T1588.006

Vulnerabilities

Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.

Microsoft Sentinel / Defender

kusto

// T1588.006 — Vulnerability Research: Indirect Detection
// Detects internal endpoints accessing exploit databases, executing exploit toolchains,
// or creating CVE-named files — indicators of insider threat, compromised research
// workstations, or adversary staging activity within the environment.
let ExploitRepositories = dynamic([
    "exploit-db.com", "www.exploit-db.com",
    "packetstormsecurity.com", "0day.today",
    "sploitus.com", "vulners.com",
    "cxsecurity.com", "seebug.org",
    "bugs.chromium.org/p/project-zero"
]);
let ExploitToolPatterns = dynamic([
    "searchsploit", "msfconsole", "msfvenom",
    "nuclei -t cves", "nuclei --template cve",
    " poc.py", "exploit.py", "exploit.rb",
    "exploit.pl", "exploit.sh",
    "python3 cve-", "python cve-", "ruby cve-"
]);
let CVEFilePatterns = dynamic([
    "CVE-20", "cve-20", "poc.", "0day.", "exploit."
]);
// Branch 1: Internal hosts making HTTP/S connections to known exploit repositories
let ExploitSiteAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ExploitRepositories)
    or RemoteHostname has_any (ExploitRepositories)
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe")
| extend DetectionBranch = "ExploitSiteAccess"
| extend SignalDetail = strcat("Process=", InitiatingProcessFileName, " | URL=", RemoteUrl)
| project Timestamp, DeviceName, AccountName, DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: Exploit tool execution (searchsploit, Metasploit, CVE PoC scripts)
let ExploitToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (ExploitToolPatterns)
    or (FileName in~ ("python.exe", "python3", "python3.exe", "ruby", "ruby.exe", "perl.exe", "perl")
        and ProcessCommandLine has_any (["poc.py", "exploit.py", "exploit.rb",
                                         "exploit.pl", "CVE-20", "cve-20"]))
| extend DetectionBranch = "ExploitToolExecution"
| extend SignalDetail = strcat("Command=", ProcessCommandLine)
| project Timestamp, DeviceName, AccountName, DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine = ProcessCommandLine;
// Branch 3: CVE-named or exploit-named file creation on disk
let ExploitFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName has_any (CVEFilePatterns)
    and (FileName endswith ".py" or FileName endswith ".rb" or FileName endswith ".sh"
         or FileName endswith ".exe" or FileName endswith ".ps1" or FileName endswith ".pl"
         or FileName endswith ".c" or FileName endswith ".cpp")
| extend DetectionBranch = "ExploitFileCreated"
| extend SignalDetail = strcat("File=", FolderPath, "\\", FileName,
                               " | Process=", InitiatingProcessFileName)
| project Timestamp, DeviceName, AccountName, DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Union all branches
ExploitSiteAccess
| union ExploitToolExecution
| union ExploitFileCreation
| sort by Timestamp desc

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate penetration testers and red team members accessing Exploit-DB or running Metasploit during authorized engagements
Security operations center analysts and threat intelligence analysts browsing vulnerability databases as part of daily research duties
Software developers and QA engineers creating files named with CVE identifiers when building patching tools, scanners, or security regression test suites
Academic or training environments where students execute public CVE PoC scripts in sandboxed lab systems that share endpoint telemetry with the production SIEM
Automated vulnerability management scanners (Tenable, Rapid7 InsightVM, Qualys) whose agent processes may trigger on exploit-named file patterns

Splunk

spl

// T1588.006 — Vulnerability Research: Indirect Detection via Sysmon + Web Proxy
// Three detection branches: exploit site web access, exploit tool execution, CVE file creation
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3
  (DestinationHostname="*exploit-db.com*" OR DestinationHostname="*packetstormsecurity.com*"
   OR DestinationHostname="*sploitus.com*" OR DestinationHostname="*0day.today*"
   OR DestinationHostname="*vulners.com*" OR DestinationHostname="*cxsecurity.com*"
   OR DestinationHostname="*seebug.org*")
  NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe")
| eval detection_branch="ExploitSiteAccess"
| eval signal_detail="Process=".Image." | Destination=".DestinationHostname.":".DestinationPort
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (CommandLine="*searchsploit*") OR (CommandLine="*msfconsole*") OR
    (CommandLine="*msfvenom*") OR (CommandLine="*nuclei*" AND (CommandLine="*cve*" OR CommandLine="*-t cves*"))
    OR
    (
      (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\ruby.exe" OR Image="*\\perl.exe")
      AND (CommandLine="*poc.py*" OR CommandLine="*exploit.py*" OR CommandLine="*exploit.rb*"
           OR CommandLine="*exploit.pl*" OR CommandLine="*CVE-20*" OR CommandLine="*cve-20*")
    )
  )
| eval detection_branch="ExploitToolExecution"
| eval signal_detail="Command=".CommandLine
)
OR
(
  sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (
    (TargetFilename="*CVE-20*" OR TargetFilename="*cve-20*" OR TargetFilename="*\\poc.*"
     OR TargetFilename="*\\exploit.*" OR TargetFilename="*0day.*")
    AND (TargetFilename="*.py" OR TargetFilename="*.rb" OR TargetFilename="*.sh"
         OR TargetFilename="*.pl" OR TargetFilename="*.exe" OR TargetFilename="*.ps1"
         OR TargetFilename="*.c" OR TargetFilename="*.cpp")
  )
| eval detection_branch="ExploitFileCreated"
| eval signal_detail="File=".TargetFilename." | Process=".Image
)
| eval detection_branch=coalesce(detection_branch, "Unknown")
| eval signal_detail=coalesce(signal_detail, "")
| table _time, host, User, detection_branch, signal_detail, Image, CommandLine, ParentImage
| sort - _time

medium severity low confidence

Data Sources

Network Traffic: Network Connection Creation Process: Process Creation File: File Creation Sysmon Event ID 1, 3, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Authorized penetration testers and red team operators running Metasploit, searchsploit, or Nuclei during sanctioned engagements
Security researchers and threat intel analysts browsing Exploit-DB or Vulners as part of their regular vulnerability tracking workflow
Developers building security tooling who create files named with CVE identifiers for test cases, patch validators, or vulnerability scanners
Automated vulnerability management agents downloading CVE-related content during scheduled scan cycles
CTF (Capture the Flag) participants working on competition challenges from corporate endpoints

Elastic Security (EQL)

eql

any where
  (
    /* Branch 1: Internal endpoint connecting to known exploit repositories */
    event.category == "network" and
    destination.domain like~ (
      "*exploit-db.com*", "*packetstormsecurity.com*", "*sploitus.com*",
      "*0day.today*", "*vulners.com*", "*cxsecurity.com*",
      "*seebug.org*", "*bugs.chromium.org*"
    ) and
    not process.name in~ ("svchost.exe", "lsass.exe", "services.exe")
  )
  or
  (
    /* Branch 2: Exploit toolchain execution — searchsploit, Metasploit, CVE PoC scripts */
    event.category == "process" and event.type == "start" and
    (
      process.command_line like~ "*searchsploit*" or
      process.command_line like~ "*msfconsole*" or
      process.command_line like~ "*msfvenom*" or
      (process.command_line like~ "*nuclei*" and process.command_line like~ "*cve*") or
      (
        process.name in~ ("python.exe", "python3", "python3.exe", "ruby", "ruby.exe", "perl", "perl.exe") and
        (
          process.command_line like~ "*poc.py*" or
          process.command_line like~ "*exploit.py*" or
          process.command_line like~ "*exploit.rb*" or
          process.command_line like~ "*exploit.pl*" or
          process.command_line like~ "*CVE-20*" or
          process.command_line like~ "*cve-20*"
        )
      )
    )
  )
  or
  (
    /* Branch 3: CVE-named or exploit-named script/binary created on disk */
    event.category == "file" and event.type == "creation" and
    (
      file.name like~ "CVE-20*" or
      file.name like~ "cve-20*" or
      file.name like~ "poc.*" or
      file.name like~ "0day.*" or
      file.name like~ "exploit.*"
    ) and
    file.extension in~ ("py", "rb", "sh", "exe", "ps1", "pl", "c", "cpp")
  )

high severity medium confidence

Data Sources

Elastic Endpoint Security agent (endpoint.events.*) Winlogbeat with Sysmon (winlogbeat-* index, Sysmon events 1, 3, 11) Filebeat Windows module with Sysmon pipeline Network proxy logs forwarded via Filebeat (for HTTP destination domain enrichment)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Authorized red team operators or penetration testers running Metasploit, searchsploit, or nuclei against in-scope targets — correlate with change management records and authorized testing windows before escalating.
Security researchers and threat intelligence analysts on dedicated research workstations browsing exploit-db.com or vulners.com for defensive purposes — consider allowlisting specific analyst machine hostnames after vetting.
Automated vulnerability scanners (Tenable, Qualys, Rapid7 Nexpose) spawning nuclei or similar tools as part of scheduled assessments — scanner host IPs should be allowlisted by asset tag or subnet.
Security awareness training platforms or CTF environments where students clone and run CVE PoC code as part of controlled exercises — lab network segments can be excluded by CIDR block.

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip,
    username,
    QIDNAME(qid) AS event_name,
    "EventID",
    "Image",
    "CommandLine",
    "DestinationHostname",
    "TargetFilename",
    CASE
        WHEN "EventID" = '3'
             AND ("DestinationHostname" ILIKE '%exploit-db.com%'
                  OR "DestinationHostname" ILIKE '%packetstormsecurity.com%'
                  OR "DestinationHostname" ILIKE '%sploitus.com%'
                  OR "DestinationHostname" ILIKE '%0day.today%'
                  OR "DestinationHostname" ILIKE '%vulners.com%'
                  OR "DestinationHostname" ILIKE '%cxsecurity.com%'
                  OR "DestinationHostname" ILIKE '%seebug.org%'
                  OR "DestinationHostname" ILIKE '%bugs.chromium.org%')
            THEN 'ExploitSiteAccess'
        WHEN "EventID" = '1'
             AND ("CommandLine" ILIKE '%searchsploit%'
                  OR "CommandLine" ILIKE '%msfconsole%'
                  OR "CommandLine" ILIKE '%msfvenom%'
                  OR ("CommandLine" ILIKE '%nuclei%' AND "CommandLine" ILIKE '%cve%')
                  OR ("Image" ILIKE '%\\python%.exe'
                      AND ("CommandLine" ILIKE '%poc.py%'
                           OR "CommandLine" ILIKE '%exploit.py%'
                           OR "CommandLine" ILIKE '%CVE-20%'
                           OR "CommandLine" ILIKE '%cve-20%'))
                  OR ("Image" ILIKE '%\\ruby%.exe'
                      AND ("CommandLine" ILIKE '%exploit.rb%'
                           OR "CommandLine" ILIKE '%CVE-20%'))
                  OR ("Image" ILIKE '%\\perl%.exe'
                      AND ("CommandLine" ILIKE '%exploit.pl%'
                           OR "CommandLine" ILIKE '%CVE-20%')))
            THEN 'ExploitToolExecution'
        WHEN "EventID" = '11'
             AND ("TargetFilename" ILIKE '%CVE-20%'
                  OR "TargetFilename" ILIKE '%cve-20%'
                  OR "TargetFilename" ILIKE '%\\poc.%'
                  OR "TargetFilename" ILIKE '%\\exploit.%'
                  OR "TargetFilename" ILIKE '%0day.%')
             AND ("TargetFilename" ILIKE '%.py'
                  OR "TargetFilename" ILIKE '%.rb'
                  OR "TargetFilename" ILIKE '%.sh'
                  OR "TargetFilename" ILIKE '%.ps1'
                  OR "TargetFilename" ILIKE '%.pl'
                  OR "TargetFilename" ILIKE '%.exe'
                  OR "TargetFilename" ILIKE '%.c'
                  OR "TargetFilename" ILIKE '%.cpp')
            THEN 'ExploitFileCreated'
        ELSE NULL
    END AS detection_branch
FROM events
WHERE
    LOGSOURCENAME(logsourceid) ILIKE '%Sysmon%'
    AND (
        /* Branch 1: Network connection to exploit repository (Sysmon Event 3) */
        (
            "EventID" = '3'
            AND (
                "DestinationHostname" ILIKE '%exploit-db.com%'
                OR "DestinationHostname" ILIKE '%packetstormsecurity.com%'
                OR "DestinationHostname" ILIKE '%sploitus.com%'
                OR "DestinationHostname" ILIKE '%0day.today%'
                OR "DestinationHostname" ILIKE '%vulners.com%'
                OR "DestinationHostname" ILIKE '%cxsecurity.com%'
                OR "DestinationHostname" ILIKE '%seebug.org%'
                OR "DestinationHostname" ILIKE '%bugs.chromium.org%'
            )
            AND "Image" NOT ILIKE '%\\svchost.exe'
            AND "Image" NOT ILIKE '%\\lsass.exe'
            AND "Image" NOT ILIKE '%\\services.exe'
        )
        OR
        /* Branch 2: Exploit toolchain process creation (Sysmon Event 1) */
        (
            "EventID" = '1'
            AND (
                "CommandLine" ILIKE '%searchsploit%'
                OR "CommandLine" ILIKE '%msfconsole%'
                OR "CommandLine" ILIKE '%msfvenom%'
                OR ("CommandLine" ILIKE '%nuclei%' AND "CommandLine" ILIKE '%cve%')
                OR (
                    ("Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.exe')
                    AND (
                        "CommandLine" ILIKE '%poc.py%'
                        OR "CommandLine" ILIKE '%exploit.py%'
                        OR "CommandLine" ILIKE '%CVE-20%'
                        OR "CommandLine" ILIKE '%cve-20%'
                    )
                )
                OR (
                    "Image" ILIKE '%\\ruby.exe'
                    AND ("CommandLine" ILIKE '%exploit.rb%' OR "CommandLine" ILIKE '%CVE-20%')
                )
                OR (
                    "Image" ILIKE '%\\perl.exe'
                    AND ("CommandLine" ILIKE '%exploit.pl%' OR "CommandLine" ILIKE '%CVE-20%')
                )
            )
        )
        OR
        /* Branch 3: CVE-named file creation (Sysmon Event 11) */
        (
            "EventID" = '11'
            AND (
                "TargetFilename" ILIKE '%CVE-20%'
                OR "TargetFilename" ILIKE '%cve-20%'
                OR "TargetFilename" ILIKE '%\\poc.%'
                OR "TargetFilename" ILIKE '%\\exploit.%'
                OR "TargetFilename" ILIKE '%0day.%'
            )
            AND (
                "TargetFilename" ILIKE '%.py'
                OR "TargetFilename" ILIKE '%.rb'
                OR "TargetFilename" ILIKE '%.sh'
                OR "TargetFilename" ILIKE '%.ps1'
                OR "TargetFilename" ILIKE '%.pl'
                OR "TargetFilename" ILIKE '%.exe'
                OR "TargetFilename" ILIKE '%.c'
                OR "TargetFilename" ILIKE '%.cpp'
            )
        )
    )
    AND detection_branch IS NOT NULL
    AND starttime > DATEADD(HOUR, -24, NOW())
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Windows Sysmon DSM (QRadar log source type 433) Windows Security Event Log DSM (supplementary process events via EventID 4688 if Sysmon unavailable) Network proxy or firewall flow data (supplementary for exploit site URL matching)

Required Tables

events (QRadar normalized event store) Sysmon DSM log source extension fields: EventID, Image, CommandLine, DestinationHostname, TargetFilename

False Positives

Authorized penetration testers running Metasploit Framework or searchsploit against sanctioned targets — cross-reference event sourceip against the authorized pentest asset register in CMDB before escalating.
Security operations analysts on dedicated threat intelligence workstations accessing exploit-db.com or vulners.com for IOC enrichment and research — these endpoints should be documented and username-filtered in the rule exclusion list.
CI/CD pipelines or developer workstations running nuclei as part of an integrated DAST pipeline against pre-production environments — the parent process tree will show CI runner processes such as jenkins.exe or gitlab-runner.exe as Image parent.
Security training environments (HackTheBox, TryHackMe, internal labs) where students download and execute CVE PoC scripts — lab subnet CIDRs should be excluded at the log source level.

Sumo Logic CSE

sql

// T1588.006 — Vulnerability Research: Indirect Detection via Sumo Logic
// Sources: Windows Sysmon XML events forwarded to Sumo Logic Installed Collector
_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon"
| parse regex "(?i)<EventID>(?<event_id>\d+)</EventID>" nodrop
| parse regex "(?i)<Data Name='Image'>(?<image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='CommandLine'>(?<command_line>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='ParentImage'>(?<parent_image>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='DestinationHostname'>(?<dest_hostname>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='DestinationPort'>(?<dest_port>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='TargetFilename'>(?<target_filename>[^<]+)</Data>" nodrop
| parse regex "(?i)<Data Name='User'>(?<user>[^<]+)</Data>" nodrop
| parse regex "(?i)<Computer>(?<computer>[^<]+)</Computer>" nodrop
// Filter to relevant Sysmon event IDs only
| where event_id in ("1", "3", "11")
// Apply branch-specific detection logic
| where (
    /* Branch 1: Sysmon Event 3 — Network connection to exploit repository */
    (
        event_id = "3"
        AND (
            dest_hostname matches "*exploit-db.com*"
            OR dest_hostname matches "*packetstormsecurity.com*"
            OR dest_hostname matches "*sploitus.com*"
            OR dest_hostname matches "*0day.today*"
            OR dest_hostname matches "*vulners.com*"
            OR dest_hostname matches "*cxsecurity.com*"
            OR dest_hostname matches "*seebug.org*"
            OR dest_hostname matches "*bugs.chromium.org*"
        )
        AND NOT (
            image matches "*\\svchost.exe"
            OR image matches "*\\lsass.exe"
            OR image matches "*\\services.exe"
        )
    )
    OR
    /* Branch 2: Sysmon Event 1 — Exploit tool process execution */
    (
        event_id = "1"
        AND (
            command_line matches "*searchsploit*"
            OR command_line matches "*msfconsole*"
            OR command_line matches "*msfvenom*"
            OR (command_line matches "*nuclei*" AND command_line matches "*cve*")
            OR (
                (
                    image matches "*\\python.exe"
                    OR image matches "*\\python3.exe"
                    OR image matches "*\\ruby.exe"
                    OR image matches "*\\perl.exe"
                )
                AND (
                    command_line matches "*poc.py*"
                    OR command_line matches "*exploit.py*"
                    OR command_line matches "*exploit.rb*"
                    OR command_line matches "*exploit.pl*"
                    OR command_line matches "*CVE-20*"
                    OR command_line matches "*cve-20*"
                )
            )
        )
    )
    OR
    /* Branch 3: Sysmon Event 11 — CVE-named or exploit-named file creation */
    (
        event_id = "11"
        AND (
            target_filename matches "*CVE-20*"
            OR target_filename matches "*cve-20*"
            OR target_filename matches "*\\poc.*"
            OR target_filename matches "*\\exploit.*"
            OR target_filename matches "*0day.*"
        )
        AND (
            target_filename matches "*.py"
            OR target_filename matches "*.rb"
            OR target_filename matches "*.sh"
            OR target_filename matches "*.ps1"
            OR target_filename matches "*.pl"
            OR target_filename matches "*.exe"
            OR target_filename matches "*.c"
            OR target_filename matches "*.cpp"
        )
    )
)
| eval detection_branch =
    if (event_id = "3", "ExploitSiteAccess",
        if (event_id = "1", "ExploitToolExecution", "ExploitFileCreated"))
| eval signal_detail =
    if (event_id = "3",
        concat("Process=", image, " | Dest=", dest_hostname, ":", dest_port),
        if (event_id = "1",
            concat("Command=", command_line),
            concat("File=", target_filename, " | Process=", image)))
| fields _messageTime, computer, user, detection_branch, signal_detail, image, command_line, target_filename, parent_image
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon operational log (EventIDs 1, 3, 11) via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise (CSE) — normalized process, network, and file events from Windows endpoints Sumo Logic Windows Event Log source (supplementary for EventID 4688 process creation if Sysmon unavailable)

Required Tables

_sourceCategory=windows/sysmon (Sysmon XML events) _sourceCategory=os/windows/sysmon (alternate common naming convention)

False Positives

Security researchers with authorized access to exploit databases browsing packetstormsecurity.com or sploitus.com for vulnerability intelligence — these users should be identified by username/hostname and added to an allowlist partition in the search scope.
Vulnerability management teams running nuclei or Metasploit as part of scheduled internal scanning — the initiating process parent chain will typically include automation framework binaries; correlating with the scheduled scan calendar prevents false escalations.
Software developers working on security tooling or open-source CVE analysis projects who legitimately create CVE-named Python or C files — reviewing git activity on the same host around the file creation time can quickly distinguish defensive from offensive intent.
Antivirus or EDR quarantine operations that rename malicious files with exploit or CVE nomenclature as part of their isolation workflow — the parent Image field will show AV/EDR process names which can be allowlisted.

Google Chronicle / SecOps

yaral

// T1588.006 — Vulnerability Research: Chronicle YARA-L 2.0 Detection Bundle
// Three rules covering exploit site access, exploit tool execution, and CVE file creation.
// Deploy all three rules to Chronicle for complete coverage.

rule t1588_006_exploit_site_access {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 1 — Internal endpoint connecting to a known exploit repository or vulnerability database"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    re.regex($e.target.hostname,
      `(?i)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)`
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\svchost\.exe$|\\lsass\.exe$|\\services\.exe$)`
    )

  condition:
    $e
}

rule t1588_006_exploit_tool_execution {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 2 — Exploit toolchain execution: searchsploit, Metasploit, nuclei with CVE templates, or CVE PoC scripts via interpreter"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)searchsploit`)
      or re.regex($e.target.process.command_line, `(?i)msfconsole`)
      or re.regex($e.target.process.command_line, `(?i)msfvenom`)
      or (
        re.regex($e.target.process.command_line, `(?i)nuclei`) and
        re.regex($e.target.process.command_line, `(?i)(cve|\-t\s+cves)`)
      )
      or (
        re.regex($e.target.process.file.full_path, `(?i)(python(3)?\.exe$|ruby(\.exe)?$|perl(\.exe)?$)`) and
        re.regex($e.target.process.command_line,
          `(?i)(poc\.py|exploit\.py|exploit\.rb|exploit\.pl|CVE\-20[0-9]{2}\-[0-9]+|cve\-20[0-9]{2}\-[0-9]+)`
        )
      )
    )

  condition:
    $e
}

rule t1588_006_cve_file_creation {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 3 — CVE-named, exploit-named, or 0day-named script or binary written to disk"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path,
      `(?i)(CVE\-20[0-9]{2}\-[0-9]+|[/\\]poc\.|[/\\]exploit\.|0day\.)`
    )
    re.regex($e.target.file.full_path,
      `(?i)\.(py|rb|sh|ps1|pl|exe|c|cpp)$`
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle Unified Data Model (UDM) — PROCESS_LAUNCH, NETWORK_CONNECTION, FILE_CREATION event types Google Chronicle forwarder with Windows endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne, or Microsoft Defender for Endpoint via Chronicle ingestion) Chronicle network sensor or proxy log ingestion for NETWORK_CONNECTION events with hostname enrichment

Required Tables

UDM event type: PROCESS_LAUNCH (target.process.command_line, target.process.file.full_path) UDM event type: NETWORK_CONNECTION (target.hostname, principal.process.file.full_path) UDM event type: FILE_CREATION (target.file.full_path)

False Positives

Authorized red team operators executing Metasploit Framework or searchsploit — correlate alert timestamp and endpoint hostname against the red team engagement calendar and declared source IPs; confirmed engagements can be suppressed via rule exclusion on principal.hostname.
Threat intelligence and malware research teams browsing exploit databases on dedicated analysis VMs — these VMs are typically isolated network segments; confirm whether the principal.ip falls within the analysis subnet before escalating.
Automated vulnerability assessment tools running nuclei in CI/CD pipelines or scheduled scan jobs against pre-production infrastructure — the parent process chain will reflect the CI runner or task scheduler; correlate with the asset's role tag in CMDB.
Developers creating CVE-themed demo applications, security blog posts, or conference talk materials — the file creation path (e.g., home directory, desktop, Downloads) and surrounding file activity (git clone, editor processes) can help distinguish intent from offensive staging.

CrowdStrike LogScale (CQL)

cql

// T1588.006 — Vulnerability Research: CrowdStrike Falcon LogScale Detection
// Covers exploit site DNS/network, exploit tool process execution, and CVE file creation
// Requires: Falcon Insight EDR with Process, DNS, Network, and File telemetry enabled

#event_simpleName in ("ProcessRollup2", "DnsRequest", "NetworkConnectIP4", "NetworkConnectIP6", "NewExecutableWritten", "PeFileWritten")
| case {
    /* Branch 1a: DNS query to known exploit repository domain */
    #event_simpleName = "DnsRequest"
    AND DomainName = /(?i)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)/
    | detection_branch := "ExploitSiteAccess_DNS"
    | signal_detail := format("[DNS] Domain=%s | Process=%s", field=[DomainName, ContextProcessName]) ;

    /* Branch 1b: TCP/IP connection to exploit repository IP (complements DNS branch) */
    #event_simpleName in ("NetworkConnectIP4", "NetworkConnectIP6")
    AND HttpHost = /(?i)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org)/
    | detection_branch := "ExploitSiteAccess_HTTP"
    | signal_detail := format("[Net] Host=%s | RemoteIP=%s:%s | Process=%s",
                              field=[HttpHost, RemoteAddressIP4, RemotePort, ImageFileName]) ;

    /* Branch 2: Exploit toolchain process execution */
    #event_simpleName = "ProcessRollup2"
    AND (
      CommandLine = /(?i)searchsploit/
      OR CommandLine = /(?i)msfconsole/
      OR CommandLine = /(?i)msfvenom/
      OR (CommandLine = /(?i)nuclei/ AND CommandLine = /(?i)(cve|\-t\s*cves)/)
      OR (
        ImageFileName = /(?i)(python(3)?(\.exe)?$|ruby(\.exe)?$|perl(\.exe)?$)/
        AND CommandLine = /(?i)(poc\.py|exploit\.py|exploit\.rb|exploit\.pl|CVE\-20[0-9]{2}\-[0-9]+|cve\-20[0-9]{2})/
      )
    )
    | detection_branch := "ExploitToolExecution"
    | signal_detail := format("[Exec] Process=%s | Command=%s",
                              field=[ImageFileName, CommandLine]) ;

    /* Branch 3: CVE-named or exploit-named executable/script written to disk */
    #event_simpleName in ("NewExecutableWritten", "PeFileWritten")
    AND TargetFileName = /(?i)(CVE\-20[0-9]{2}\-[0-9]+|[/\\]poc\.|[/\\]exploit\.|0day\.)/
    AND TargetFileName = /(?i)\.(py|rb|sh|ps1|pl|exe|c|cpp)$/
    | detection_branch := "ExploitFileCreated"
    | signal_detail := format("[File] Path=%s | WrittenBy=%s",
                              field=[TargetFileName, ImageFileName]) ;

    /* Drop events that match none of the branches */
    * | drop()
  }
| table(
    [@timestamp, ComputerName, UserName, detection_branch, signal_detail,
     ImageFileName, CommandLine, TargetFileName, RemoteAddressIP4],
    sortby=@timestamp,
    order=desc,
    limit=500
  )

high severity medium confidence

Data Sources

CrowdStrike Falcon Insight EDR — ProcessRollup2 (process creation), DnsRequest (DNS telemetry), NetworkConnectIP4/IP6 (network connections), NewExecutableWritten/PeFileWritten (file writes) CrowdStrike Falcon LogScale (formerly Humio) — event repository with Falcon data connector CrowdStrike Falcon sensor policy must have Process Activity, DNS Monitoring, Network Monitoring, and File Activity telemetry enabled for all in-scope host groups

Required Tables

#event_simpleName=ProcessRollup2 (fields: CommandLine, ImageFileName, UserName, ComputerName) #event_simpleName=DnsRequest (fields: DomainName, ContextProcessName, ComputerName) #event_simpleName=NetworkConnectIP4 or NetworkConnectIP6 (fields: HttpHost, RemoteAddressIP4, RemotePort, ImageFileName) #event_simpleName=NewExecutableWritten or PeFileWritten (fields: TargetFileName, ImageFileName, UserName)

False Positives

Authorized penetration testers running searchsploit or Metasploit from their assessment workstations — in Falcon, these hosts can be identified by hostname tag or host group membership (e.g., 'red-team-endpoints') and excluded from the query with a NOT ComputerName filter or prevention policy exception.
Security engineers running nuclei as part of internal DAST pipelines — the parent process tree in ProcessRollup2 will show CI/CD agent processes (e.g., jenkins.exe, runner.exe); correlating ParentImageFileName against known automation service accounts narrows false positive volume significantly.
Threat intelligence analysts or malware reverse engineers on isolated sandbox VMs downloading CVE PoC scripts from GitHub or exploit-db — DNS telemetry from isolated analysis networks (identifiable by sensor host group) can be scoped out with an additional AND NOT ComputerName = /sandbox/ filter.
Security certifications and CTF training (OSCP labs, HTB Pro Labs) where practitioners run Metasploit extensively — confirm the ComputerName is a training host via asset inventory and suppress with a host group exclusion rather than a blanket allowlist.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1588.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1588Obtain Capabilities

Related Sub-techniques

T1588.001Malware T1588.002Tool T1588.003Code Signing Certificates T1588.004Digital Certificates T1588.005Exploits T1588.007Artificial Intelligence

Vulnerabilities

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections