4 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 15 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
CommandLine8contains 8, ends_with 1, in 1 -i -s cmd, -i -s powershell, -i -s pwsh, -p , -u
Image7ends_with 6, contains 3.exe, :\program files (x86)\, :\program files (x86)\microsoft office\, :\program files\, :\program files\common files\microsoft shared\clicktorun\
TargetFilename5contains 5, ends_with 3, starts_with 1.cab, .docb, .docm, .docx, .exe
OriginalFileName2eq 2certutil.exe, purplesharp.exe
Description1eq 1csexec
ImageLoaded1eq 1c:\windows\adfs\version.dll
ParentCommandLine1ends_with 1, starts_with 1.exe, C:\Windows\SysWOW64\, C:\Windows\System32\
process_name1eq 1certutil.exe

Top indicator values (158 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

FieldKindValueRules (here)Corpus reach
CommandLinecontains
accepteula
38
CommandLinecontains
-i -s cmd
22
CommandLinecontains
-i -s powershell
22
CommandLinecontains
-i -s pwsh
22
CommandLinecontains
-s -i cmd
22
CommandLinecontains
-s -i powershell
22
CommandLinecontains
-s -i pwsh
22
CommandLinecontains
-s cmd
22
CommandLinecontains
-s powershell
22
CommandLinecontains
-s pwsh
22
CommandLinecontains
c:\users\
28
CommandLinecontains
paexec
22
CommandLinecontains
psexec
22
CommandLinecontains
-p
19
CommandLinecontains
-u
17
CommandLinecontains
\\\\
18
CommandLinecontains
%windir:~-1,1%
1
CommandLinecontains
%windir:~-3,1%%public:~-9,1%
1
CommandLinecontains
-addstore
12
CommandLinecontains
.txt
110
CommandLinecontains
/c
115
CommandLinecontains
/e:vbscript
1
CommandLinecontains
/f
17
CommandLinecontains
/tn "security script
1
CommandLinecontains
\\\\127.
1
CommandLinecontains
\\\\localhost
1
CommandLinecontains
\appdata\local\temp\
128
CommandLinecontains
\desktop\
113
Imageends_with
\winword.exe
227
TargetFilenamecontains
\appdata\local\temp\
213

Exclusions (80 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

FieldKindValueRules excluding
CommandLinecontains
\\\\127.
1
CommandLinecontains
\\\\localhost
1
CommandLinecontains
accepteula
1
CommandLinecontains
paexec
1
CommandLinecontains
psexec
1
Imagecontains
:\program files (x86)\
1
Imagecontains
:\program files (x86)\microsoft office\
1
Imagecontains
:\program files\
1
Imagecontains
:\program files\common files\microsoft shared\clicktorun\
1
Imagecontains
:\program files\microsoft office\
1
Imagecontains
:\program files\windows defender\
1
Imagecontains
:\programdata\microsoft\windows defender\
1
Imagecontains
:\windows\microsoft.net\framework
1
Imagecontains
:\windows\microsoft.net\framework64\
1
Imagecontains
:\windows\microsoft.net\framework\
1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 14 rules

Splunk 1 rule