Detect Vulnerabilities in CrowdStrike LogScale
Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.006 Vulnerabilities
- Canonical reference: https://attack.mitre.org/techniques/T1588/006/
LogScale Detection Query
// T1588.006 — Vulnerability Research: CrowdStrike Falcon LogScale Detection
// Covers exploit site DNS/network, exploit tool process execution, and CVE file creation
// Requires: Falcon Insight EDR with Process, DNS, Network, and File telemetry enabled
#event_simpleName in ("ProcessRollup2", "DnsRequest", "NetworkConnectIP4", "NetworkConnectIP6", "NewExecutableWritten", "PeFileWritten")
| case {
    /* Branch 1a: DNS query to known exploit repository domain */
    #event_simpleName = "DnsRequest"
    AND DomainName = /(?i)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)/
    | detection_branch := "ExploitSiteAccess_DNS"
    | signal_detail := format("[DNS] Domain=%s | Process=%s", field=[DomainName, ContextProcessName]) ;

    /* Branch 1b: TCP/IP connection to exploit repository host (complements DNS branch) */
    #event_simpleName in ("NetworkConnectIP4", "NetworkConnectIP6")
    AND HttpHost = /(?i)(exploit\-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|vulners\.com|cxsecurity\.com|seebug\.org)/
    | detection_branch := "ExploitSiteAccess_HTTP"
    | signal_detail := format("[Net] Host=%s | RemoteIP=%s:%s | Process=%s",
        field=[HttpHost, RemoteAddressIP4, RemotePort, ImageFileName]) ;

    /* Branch 2: Exploit toolchain process execution */
    #event_simpleName = "ProcessRollup2"
    AND (
        CommandLine = /(?i)searchsploit/
        OR CommandLine = /(?i)msfconsole/
        OR CommandLine = /(?i)msfvenom/
        OR (CommandLine = /(?i)nuclei/ AND CommandLine = /(?i)(cve|\-t\s*cves)/)
        OR (
            /* Script interpreter launched with a PoC/exploit script or a CVE id on its command line */
            ImageFileName = /(?i)(python(3)?(\.exe)?$|ruby(\.exe)?$|perl(\.exe)?$)/
            AND CommandLine = /(?i)(poc\.py|exploit\.py|exploit\.rb|exploit\.pl|CVE\-20[0-9]{2}\-[0-9]+|cve\-20[0-9]{2})/
        )
    )
    | detection_branch := "ExploitToolExecution"
    | signal_detail := format("[Exec] Process=%s | Command=%s",
        field=[ImageFileName, CommandLine]) ;

    /* Branch 3: CVE-named or exploit-named executable/script written to disk */
    #event_simpleName in ("NewExecutableWritten", "PeFileWritten")
    AND TargetFileName = /(?i)(CVE\-20[0-9]{2}\-[0-9]+|[/\\]poc\.|[/\\]exploit\.|0day\.)/
    AND TargetFileName = /(?i)\.(py|rb|sh|ps1|pl|exe|c|cpp)$/
    | detection_branch := "ExploitFileCreated"
    | signal_detail := format("[File] Path=%s | WrittenBy=%s",
        field=[TargetFileName, ImageFileName])

    /* No catch-all branch: case discards events that match none of its statements.
       (drop() in LogScale removes fields from an event, not the event itself, so it
       cannot be used as a filter here.) */
}
| table(
    [@timestamp, ComputerName, UserName, detection_branch, signal_detail,
     ImageFileName, CommandLine, TargetFileName, RemoteAddressIP4],
    sortby=@timestamp,
    order=desc,
    limit=500
)

Detects T1588.006 indirect indicators using CrowdStrike Falcon telemetry via LogScale CQL. Four branches are implemented using a case expression over Falcon event simple names: (1a) DnsRequest events where DomainName matches known exploit repositories; (1b) NetworkConnectIP4/IP6 events with an HttpHost header matching the same repository list for HTTP-layer correlation; (2) ProcessRollup2 events where CommandLine matches searchsploit, msfconsole, msfvenom, nuclei with CVE scope, or CVE PoC scripts run via Python/Ruby/Perl; (3) NewExecutableWritten or PeFileWritten events where the target file path includes a CVE identifier, exploit, or 0day naming pattern with an executable or script extension. Events matching none of the branches are dropped. Requires Falcon Insight EDR with Process, DNS, Network Connect, and File Write telemetry streams enabled in the sensor policy.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testers running searchsploit or Metasploit from their assessment workstations — in Falcon, these hosts can be identified by hostname tag or host group membership (e.g., 'red-team-endpoints') and excluded from the query with a NOT ComputerName filter or prevention policy exception.
- Security engineers running nuclei as part of internal DAST pipelines — the parent process tree in ProcessRollup2 will show CI/CD agent processes (e.g., jenkins.exe, runner.exe); correlating ParentImageFileName against known automation service accounts narrows false positive volume significantly.
- Threat intelligence analysts or malware reverse engineers on isolated sandbox VMs downloading CVE PoC scripts from GitHub or exploit-db — DNS telemetry from isolated analysis networks (identifiable by sensor host group) can be scoped out with an additional AND NOT ComputerName = /sandbox/ filter.
- Security certifications and CTF training (OSCP labs, HTB Pro Labs) where practitioners run Metasploit extensively — confirm the ComputerName is a training host via asset inventory and suppress with a host group exclusion rather than a blanket allowlist.
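To make the branch logic of the query and the tuning rules from this section testable offline, here is an added Python re-implementation (example code written for this page, not CrowdStrike's query or any product code). It mirrors the four case branches with the same regexes, then applies the suppressions described above. Two things are assumptions: the page recommends host-group exclusions, but since a host group is not present in the sample records, hostnames matching `sandbox` or `red-team` stand in for it; and the CI/CD parent-process names (`jenkins.exe`, `runner.exe`) are taken from the example in the nuclei bullet. All sample events are constructed, and the CVE id is the one the Testing Methodology section uses.

```python
import re
from typing import Optional

# Regexes mirror the branches of the LogScale query (two site lists: the HTTP branch omits bugs.chromium.org).
DNS_SITES = re.compile(r"(exploit-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|"
                       r"vulners\.com|cxsecurity\.com|seebug\.org|bugs\.chromium\.org)", re.I)
HTTP_SITES = re.compile(r"(exploit-db\.com|packetstormsecurity\.com|sploitus\.com|0day\.today|"
                        r"vulners\.com|cxsecurity\.com|seebug\.org)", re.I)
EXPLOIT_TOOLS = re.compile(r"(searchsploit|msfconsole|msfvenom)", re.I)
NUCLEI = re.compile(r"nuclei", re.I)
NUCLEI_CVE_SCOPE = re.compile(r"(cve|-t\s*cves)", re.I)
SCRIPT_INTERP = re.compile(r"(python(3)?(\.exe)?$|ruby(\.exe)?$|perl(\.exe)?$)", re.I)
POC_COMMAND = re.compile(r"(poc\.py|exploit\.py|exploit\.rb|exploit\.pl|CVE-20[0-9]{2}-[0-9]+|cve-20[0-9]{2})", re.I)
EXPLOIT_FILE = re.compile(r"(CVE-20[0-9]{2}-[0-9]+|[/\\]poc\.|[/\\]exploit\.|0day\.)", re.I)
EXPLOIT_EXT = re.compile(r"\.(py|rb|sh|ps1|pl|exe|c|cpp)$", re.I)

# Tuning knobs (assumptions): hostname patterns stand in for the host-group exclusions the
# page recommends; parent basenames identify CI/CD agents as in the nuclei bullet.
EXCLUDED_HOST_PATTERN = re.compile(r"(sandbox|red-?team)", re.I)
AUTOMATION_PARENTS = {"jenkins.exe", "runner.exe"}


def _signal(event: dict, branch: str, detail: str) -> dict:
    """Build the record the query's table() would emit, plus the parent process for tuning."""
    return {"ComputerName": event.get("ComputerName", ""),
            "detection_branch": branch,
            "signal_detail": detail,
            "ParentImageFileName": event.get("ParentImageFileName", "")}


def classify(event: dict) -> Optional[dict]:
    """Return a detection record for one Falcon-style event, or None when no branch matches."""
    name = event.get("event_simpleName")
    if name == "DnsRequest" and DNS_SITES.search(event.get("DomainName", "")):
        return _signal(event, "ExploitSiteAccess_DNS",
                       f"[DNS] Domain={event['DomainName']} | Process={event.get('ContextProcessName', '')}")
    if name in ("NetworkConnectIP4", "NetworkConnectIP6") and HTTP_SITES.search(event.get("HttpHost", "")):
        return _signal(event, "ExploitSiteAccess_HTTP",
                       f"[Net] Host={event['HttpHost']} | RemoteIP={event.get('RemoteAddressIP4', '')}:"
                       f"{event.get('RemotePort', '')} | Process={event.get('ImageFileName', '')}")
    if name == "ProcessRollup2":
        cmd, img = event.get("CommandLine", ""), event.get("ImageFileName", "")
        if (EXPLOIT_TOOLS.search(cmd)
                or (NUCLEI.search(cmd) and NUCLEI_CVE_SCOPE.search(cmd))
                or (SCRIPT_INTERP.search(img) and POC_COMMAND.search(cmd))):
            return _signal(event, "ExploitToolExecution", f"[Exec] Process={img} | Command={cmd}")
    if name in ("NewExecutableWritten", "PeFileWritten"):
        path = event.get("TargetFileName", "")
        if EXPLOIT_FILE.search(path) and EXPLOIT_EXT.search(path):
            return _signal(event, "ExploitFileCreated",
                           f"[File] Path={path} | WrittenBy={event.get('ImageFileName', '')}")
    return None


def is_suppressed(signal: dict) -> bool:
    """Tuning: drop signals from excluded hosts, and tool executions spawned by CI/CD agents."""
    if EXCLUDED_HOST_PATTERN.search(signal["ComputerName"]):
        return True
    parent = signal["ParentImageFileName"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return signal["detection_branch"] == "ExploitToolExecution" and parent in AUTOMATION_PARENTS


def run(events: list) -> list:
    """Classify every event and apply tuning; returns the surviving detection records in order."""
    return [s for s in map(classify, events) if s is not None and not is_suppressed(s)]


# Constructed sample events (not real telemetry); field names follow Falcon's schema.
SAMPLE_EVENTS = [
    {"event_simpleName": "DnsRequest", "ComputerName": "WS-FIN-042",
     "DomainName": "www.exploit-db.com", "ContextProcessName": "chrome.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "redteam-03",          # excluded host
     "ImageFileName": "/usr/bin/searchsploit", "CommandLine": "searchsploit CVE-2021-44228",
     "ParentImageFileName": "/bin/bash"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "CI-AGENT-01",         # CI/CD parent
     "ImageFileName": "C:\\tools\\nuclei.exe", "CommandLine": "nuclei.exe -u http://10.0.0.5 -t cves",
     "ParentImageFileName": "C:\\actions-runner\\bin\\runner.exe"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-ENG-117",
     "ImageFileName": "/usr/bin/python3", "CommandLine": "python3 /tmp/CVE-2021-44228-exploit.py",
     "ParentImageFileName": "/bin/bash"},
    {"event_simpleName": "NewExecutableWritten", "ComputerName": "WS-ENG-117",
     "TargetFileName": "/tmp/CVE-2021-44228-exploit.py", "ImageFileName": "/usr/bin/wget"},
    {"event_simpleName": "ProcessRollup2", "ComputerName": "WS-ENG-117",          # benign interpreter use
     "ImageFileName": "/usr/bin/python3", "CommandLine": "python3 manage.py runserver",
     "ParentImageFileName": "/bin/bash"},
]

if __name__ == "__main__":
    for s in run(SAMPLE_EVENTS):
        print(s["ComputerName"], s["detection_branch"], s["signal_detail"])
```

Running the block prints three surviving signals (the DNS lookup, the Python PoC execution and the PoC file write); the searchsploit run on the red-team host and the nuclei scan under the CI runner are classified but suppressed. Keeping classification and suppression as separate steps is deliberate: the suppressed records can still be counted for tuning metrics, which a single combined `NOT` filter in the query would hide.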
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Exploit-DB Access via Command Line HTTP Client
Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html. Auditd EXECVE record for curl with exploit-db.com argument.
- Test 2: searchsploit CVE Lookup
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. Process creates child grep/ruby processes to query the local database.
- Test 3: Download and Stage CVE PoC Script
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd OPEN record with path=/tmp/CVE-2021-44228-exploit.py and flags indicating write access.
- Test 4: Nuclei CVE Template Scan Simulation
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from the nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.
- Test 5: Bulk CVE Research File Creation (Burst Pattern)
Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching the CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Log Event ID 4104 capturing the full foreach loop.
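The per-event LogScale query above fires on each CVE-named file write individually; the burst pattern in Test 5 (five creates in rapid succession on one host) is a separate, aggregate signal. The following is an added Python example, not part of the page or of any vendor tooling, showing a sliding-window burst detector over Sysmon Event ID 11 records shaped the way the expected signal describes them. The records, hostnames, paths and timestamps are constructed, and the CVE ids in the file names are obvious placeholders (year 2099); the threshold and window are arbitrary defaults to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Test 5 expects TargetFilename values matching CVE-20*-poc.py
CVE_POC_FILE = re.compile(r"CVE-20[0-9]{2}-[0-9]+-poc\.py$", re.I)


def _parse_utc(ts: str) -> datetime:
    """Sysmon's UtcTime field looks like '2024-01-15 12:00:00.123'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def find_bursts(events, threshold: int = 5, window: timedelta = timedelta(seconds=10)) -> list:
    """Emit one alert per host each time `threshold` CVE-named PoC file creates fall within `window`.

    Only Sysmon Event ID 11 (File Create) records whose TargetFilename matches the PoC pattern
    are counted; everything else (other event ids, ordinary files) is ignored.
    """
    creates = defaultdict(list)
    for e in events:
        if e.get("EventID") != 11 or not CVE_POC_FILE.search(e.get("TargetFilename", "")):
            continue
        creates[e["Computer"]].append((_parse_utc(e["UtcTime"]), e.get("Image", "")))

    alerts = []
    for host, items in creates.items():
        items.sort()                      # events may arrive out of order
        recent = deque()                  # creates within `window` of the current one
        for ts, image in items:
            recent.append((ts, image))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({"Computer": host, "Image": image, "count": len(recent),
                               "first": recent[0][0], "last": ts})
                recent.clear()            # one burst yields one alert, not one per extra file
    return alerts


# Constructed Sysmon-style records (not real telemetry). CVE ids use placeholder year 2099.
SAMPLE_EVENTS = [
    # Burst: five PoC files on one host within four seconds, written by PowerShell (Test 5 shape)
    {"EventID": 11, "Computer": "WS-ENG-117",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "TargetFilename": f"C:\\Users\\alice\\research\\CVE-2099-1000{i}-poc.py",
     "UtcTime": f"2024-01-15 12:00:0{i}.250"}
    for i in range(5)
] + [
    # Slow trickle: three PoC files a minute apart; should not trip the default window
    {"EventID": 11, "Computer": "WS-OPS-07", "Image": "/usr/bin/touch",
     "TargetFilename": f"/tmp/CVE-2099-2000{i}-poc.py",
     "UtcTime": f"2024-01-15 12:{10 + i}:00.000"}
    for i in range(3)
] + [
    # Noise: an ordinary file create and a process-create record, both ignored
    {"EventID": 11, "Computer": "WS-ENG-117", "Image": "notepad.exe",
     "TargetFilename": "C:\\Users\\alice\\readme.txt", "UtcTime": "2024-01-15 12:00:01.000"},
    {"EventID": 1, "Computer": "WS-ENG-117", "Image": "powershell.exe",
     "UtcTime": "2024-01-15 11:59:59.000"},
]

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"{a['Computer']}: {a['count']} PoC files between {a['first']} and {a['last']} via {a['Image']}")
```

With the defaults the only alert is the WS-ENG-117 burst; widening the window to three minutes and lowering the threshold to three also catches the slow trickle on WS-OPS-07, which illustrates why the two parameters should be set from observed baseline rates rather than copied from the test.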
References (10)
- https://attack.mitre.org/techniques/T1588/006/
- https://nvd.nist.gov/
- https://www.exploit-db.com/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.microsoft.com/en-us/security/blog/2023/09/06/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://github.com/projectdiscovery/nuclei-templates/tree/main/cves
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/trickest/cve