T1588.006 Microsoft Sentinel · KQL

Detect Vulnerabilities in Microsoft Sentinel

Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.006 Vulnerabilities
Canonical reference
https://attack.mitre.org/techniques/T1588/006/

KQL Detection Query

Microsoft Sentinel (KQL)
// T1588.006 — Vulnerability Research: Indirect Detection
// Detects internal endpoints accessing exploit databases, executing exploit toolchains,
// or creating CVE-named files — indicators of insider threat, compromised research
// workstations, or adversary staging activity within the environment.
// Schema notes: DeviceNetworkEvents and DeviceFileEvents carry the account in
// InitiatingProcessAccountName (there is no AccountName column), so it is aliased to
// give all three branches one schema for the union. `has` / `has_any` match whole terms,
// so has_any ("CVE-20") never matches "CVE-2021-44228"; CVE identifiers are therefore
// matched with a regex.
let ExploitRepositories = dynamic([
    "exploit-db.com", "www.exploit-db.com",
    "packetstormsecurity.com", "0day.today",
    "sploitus.com", "vulners.com",
    "cxsecurity.com", "seebug.org",
    "bugs.chromium.org/p/project-zero"
]);
// Stand-alone tool names: single terms, safe for has_any
let ExploitTools = dynamic(["searchsploit", "msfconsole", "msfvenom"]);
// Conventional PoC script names handed to an interpreter
let PocScriptNames = dynamic(["poc.py", "exploit.py", "exploit.rb", "exploit.pl", "exploit.sh"]);
// Branch 1: Internal hosts making HTTP/S connections to known exploit repositories.
// RemoteUrl is populated only when the sensor observed a hostname (DNS or TLS SNI);
// direct-to-IP connections to these sites are not covered by this branch.
let ExploitSiteAccess = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemoteUrl has_any (ExploitRepositories)
| where InitiatingProcessFileName !in~ ("svchost.exe", "lsass.exe", "services.exe")
| extend DetectionBranch = "ExploitSiteAccess"
| extend SignalDetail = strcat("Process=", InitiatingProcessFileName, " | URL=", RemoteUrl)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 2: Exploit tool execution (searchsploit, Metasploit, nuclei CVE templates, CVE PoC scripts)
let ExploitToolExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (ExploitTools)
    or (ProcessCommandLine has "nuclei" and ProcessCommandLine has "cves")
    // any CVE identifier on a command line; also fires for patch and scanner tooling (see tuning)
    or ProcessCommandLine matches regex @"(?i)\bCVE-\d{4}-\d{4,7}\b"
    or (FileName in~ ("python.exe", "python3", "python3.exe", "python", "ruby", "ruby.exe", "perl.exe", "perl")
        and ProcessCommandLine has_any (PocScriptNames))
| extend DetectionBranch = "ExploitToolExecution"
| extend SignalDetail = strcat("Command=", ProcessCommandLine)
// InitiatingProcess* columns keep their meaning (the parent); the executed command line is in SignalDetail
| project Timestamp, DeviceName, AccountName, DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Branch 3: CVE-named or exploit-named code files written to disk.
// FileRenamed is included because browser downloads finish as a rename of a temporary file.
let ExploitFileCreation = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| where FileName endswith ".py" or FileName endswith ".rb" or FileName endswith ".sh"
     or FileName endswith ".exe" or FileName endswith ".ps1" or FileName endswith ".pl"
     or FileName endswith ".c" or FileName endswith ".cpp"
| where FileName matches regex @"(?i)\bCVE-\d{4}-\d{4,7}\b"
    or FileName has_any ("poc", "0day", "exploit")
| extend DetectionBranch = "ExploitFileCreated"
| extend SignalDetail = strcat("File=", FolderPath, "\\", FileName,
                               " | Process=", InitiatingProcessFileName)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          DetectionBranch, SignalDetail,
          InitiatingProcessFileName, InitiatingProcessCommandLine;
// Union all branches
union ExploitSiteAccess, ExploitToolExecution, ExploitFileCreation
| sort by Timestamp desc
Severity: Medium · Confidence: Low

Detects indirect indicators of vulnerability research activity within the victim environment using Microsoft Defender for Endpoint telemetry. Three detection branches cover: (1) DeviceNetworkEvents showing internal endpoints connecting to known exploit repositories such as Exploit-DB, Packet Storm, and Sploitus; (2) DeviceProcessEvents detecting execution of exploit development toolchains including Metasploit, searchsploit, and CVE-named Python/Ruby/Perl scripts; (3) DeviceFileEvents identifying creation of files with CVE numbering or exploit-toolkit naming conventions. Because T1588.006 is a PRE-attack technique occurring on adversary infrastructure, these detections focus on insider threat scenarios, compromised researcher workstations, or adversaries validating exploit behavior within a target environment.

Data Sources

Network Traffic: Network Connection Creation
Process: Process Creation
File: File Creation
Microsoft Defender for Endpoint

Required Tables

DeviceNetworkEvents
DeviceProcessEvents
DeviceFileEvents

False Positives & Tuning

  • Legitimate penetration testers and red team members accessing Exploit-DB or running Metasploit during authorized engagements
  • Security operations center analysts and threat intelligence analysts browsing vulnerability databases as part of daily research duties
  • Software developers and QA engineers creating files named with CVE identifiers when building patching tools, scanners, or security regression test suites
  • Academic or training environments where students execute public CVE PoC scripts in sandboxed lab systems that share endpoint telemetry with the production SIEM
  • Automated vulnerability management scanners (Tenable, Rapid7 InsightVM, Qualys) whose agent processes may trigger on exploit-named file patterns
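To check the three branches and the tuning advice above without a Sentinel workspace, the following is an added example (not the page's rule and not Microsoft code) that replays the same branch logic in Python over constructed Defender for Endpoint events. The events, device names and account names are made up to mirror the five test cases below plus benign noise; `has_term` is an approximation of KQL whole-term matching, and the `allowlisted_devices` parameter is an assumed tuning hook for authorised red-team hosts.

```python
"""Offline replay of the three T1588.006 detection branches over constructed
Defender for Endpoint events (added example, not the page's own rule)."""
import re
from typing import Dict, Iterable, List, Optional

# Regex stands in for the KQL `matches regex` clause: `has` cannot prefix-match "CVE-20".
CVE_ID = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
EXPLOIT_REPOSITORIES = ("exploit-db.com", "packetstormsecurity.com", "0day.today", "sploitus.com",
                        "vulners.com", "cxsecurity.com", "seebug.org", "bugs.chromium.org/p/project-zero")
EXPLOIT_TOOLS = ("searchsploit", "msfconsole", "msfvenom")
INTERPRETERS = {"python.exe", "python3", "python3.exe", "python", "ruby", "ruby.exe", "perl", "perl.exe"}
POC_SCRIPT_NAMES = ("poc.py", "exploit.py", "exploit.rb", "exploit.pl", "exploit.sh")
EXPLOIT_EXTENSIONS = (".py", ".rb", ".sh", ".exe", ".ps1", ".pl", ".c", ".cpp")
EXPLOIT_FILE_TERMS = ("poc", "0day", "exploit")
EXCLUDED_INITIATORS = {"svchost.exe", "lsass.exe", "services.exe"}


def has_term(text: str, term: str) -> bool:
    """Approximation (assumption) of KQL `has`: case-insensitive whole term or phrase,
    not glued to neighbouring alphanumerics. has_term("CVE-2021-44228", "CVE-20") is False."""
    pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def branch_network(ev: Dict) -> Optional[str]:
    """Branch 1: connection to a known exploit repository, minus the excluded system processes."""
    if ev.get("InitiatingProcessFileName", "").lower() in EXCLUDED_INITIATORS:
        return None
    url = ev.get("RemoteUrl", "")
    if any(has_term(url, repo) for repo in EXPLOIT_REPOSITORIES):
        return f"Process={ev.get('InitiatingProcessFileName', '')} | URL={url}"
    return None


def branch_process(ev: Dict) -> Optional[str]:
    """Branch 2: exploit tool, nuclei CVE template, CVE id on the command line, or interpreter + PoC script."""
    cmd = ev.get("ProcessCommandLine", "")
    image = ev.get("FileName", "").lower()
    hit = (any(has_term(cmd, t) for t in EXPLOIT_TOOLS)
           or (has_term(cmd, "nuclei") and has_term(cmd, "cves"))
           or CVE_ID.search(cmd) is not None
           or (image in INTERPRETERS and any(has_term(cmd, s) for s in POC_SCRIPT_NAMES)))
    return f"Command={cmd}" if hit else None


def branch_file(ev: Dict) -> Optional[str]:
    """Branch 3: code file whose name carries a CVE id or an exploit-toolkit term."""
    name = ev.get("FileName", "")
    if not name.lower().endswith(EXPLOIT_EXTENSIONS):
        return None
    if CVE_ID.search(name) or any(has_term(name, t) for t in EXPLOIT_FILE_TERMS):
        return f"File={ev.get('FolderPath', '')}/{name} | Process={ev.get('InitiatingProcessFileName', '')}"
    return None


BRANCHES = {"DeviceNetworkEvents": ("ExploitSiteAccess", branch_network),
            "DeviceProcessEvents": ("ExploitToolExecution", branch_process),
            "DeviceFileEvents": ("ExploitFileCreated", branch_file)}


def detect(events: Iterable[Dict], allowlisted_devices: Iterable[str] = ()) -> List[Dict]:
    """Union of the three branches, newest first; allowlisted devices (assumed red-team hosts) are dropped."""
    suppressed = {d.lower() for d in allowlisted_devices}
    alerts = []
    for ev in events:
        if ev["DeviceName"].lower() in suppressed or ev["Table"] not in BRANCHES:
            continue
        branch, check = BRANCHES[ev["Table"]]
        detail = check(ev)
        if detail:
            # DeviceProcessEvents has AccountName; the other two tables only have InitiatingProcessAccountName
            account = ev.get("AccountName", ev.get("InitiatingProcessAccountName", ""))
            alerts.append({"Timestamp": ev["Timestamp"], "DeviceName": ev["DeviceName"],
                           "AccountName": account, "DetectionBranch": branch, "SignalDetail": detail})
    return sorted(alerts, key=lambda a: a["Timestamp"], reverse=True)


def ev(table: str, ts: str, device: str, **fields) -> Dict:
    return {"Table": table, "Timestamp": ts, "DeviceName": device, **fields}


# Constructed events mirroring the five test cases, two benign events and one red-team host.
SAMPLE_EVENTS = [
    ev("DeviceNetworkEvents", "2024-05-01T09:00:00Z", "ws-research-01", InitiatingProcessAccountName="jdoe",
       InitiatingProcessFileName="curl", RemoteUrl="https://www.exploit-db.com/search?cve=2021-44228"),
    ev("DeviceProcessEvents", "2024-05-01T09:01:00Z", "ws-research-01", AccountName="jdoe",
       FileName="searchsploit", ProcessCommandLine="searchsploit CVE-2021-44228"),
    ev("DeviceFileEvents", "2024-05-01T09:02:00Z", "ws-research-01", InitiatingProcessAccountName="jdoe",
       InitiatingProcessFileName="touch", FolderPath="/tmp", FileName="CVE-2021-44228-exploit.py"),
    ev("DeviceProcessEvents", "2024-05-01T09:03:00Z", "ws-research-01", AccountName="root", FileName="nuclei",
       ProcessCommandLine="nuclei -u http://127.0.0.1 -t cves/2021/CVE-2021-44228.yaml"),
    ev("DeviceFileEvents", "2024-05-01T09:04:00Z", "ws-win-07", InitiatingProcessAccountName="asmith",
       InitiatingProcessFileName="powershell.exe", FolderPath="C:\\Users\\asmith\\research",
       FileName="CVE-2021-44228-poc.py"),
    ev("DeviceNetworkEvents", "2024-05-01T09:05:00Z", "ws-win-07", InitiatingProcessAccountName="asmith",
       InitiatingProcessFileName="msedge.exe", RemoteUrl="https://www.microsoft.com/"),          # benign
    ev("DeviceFileEvents", "2024-05-01T09:06:00Z", "ws-win-07", InitiatingProcessAccountName="asmith",
       InitiatingProcessFileName="winword.exe", FolderPath="C:\\Users\\asmith\\Documents",
       FileName="exploitation-report.docx"),                                                     # benign
    ev("DeviceProcessEvents", "2024-05-01T09:07:00Z", "rt-kali-01", AccountName="redteam",
       FileName="msfconsole", ProcessCommandLine="msfconsole -q -r engagement.rc"),              # authorised
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, allowlisted_devices=["rt-kali-01"]):
        print(alert["Timestamp"], alert["DeviceName"], alert["DetectionBranch"], alert["SignalDetail"])
```

Running it with the allowlist yields five alerts, one per test case, and none for the Edge session, the Word document or the red-team host; without the allowlist the msfconsole run is reported as well. The `has_term("CVE-2021-44228-exploit.py", "CVE-20")` check returning False is the term-matching behaviour that makes the regex clause necessary in the KQL.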
Testing Methodology

Validate this detection against the 5 adversary techniques below from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are described in Sysmon and auditd terms; on a host onboarded to Defender for Endpoint the same activity surfaces as rows in DeviceNetworkEvents (network connection), DeviceProcessEvents (process create) and DeviceFileEvents (file create), which are the tables the query above reads. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Exploit-DB Access via Command Line HTTP Client

    Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html. Auditd EXECVE record for curl with exploit-db.com argument.

  2. Test 2: searchsploit CVE Lookup

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. Process creates child grep/ruby processes to query the local database.

  3. Test 3: Download and Stage CVE PoC Script

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd OPEN record with path=/tmp/CVE-2021-44228-exploit.py and flags indicating write access.

  4. Test 4: Nuclei CVE Template Scan Simulation

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.

  5. Test 5: Bulk CVE Research File Creation (Burst Pattern)

    Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Log Event ID 4104 capturing the full foreach loop.
