Detect Vulnerabilities in IBM QRadar
Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.
MITRE ATT&CK
- Tactic: Resource Development
- Technique: T1588 Obtain Capabilities
- Sub-technique: T1588.006 Vulnerabilities
- Canonical reference: https://attack.mitre.org/techniques/T1588/006/
QRadar Detection Query
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    sourceip,
    username,
    QIDNAME(qid) AS event_name,
    "EventID",
    "Image",
    "CommandLine",
    "DestinationHostname",
    "TargetFilename",
    CASE
        WHEN "EventID" = '3'
            AND ("DestinationHostname" ILIKE '%exploit-db.com%'
                OR "DestinationHostname" ILIKE '%packetstormsecurity.com%'
                OR "DestinationHostname" ILIKE '%sploitus.com%'
                OR "DestinationHostname" ILIKE '%0day.today%'
                OR "DestinationHostname" ILIKE '%vulners.com%'
                OR "DestinationHostname" ILIKE '%cxsecurity.com%'
                OR "DestinationHostname" ILIKE '%seebug.org%'
                OR "DestinationHostname" ILIKE '%bugs.chromium.org%')
            THEN 'ExploitSiteAccess'
        WHEN "EventID" = '1'
            AND ("CommandLine" ILIKE '%searchsploit%'
                OR "CommandLine" ILIKE '%msfconsole%'
                OR "CommandLine" ILIKE '%msfvenom%'
                OR ("CommandLine" ILIKE '%nuclei%' AND "CommandLine" ILIKE '%cve%')
                OR (("Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.exe')
                    AND ("CommandLine" ILIKE '%poc.py%'
                        OR "CommandLine" ILIKE '%exploit.py%'
                        OR "CommandLine" ILIKE '%CVE-20%'))
                OR ("Image" ILIKE '%\\ruby.exe'
                    AND ("CommandLine" ILIKE '%exploit.rb%' OR "CommandLine" ILIKE '%CVE-20%'))
                OR ("Image" ILIKE '%\\perl.exe'
                    AND ("CommandLine" ILIKE '%exploit.pl%' OR "CommandLine" ILIKE '%CVE-20%')))
            THEN 'ExploitToolExecution'
        WHEN "EventID" = '11'
            AND ("TargetFilename" ILIKE '%CVE-20%'
                OR "TargetFilename" ILIKE '%\\poc.%'
                OR "TargetFilename" ILIKE '%\\exploit.%'
                OR "TargetFilename" ILIKE '%0day.%')
            AND ("TargetFilename" ILIKE '%.py'
                OR "TargetFilename" ILIKE '%.rb'
                OR "TargetFilename" ILIKE '%.sh'
                OR "TargetFilename" ILIKE '%.ps1'
                OR "TargetFilename" ILIKE '%.pl'
                OR "TargetFilename" ILIKE '%.exe'
                OR "TargetFilename" ILIKE '%.c'
                OR "TargetFilename" ILIKE '%.cpp')
            THEN 'ExploitFileCreated'
        ELSE NULL
    END AS detection_branch
FROM events
WHERE
    LOGSOURCENAME(logsourceid) ILIKE '%Sysmon%'
    AND (
        /* Branch 1: network connection to an exploit repository (Sysmon Event ID 3) */
        (
            "EventID" = '3'
            AND (
                "DestinationHostname" ILIKE '%exploit-db.com%'
                OR "DestinationHostname" ILIKE '%packetstormsecurity.com%'
                OR "DestinationHostname" ILIKE '%sploitus.com%'
                OR "DestinationHostname" ILIKE '%0day.today%'
                OR "DestinationHostname" ILIKE '%vulners.com%'
                OR "DestinationHostname" ILIKE '%cxsecurity.com%'
                OR "DestinationHostname" ILIKE '%seebug.org%'
                OR "DestinationHostname" ILIKE '%bugs.chromium.org%'
            )
            AND "Image" NOT ILIKE '%\\svchost.exe'
            AND "Image" NOT ILIKE '%\\lsass.exe'
            AND "Image" NOT ILIKE '%\\services.exe'
        )
        OR
        /* Branch 2: exploit toolchain process creation (Sysmon Event ID 1) */
        (
            "EventID" = '1'
            AND (
                "CommandLine" ILIKE '%searchsploit%'
                OR "CommandLine" ILIKE '%msfconsole%'
                OR "CommandLine" ILIKE '%msfvenom%'
                OR ("CommandLine" ILIKE '%nuclei%' AND "CommandLine" ILIKE '%cve%')
                OR (
                    ("Image" ILIKE '%\\python.exe' OR "Image" ILIKE '%\\python3.exe')
                    AND (
                        "CommandLine" ILIKE '%poc.py%'
                        OR "CommandLine" ILIKE '%exploit.py%'
                        OR "CommandLine" ILIKE '%CVE-20%'
                    )
                )
                OR (
                    "Image" ILIKE '%\\ruby.exe'
                    AND ("CommandLine" ILIKE '%exploit.rb%' OR "CommandLine" ILIKE '%CVE-20%')
                )
                OR (
                    "Image" ILIKE '%\\perl.exe'
                    AND ("CommandLine" ILIKE '%exploit.pl%' OR "CommandLine" ILIKE '%CVE-20%')
                )
            )
        )
        OR
        /* Branch 3: CVE-named or exploit-named file creation (Sysmon Event ID 11) */
        (
            "EventID" = '11'
            AND (
                "TargetFilename" ILIKE '%CVE-20%'
                OR "TargetFilename" ILIKE '%\\poc.%'
                OR "TargetFilename" ILIKE '%\\exploit.%'
                OR "TargetFilename" ILIKE '%0day.%'
            )
            AND (
                "TargetFilename" ILIKE '%.py'
                OR "TargetFilename" ILIKE '%.rb'
                OR "TargetFilename" ILIKE '%.sh'
                OR "TargetFilename" ILIKE '%.ps1'
                OR "TargetFilename" ILIKE '%.pl'
                OR "TargetFilename" ILIKE '%.exe'
                OR "TargetFilename" ILIKE '%.c'
                OR "TargetFilename" ILIKE '%.cpp'
            )
        )
    )
ORDER BY starttime DESC
LAST 24 HOURS

This query detects T1588.006 indirect indicators across three Sysmon event branches using QRadar AQL against the events table with Sysmon DSM parsing. Branch 1 matches Sysmon Event ID 3 (Network Connection) with a destination hostname in the exploit-repository list, excluding svchost.exe, lsass.exe and services.exe as the originating image. Branch 2 matches Sysmon Event ID 1 (Process Create) for exploit-tool command lines (searchsploit, msfconsole, msfvenom, and nuclei invoked with a CVE template) and for CVE PoC scripts launched by python.exe, python3.exe, ruby.exe or perl.exe. Branch 3 matches Sysmon Event ID 11 (File Create) for CVE-named or exploit-named files with a script or executable extension. The CASE expression in the SELECT list labels each returned row with the branch that matched; the WHERE clause repeats the branch predicates instead of filtering on detection_branch, because AQL does not accept a SELECT alias in WHERE. ILIKE is case-insensitive, so a single '%CVE-20%' pattern covers both spellings of the identifier. The search window is set by the trailing LAST 24 HOURS clause, which is AQL's time-range syntax (there is no DATEADD function in AQL). The query requires the Microsoft Windows Sysmon DSM and a log source extension or custom event properties that extract EventID, Image, CommandLine, DestinationHostname and TargetFilename from the Sysmon XML payload. Note that the interpreter patterns in Branch 2 end in .exe: a PoC script run by /usr/bin/python3 on a Linux host is caught only if its command line contains searchsploit, msfconsole, msfvenom or nuclei, whereas the hostname match in Branch 1 and the file-name match in Branch 3 are path-independent.
Data Sources
- Sysmon for Windows, Event ID 1 (Process Create), Event ID 3 (Network Connection) and Event ID 11 (File Create), forwarded to QRadar and parsed by the Microsoft Windows Sysmon DSM, with EventID, Image, CommandLine, DestinationHostname and TargetFilename available as custom event properties (and ParentImage if the CI-runner exclusion below is applied).
Required Tables
- events
False Positives & Tuning
- Authorized penetration testers running Metasploit Framework or searchsploit against sanctioned targets. Cross-reference the event sourceip against the authorized pentest asset register in the CMDB before escalating, or load that register into a QRadar reference set and exclude it in the WHERE clause with NOT REFERENCESETCONTAINS('<set name>', sourceip).
- Security operations analysts on dedicated threat intelligence workstations accessing exploit-db.com or vulners.com for IOC enrichment and research. These endpoints should be documented and their usernames added to the rule's exclusion list.
- CI/CD pipelines or developer workstations running nuclei as part of an integrated DAST pipeline against pre-production environments. The process tree will show a CI runner such as jenkins.exe or gitlab-runner.exe as the ParentImage.
- Security training environments (HackTheBox, TryHackMe, internal labs) where students download and execute CVE PoC scripts. Lab subnet CIDRs should be excluded at the log source level.
Testing Methodology
Validate this detection with the five test cases below (Atomic Red Team style). Each test lists the behaviour to exercise and the telemetry you should expect to see. The expected signals for Tests 1 to 4 are Linux-style paths (Sysmon for Linux and auditd); against the query as written those cases exercise only the path-independent conditions (exploit-site hostnames, the searchsploit and nuclei command lines, and CVE-named files with a script extension), because the Branch 2 interpreter patterns expect a Windows image name such as \python.exe. Test 5 produces Windows telemetry.
- Test 1: Exploit-DB Access via Command Line HTTP Client
Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html (an .html file, so Branch 3 does not fire; Branch 1 carries this test). Auditd EXECVE record for curl with the exploit-db.com argument.
- Test 2: searchsploit CVE Lookup
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. The process creates child grep/ruby processes to query the local database.
- Test 3: Download and Stage CVE PoC Script
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd SYSCALL record for open/openat with write flags and the matching PATH record for /tmp/CVE-2021-44228-exploit.py.
- Test 4: Nuclei CVE Template Scan Simulation
Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from the nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.
- Test 5: Bulk CVE Research File Creation (Burst Pattern)
Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching the CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Logging Event ID 4104 capturing the full foreach loop.
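As an added example (not the page's or the vendor's code), the following Python script emulates the three AQL branches and the four tuning exclusions over constructed Sysmon-style records shaped like the test cases above, so the branch labels can be checked offline before the query is deployed. The event records, the allow-lists (pentest register, analyst usernames, CI runner binaries, lab CIDR) and every IP address are constructed for the example; the \python.exe interpreter patterns are carried over from the query as written, and the AQL '\\' is assumed to denote one literal backslash, which is why the Linux python3 case returns no branch.

```python
"""Emulate the three AQL detection branches and the tuning exclusions over
constructed Sysmon-style records. Added illustration, not QRadar or vendor
code; every event, allow-list entry and IP range below is constructed."""
import ipaddress

EXPLOIT_SITES = ("exploit-db.com", "packetstormsecurity.com", "sploitus.com",
                 "0day.today", "vulners.com", "cxsecurity.com", "seebug.org",
                 "bugs.chromium.org")
SYSTEM_PROCS = ("svchost.exe", "lsass.exe", "services.exe")  # Branch 1 exclusions
TOOL_MARKERS = ("searchsploit", "msfconsole", "msfvenom")     # Branch 2 command lines
# Branch 2 interpreter patterns as the query writes them ('%\\python.exe' etc.);
# '\\' assumed to mean one literal backslash, so these only match Windows paths.
INTERPRETERS = {
    "\\python.exe": ("poc.py", "exploit.py", "cve-20"),
    "\\python3.exe": ("poc.py", "exploit.py", "cve-20"),
    "\\ruby.exe": ("exploit.rb", "cve-20"),
    "\\perl.exe": ("exploit.pl", "cve-20"),
}
NAME_MARKERS = ("cve-20", "\\poc.", "\\exploit.", "0day.")    # Branch 3 names
SCRIPT_EXTS = (".py", ".rb", ".sh", ".ps1", ".pl", ".exe", ".c", ".cpp")


def ilike(value, fragment):
    """Case-insensitive substring test, the equivalent of ILIKE '%fragment%'."""
    return fragment.lower() in (value or "").lower()


def classify(ev):
    """Return the detection_branch label the CASE expression assigns, or None."""
    eid = str(ev.get("EventID", ""))
    image = (ev.get("Image") or "").lower()
    cmd, host, target = ev.get("CommandLine"), ev.get("DestinationHostname"), ev.get("TargetFilename")
    if eid == "3" and any(ilike(host, s) for s in EXPLOIT_SITES):
        # the WHERE clause drops connections whose Image is a core Windows service
        return None if image.endswith(tuple("\\" + p for p in SYSTEM_PROCS)) else "ExploitSiteAccess"
    if eid == "1":
        if any(ilike(cmd, m) for m in TOOL_MARKERS) or (ilike(cmd, "nuclei") and ilike(cmd, "cve")):
            return "ExploitToolExecution"
        for suffix, markers in INTERPRETERS.items():
            if image.endswith(suffix) and any(ilike(cmd, m) for m in markers):
                return "ExploitToolExecution"
    if eid == "11" and any(ilike(target, m) for m in NAME_MARKERS) \
            and (target or "").lower().endswith(SCRIPT_EXTS):
        return "ExploitFileCreated"
    return None


# Constructed allow-lists standing in for the CMDB pentest register, the TI
# workstation users, the CI runner parent binaries and the training-lab CIDRs.
ALLOW = {
    "pentest_assets": {"10.10.5.4"},
    "ti_analysts": {"ti.analyst"},
    "ci_runners": ("jenkins.exe", "gitlab-runner.exe"),
    "lab_nets": (ipaddress.ip_network("10.99.0.0/16"),),
}


def tuned(ev, allow=ALLOW):
    """classify() followed by the four exclusions from the tuning section."""
    hit = classify(ev)
    if hit is None:
        return None
    src = ev.get("sourceip")
    if src in allow["pentest_assets"]:
        return None  # sanctioned pentest asset
    if hit == "ExploitSiteAccess" and ev.get("username") in allow["ti_analysts"]:
        return None  # documented threat-intel research workstation
    parent = (ev.get("ParentImage") or "").lower()
    if hit == "ExploitToolExecution" and parent.endswith(allow["ci_runners"]):
        return None  # scanner launched by a CI runner
    if src and any(ipaddress.ip_address(src) in net for net in allow["lab_nets"]):
        return None  # training-lab subnet
    return hit


SAMPLE_EVENTS = {  # constructed records shaped like the query's SELECT columns
    "t1_curl_exploitdb": {"EventID": 3, "Image": "/usr/bin/curl", "sourceip": "10.1.2.3",
                          "DestinationHostname": "www.exploit-db.com"},
    "t2_searchsploit": {"EventID": 1, "Image": "/usr/bin/searchsploit", "sourceip": "10.1.2.3",
                        "CommandLine": "searchsploit CVE-2021-44228"},
    "t3_poc_file": {"EventID": 11, "sourceip": "10.1.2.3", "TargetFilename": "/tmp/CVE-2021-44228-exploit.py"},
    "t4_nuclei": {"EventID": 1, "Image": "/root/go/bin/nuclei", "sourceip": "10.1.2.3",
                  "CommandLine": "nuclei -u http://127.0.0.1 -t cves/2021/CVE-2021-44228.yaml"},
    "t5_burst_file": {"EventID": 11, "sourceip": "10.1.2.9", "TargetFilename": "C:\\Users\\a\\Desktop\\CVE-2021-44228-poc.py"},
    "linux_python_poc": {"EventID": 1, "Image": "/usr/bin/python3", "sourceip": "10.1.2.3",
                         "CommandLine": "python3 CVE-2021-44228-exploit.py"},  # no '\python.exe' match
    "windows_python_poc": {"EventID": 1, "Image": "C:\\Python311\\python.exe", "sourceip": "10.1.2.9",
                           "CommandLine": "python.exe exploit.py --target 10.1.2.7"},
    "svchost_excluded": {"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "sourceip": "10.1.2.9",
                         "DestinationHostname": "vulners.com"},
    "pentest_msf": {"EventID": 1, "Image": "C:\\metasploit\\ruby.exe", "sourceip": "10.10.5.4",
                    "CommandLine": "msfconsole -q"},
    "ci_nuclei": {"EventID": 1, "Image": "C:\\tools\\nuclei.exe", "sourceip": "10.1.2.9",
                  "ParentImage": "C:\\GitLab-Runner\\gitlab-runner.exe", "CommandLine": "nuclei.exe -t cves/ -u https://preprod.example"},
    "lab_student": {"EventID": 11, "sourceip": "10.99.0.12", "TargetFilename": "C:\\lab\\exploit.ps1"},
}


def run(events=SAMPLE_EVENTS):
    """Map each sample event name to (raw branch, branch after tuning)."""
    return {name: (classify(ev), tuned(ev)) for name, ev in events.items()}
```

run() returns, per sample event, the raw branch label and the label after the exclusions. The five test-case records produce their expected branch; linux_python_poc returns None because Branch 2's interpreter patterns require a Windows image name; svchost_excluded shows the Branch 1 exclusion; and pentest_msf, ci_nuclei and lab_student each fire raw but are suppressed by one of the tuning rules.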
References (10)
- https://attack.mitre.org/techniques/T1588/006/
- https://nvd.nist.gov/
- https://www.exploit-db.com/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- https://www.microsoft.com/en-us/security/blog/2023/09/06/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/
- https://github.com/projectdiscovery/nuclei-templates/tree/main/cves
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/trickest/cve