Detect Vulnerabilities in Elastic Security
Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.006 Vulnerabilities
- Canonical reference: https://attack.mitre.org/techniques/T1588/006/
Elastic Detection Query
any where
  (
    /* Branch 1: Internal endpoint connecting to known exploit repositories */
    event.category == "network" and
    destination.domain like~ (
      "*exploit-db.com*", "*packetstormsecurity.com*", "*sploitus.com*",
      "*0day.today*", "*vulners.com*", "*cxsecurity.com*",
      "*seebug.org*", "*bugs.chromium.org*"
    ) and
    not process.name in~ ("svchost.exe", "lsass.exe", "services.exe")
  )
  or
  (
    /* Branch 2: Exploit toolchain execution — searchsploit, Metasploit, CVE PoC scripts */
    event.category == "process" and event.type == "start" and
    (
      process.command_line like~ "*searchsploit*" or
      process.command_line like~ "*msfconsole*" or
      process.command_line like~ "*msfvenom*" or
      (process.command_line like~ "*nuclei*" and process.command_line like~ "*cve*") or
      (
        process.name in~ ("python.exe", "python3", "python3.exe", "ruby", "ruby.exe", "perl", "perl.exe") and
        (
          process.command_line like~ "*poc.py*" or
          process.command_line like~ "*exploit.py*" or
          process.command_line like~ "*exploit.rb*" or
          process.command_line like~ "*exploit.pl*" or
          process.command_line like~ "*CVE-20*" or
          process.command_line like~ "*cve-20*"
        )
      )
    )
  )
  or
  (
    /* Branch 3: CVE-named or exploit-named script/binary created on disk */
    event.category == "file" and event.type == "creation" and
    (
      file.name like~ "CVE-20*" or
      file.name like~ "cve-20*" or
      file.name like~ "poc.*" or
      file.name like~ "0day.*" or
      file.name like~ "exploit.*"
    ) and
    file.extension in~ ("py", "rb", "sh", "exe", "ps1", "pl", "c", "cpp")
  )

Detects T1588.006 indirect indicators via three branches using Elastic ECS fields: (1) outbound network connections from internal endpoints to exploit repositories such as exploit-db.com, packetstormsecurity.com, sploitus.com, and vulners.com, excluding known system processes; (2) process start events for exploit toolchain utilities including searchsploit, msfconsole, msfvenom, nuclei with CVE templates, and CVE-named PoC scripts executed via Python, Ruby, or Perl interpreters; (3) file creation events where the filename contains a CVE identifier, 'poc', 'exploit', or '0day' and carries an executable script or binary extension. Requires the Elastic Endpoint Security agent, or Winlogbeat with Sysmon, forwarding ECS-normalized events.
False Positives & Tuning
- Authorized red team operators or penetration testers running Metasploit, searchsploit, or nuclei against in-scope targets — correlate with change management records and authorized testing windows before escalating.
- Security researchers and threat intelligence analysts on dedicated research workstations browsing exploit-db.com or vulners.com for defensive purposes — consider allowlisting specific analyst machine hostnames after vetting.
- Automated vulnerability scanners (Tenable, Qualys, Rapid7 Nexpose) spawning nuclei or similar tools as part of scheduled assessments — scanner host IPs should be allowlisted by asset tag or subnet.
- Security awareness training platforms or CTF environments where students clone and run CVE PoC code as part of controlled exercises — lab network segments can be excluded by CIDR block.
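The rule above and the tuning list, as an added example that is not the page's or Elastic's own code: the three branches re-implemented in Python and run over constructed ECS-style events modelled on the expected signals in the testing section, with a host-name allowlist and a scanner-subnet allowlist layered on top as the tuning notes suggest. Host names, IP addresses and the subnet are placeholders.

```python
# Added example, not the page's own code: the three-branch rule above re-implemented in Python and run
# over constructed ECS-style events, with the tuning allowlists from the false-positive section (placeholders).
import fnmatch
import ipaddress
REPOS = ("*exploit-db.com*", "*packetstormsecurity.com*", "*sploitus.com*", "*0day.today*",
         "*vulners.com*", "*cxsecurity.com*", "*seebug.org*", "*bugs.chromium.org*")
SYSTEM_PROCS = {"svchost.exe", "lsass.exe", "services.exe"}
INTERPRETERS = {"python.exe", "python3", "python3.exe", "ruby", "ruby.exe", "perl", "perl.exe"}
TOOLS = ("*searchsploit*", "*msfconsole*", "*msfvenom*")
POC_CMDS = ("*poc.py*", "*exploit.py*", "*exploit.rb*", "*exploit.pl*", "*cve-20*")
POC_FILES = ("cve-20*", "poc.*", "0day.*", "exploit.*")
EXTS = {"py", "rb", "sh", "exe", "ps1", "pl", "c", "cpp"}
ALLOWED_HOSTS = {"ti-research-01"}                      # vetted analyst workstation (placeholder)
ALLOWED_NETS = [ipaddress.ip_network("10.50.0.0/24")]  # vulnerability-scanner subnet (placeholder)

def like(value, patterns):  # mirrors EQL `like~`: case-insensitive wildcard match over a pattern list
    return value is not None and any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def match_branch(ev):
    """Return the rule branch (1, 2 or 3) an event matches, or 0 if it matches none."""
    cat, typ = ev.get("event.category"), ev.get("event.type")
    cmd, pname = ev.get("process.command_line"), (ev.get("process.name") or "").lower()
    # EQL null semantics: `not process.name in~ (...)` is null (no match) when the field is absent
    if cat == "network" and like(ev.get("destination.domain"), REPOS) and pname and pname not in SYSTEM_PROCS:
        return 1
    if cat == "process" and typ == "start" and (
            like(cmd, TOOLS) or (like(cmd, ("*nuclei*",)) and like(cmd, ("*cve*",)))
            or (pname in INTERPRETERS and like(cmd, POC_CMDS))):
        return 2
    if cat == "file" and typ == "creation" and like(ev.get("file.name"), POC_FILES) \
            and (ev.get("file.extension") or "").lower() in EXTS:
        return 3
    return 0

def allowlisted(ev):  # tuning layer: drop hits from vetted analyst hosts or the scanner subnet
    ip = ev.get("host.ip")
    return ev.get("host.name") in ALLOWED_HOSTS or bool(ip and any(ipaddress.ip_address(ip) in n for n in ALLOWED_NETS))

def evaluate(events):  # (branch, host) for every event that matches the rule and survives tuning
    return [(b, ev["host.name"]) for ev in events if (b := match_branch(ev)) and not allowlisted(ev)]

SAMPLE_EVENTS = [  # constructed, modelled on the expected signals in the testing section
    {"event.category": "network", "destination.domain": "www.exploit-db.com", "process.name": "curl", "host.name": "dev-ws-07", "host.ip": "10.10.1.5"},
    {"event.category": "process", "event.type": "start", "process.name": "searchsploit", "process.command_line": "searchsploit CVE-2021-44228", "host.name": "dev-ws-07", "host.ip": "10.10.1.5"},
    {"event.category": "file", "event.type": "creation", "file.name": "CVE-2021-44228-exploit.py", "file.extension": "py", "host.name": "dev-ws-07", "host.ip": "10.10.1.5"},
    {"event.category": "process", "event.type": "start", "process.name": "nuclei", "process.command_line": "nuclei -u http://127.0.0.1 -t cves/2021/CVE-2021-44228.yaml", "host.name": "scanner-03", "host.ip": "10.50.0.12"},
    {"event.category": "network", "destination.domain": "vulners.com", "process.name": "firefox", "host.name": "ti-research-01", "host.ip": "10.10.2.9"},
    {"event.category": "network", "destination.domain": "vulners.com", "process.name": "svchost.exe", "host.name": "dev-ws-07", "host.ip": "10.10.1.5"},
]
```

Running `evaluate(SAMPLE_EVENTS)` yields one hit per branch for dev-ws-07; the nuclei run on the scanner subnet and the analyst's browsing are matched by the rule but suppressed by the allowlists, and the svchost.exe connection is excluded by the rule itself.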
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Exploit-DB Access via Command Line HTTP Client
Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html. Auditd EXECVE record for curl with exploit-db.com argument.
- Test 2: searchsploit CVE Lookup
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. Process creates child grep/ruby processes to query the local database.
- Test 3: Download and Stage CVE PoC Script
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd OPEN record with path=/tmp/CVE-2021-44228-exploit.py and flags indicating write access.
- Test 4: Nuclei CVE Template Scan Simulation
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.
- Test 5: Bulk CVE Research File Creation (Burst Pattern)
Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Log Event ID 4104 capturing the full foreach loop.
References
- https://attack.mitre.org/techniques/T1588/006/
- https://nvd.nist.gov/
- https://www.exploit-db.com/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.microsoft.com/en-us/security/blog/2023/09/06/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://github.com/projectdiscovery/nuclei-templates/tree/main/cves
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/trickest/cve