T1588.006 Google Chronicle · YARA-L

Detect Vulnerabilities in Google Chronicle

Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, and may also target organizations that conduct vulnerability research in order to obtain pre-disclosure intelligence.

Because this technique takes place on adversary-controlled infrastructure before any contact with the victim, it cannot be observed directly in victim-side SIEM telemetry. Detection therefore pivots to indirect indicators in the victim environment: internal endpoints reaching exploit repositories (which may indicate an insider threat or a compromised research workstation), exploit development toolchain execution, creation of CVE-named files, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, which makes the window after public disclosure a critical detection opportunity.

MITRE ATT&CK

Tactic: Resource Development
Technique: T1588 Obtain Capabilities
Sub-technique: T1588.006 Vulnerabilities
Canonical reference: https://attack.mitre.org/techniques/T1588/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
// T1588.006 — Vulnerability Research: Chronicle YARA-L 2.0 Detection Bundle
// Three rules covering exploit site access, exploit tool execution, and CVE file creation.
// Deploy all three rules to Chronicle for complete coverage.

rule t1588_006_exploit_site_access {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 1 — Internal endpoint connecting to a known exploit repository or vulnerability database"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "HIGH"
    confidence = "MEDIUM"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"
    // Anchored to the registrable domain: www.exploit-db.com matches, a lookalike such as
    // exploit-db.com.<other-domain> does not.
    re.regex($e.target.hostname,
      `(?i)(^|\.)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)$`
    )
    not re.regex($e.principal.process.file.full_path,
      `(?i)(\\svchost\.exe$|\\lsass\.exe$|\\services\.exe$)`
    )

  condition:
    $e
}

rule t1588_006_exploit_tool_execution {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 2 — Exploit toolchain execution: searchsploit, Metasploit, nuclei with CVE templates, or CVE PoC scripts via interpreter"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.command_line, `(?i)searchsploit`)
      or re.regex($e.target.process.command_line, `(?i)msfconsole`)
      or re.regex($e.target.process.command_line, `(?i)msfvenom`)
      or (
        re.regex($e.target.process.command_line, `(?i)nuclei`) and
        re.regex($e.target.process.command_line, `(?i)(cve|\-t\s+cves)`)
      )
      or (
        // Interpreter match covers Windows (python.exe) and Linux (/usr/bin/python3, python3.11) paths;
        // a pattern that requires .exe would never fire on Linux endpoints.
        re.regex($e.target.process.file.full_path, `(?i)(python(3(\.[0-9]+)?)?(\.exe)?$|ruby(\.exe)?$|perl(\.exe)?$)`) and
        re.regex($e.target.process.command_line,
          `(?i)(poc\.py|exploit\.(py|rb|pl)|cve\-20[0-9]{2}\-[0-9]{4,})`
        )
      )
    )

  condition:
    $e
}

rule t1588_006_cve_file_creation {
  meta:
    author = "Detection Engineering"
    description = "T1588.006 Branch 3 — CVE-named, exploit-named, or 0day-named script or binary written to disk"
    mitre_attack_tactic = "Resource Development"
    mitre_attack_technique = "T1588.006"
    severity = "MEDIUM"
    confidence = "MEDIUM"
    priority = "MEDIUM"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    re.regex($e.target.file.full_path,
      `(?i)(CVE\-20[0-9]{2}\-[0-9]+|[/\\]poc\.|[/\\]exploit\.|0day\.)`
    )
    re.regex($e.target.file.full_path,
      `(?i)\.(py|rb|sh|ps1|pl|exe|c|cpp)$`
    )

  condition:
    $e
}

Three Chronicle YARA-L 2.0 rules, written against the UDM (Unified Data Model), cover three of the four indirect indicators listed above; correlating public disclosure timelines with later exploitation attempts is a hunting exercise rather than a single-event rule and is not expressed here. Rule 1 (t1588_006_exploit_site_access) fires on NETWORK_CONNECTION events whose target hostname matches a known exploit repository, excluding connections initiated by Windows system processes; it depends on hostname enrichment of the event, so a connection logged only by destination IP will not match. Rule 2 (t1588_006_exploit_tool_execution) fires on PROCESS_LAUNCH events whose command line matches exploit toolchain patterns: searchsploit, msfconsole, msfvenom, nuclei with a CVE scope, and CVE PoC scripts invoked through a Python, Ruby or Perl interpreter. Rule 3 (t1588_006_cve_file_creation) fires on FILE_CREATION events whose path carries a CVE identifier, exploit or 0day name together with a script or executable extension. All three rules require endpoint telemetry forwarded to Chronicle through the Chronicle Forwarder or a supported EDR integration that populates the UDM PROCESS_LAUNCH, NETWORK_CONNECTION and FILE_CREATION event types.
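The three branches cannot be exercised outside Chronicle, so the following is an added example (not code from the page, from Chronicle, or from the rule author): the same regex logic re-implemented in Python and run over constructed UDM-shaped events modelled on the five tests in the Testing Methodology section, plus three negatives. It shows which test lands in which rule, why the hostname regex must be anchored to the registrable domain, why the interpreter pattern must accept Linux paths, and how the red-team host suppression from the tuning section fits in. The flattened dict keys stand in for the UDM field paths, and every hostname, path, command line and allowlist entry is constructed sample data.

```python
"""Local re-implementation of the three T1588.006 YARA-L branches (added example)."""
import re

# Branch 1: known exploit repositories, anchored to the registrable domain.
EXPLOIT_SITES = re.compile(
    r"(?i)(^|\.)(exploit-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|"
    r"vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)$"
)
SYSTEM_PROCS = re.compile(r"(?i)(\\svchost\.exe$|\\lsass\.exe$|\\services\.exe$)")

# Branch 2: exploit toolchain. Interpreter regex accepts Windows and Linux paths.
INTERPRETERS = re.compile(r"(?i)(python(3(\.[0-9]+)?)?(\.exe)?$|ruby(\.exe)?$|perl(\.exe)?$)")
# Windows-only form kept for comparison: it never matches /usr/bin/python3.
WINDOWS_ONLY_INTERPRETERS = re.compile(r"(?i)(python(3)?\.exe$|ruby(\.exe)?$|perl(\.exe)?$)")
TOOLS = re.compile(r"(?i)(searchsploit|msfconsole|msfvenom)")
NUCLEI_CVE = re.compile(r"(?i)(cve|-t\s+cves)")
POC_ARGS = re.compile(r"(?i)(poc\.py|exploit\.(py|rb|pl)|cve-20[0-9]{2}-[0-9]{4,})")

# Branch 3: CVE / PoC / 0day named scripts or binaries written to disk.
CVE_FILE = re.compile(r"(?i)(cve-20[0-9]{2}-[0-9]{4,}|[/\\]poc\.|[/\\]exploit\.|0day\.)")
SCRIPT_EXT = re.compile(r"(?i)\.(py|rb|sh|ps1|pl|exe|c|cpp)$")

# Constructed allowlist standing in for the red-team exclusion on principal.hostname.
RED_TEAM_HOSTS = {"rt-kali-01"}


def exploit_site_access(ev):
    if ev["event_type"] != "NETWORK_CONNECTION":
        return False
    if not EXPLOIT_SITES.search(ev.get("target_hostname", "")):
        return False
    return not SYSTEM_PROCS.search(ev.get("principal_process_path", ""))


def exploit_tool_execution(ev):
    if ev["event_type"] != "PROCESS_LAUNCH":
        return False
    cmd = ev.get("command_line", "")
    path = ev.get("process_path", "")
    if TOOLS.search(cmd):
        return True
    if re.search(r"(?i)nuclei", cmd) and NUCLEI_CVE.search(cmd):
        return True
    return bool(INTERPRETERS.search(path) and POC_ARGS.search(cmd))


def cve_file_creation(ev):
    if ev["event_type"] != "FILE_CREATION":
        return False
    path = ev.get("file_path", "")
    return bool(CVE_FILE.search(path) and SCRIPT_EXT.search(path))


def evaluate(events):
    """Return {rule_name: [event ids]} after applying the red-team allowlist."""
    rules = {
        "t1588_006_exploit_site_access": exploit_site_access,
        "t1588_006_exploit_tool_execution": exploit_tool_execution,
        "t1588_006_cve_file_creation": cve_file_creation,
    }
    hits = {name: [] for name in rules}
    for ev in events:
        if ev.get("principal_hostname") in RED_TEAM_HOSTS:
            continue  # declared engagement host: suppressed before any rule runs
        for name, rule in rules.items():
            if rule(ev):
                hits[name].append(ev["id"])
    return hits


# Constructed events modelled on Tests 1-5, then a Linux PoC run, a lookalike
# domain, and a declared red-team host.
SAMPLE_EVENTS = [
    {"id": "t1", "event_type": "NETWORK_CONNECTION", "principal_hostname": "dev-ws-07",
     "principal_process_path": "/usr/bin/curl", "target_hostname": "www.exploit-db.com"},
    {"id": "t2", "event_type": "PROCESS_LAUNCH", "principal_hostname": "dev-ws-07",
     "process_path": "/usr/bin/searchsploit", "command_line": "searchsploit CVE-2021-44228"},
    {"id": "t3", "event_type": "FILE_CREATION", "principal_hostname": "dev-ws-07",
     "file_path": "/tmp/CVE-2021-44228-exploit.py"},
    {"id": "t4", "event_type": "PROCESS_LAUNCH", "principal_hostname": "dev-ws-07",
     "process_path": "/root/go/bin/nuclei",
     "command_line": "nuclei -u http://127.0.0.1 -t cves/2021/CVE-2021-44228.yaml"},
    {"id": "t5", "event_type": "FILE_CREATION", "principal_hostname": "dev-ws-07",
     "file_path": "C:\\Users\\dev\\Desktop\\CVE-2023-0001-poc.py"},
    {"id": "linux-poc", "event_type": "PROCESS_LAUNCH", "principal_hostname": "dev-ws-07",
     "process_path": "/usr/bin/python3", "command_line": "python3 poc.py --target 10.0.0.5"},
    {"id": "lookalike", "event_type": "NETWORK_CONNECTION", "principal_hostname": "dev-ws-07",
     "principal_process_path": "/usr/bin/curl", "target_hostname": "exploit-db.com.cdn.example"},
    {"id": "redteam", "event_type": "PROCESS_LAUNCH", "principal_hostname": "rt-kali-01",
     "process_path": "/usr/bin/msfconsole", "command_line": "msfconsole -q"},
]

if __name__ == "__main__":
    for rule, ids in evaluate(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

Running the block prints one line per rule: Test 1 is the only site-access hit, Tests 2 and 4 plus the Linux PoC run are the tool-execution hits, Tests 3 and 5 are the file-creation hits, and the lookalike domain and red-team host produce nothing. The allowlist is applied before the rules run, which mirrors an exclusion on principal.hostname in the YARA-L events section rather than a post-alert filter.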

Data Sources

  • Chronicle Unified Data Model (UDM): PROCESS_LAUNCH, NETWORK_CONNECTION and FILE_CREATION event types
  • Google Chronicle forwarder with Windows endpoint telemetry (CrowdStrike, Carbon Black, SentinelOne, or Microsoft Defender for Endpoint via Chronicle ingestion)
  • Chronicle network sensor or proxy log ingestion for NETWORK_CONNECTION events with hostname enrichment

Required Tables

  • UDM event type: PROCESS_LAUNCH (target.process.command_line, target.process.file.full_path)
  • UDM event type: NETWORK_CONNECTION (target.hostname, principal.process.file.full_path)
  • UDM event type: FILE_CREATION (target.file.full_path)

False Positives & Tuning

  • Authorized red team operators executing Metasploit Framework or searchsploit — correlate alert timestamp and endpoint hostname against the red team engagement calendar and declared source IPs; confirmed engagements can be suppressed via rule exclusion on principal.hostname.
  • Threat intelligence and malware research teams browsing exploit databases on dedicated analysis VMs — these VMs are typically isolated network segments; confirm whether the principal.ip falls within the analysis subnet before escalating.
  • Automated vulnerability assessment tools running nuclei in CI/CD pipelines or scheduled scan jobs against pre-production infrastructure — the parent process chain will reflect the CI runner or task scheduler; correlate with the asset's role tag in CMDB.
  • Developers creating CVE-themed demo applications, security blog posts, or conference talk materials — the file creation path (e.g., home directory, desktop, Downloads) and surrounding file activity (git clone, editor processes) can help distinguish intent from offensive staging.
Testing Methodology

Validate this detection against the five test cases below, modelled on Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. Test 1 exercises Rule 1 (only when the NETWORK_CONNECTION event carries a hostname rather than a bare destination IP), Tests 2 and 4 exercise Rule 2, and Tests 3 and 5 exercise Rule 3. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Exploit-DB Access via Command Line HTTP Client

    Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html. Auditd EXECVE record for curl with exploit-db.com argument.

  2. Test 2: searchsploit CVE Lookup

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. Process creates child grep/ruby processes to query the local database.

  3. Test 3: Download and Stage CVE PoC Script

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd OPEN record with path=/tmp/CVE-2021-44228-exploit.py and flags indicating write access.

  4. Test 4: Nuclei CVE Template Scan Simulation

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.

  5. Test 5: Bulk CVE Research File Creation (Burst Pattern)

    Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Log Event ID 4104 capturing the full foreach loop.
