T1588.006 Splunk · SPL

Detect Vulnerabilities in Splunk

Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can potentially be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, often targeting organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this technique occurs on adversary-controlled infrastructure before victim engagement, direct detection is impossible via standard SIEM telemetry. Detection pivots to indirect indicators observable in the victim environment: internal endpoints accessing exploit repositories (indicating insider threat or compromised research workstations), exploit development toolchain execution, CVE-named file creation, and correlation between public CVE disclosure timelines and subsequent exploitation attempts against organizational assets. Real-world actors including Sandworm Team and Volt Typhoon have leveraged CVE research for initial access, making post-disclosure exploitation windows a critical detection opportunity.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1588 Obtain Capabilities
Sub-technique
T1588.006 Vulnerabilities
Canonical reference
https://attack.mitre.org/techniques/T1588/006/

SPL Detection Query

Splunk (SPL)
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=3 OR EventCode=11)
| search
    (
      EventCode=3
      (DestinationHostname="*exploit-db.com*" OR DestinationHostname="*packetstormsecurity.com*"
       OR DestinationHostname="*sploitus.com*" OR DestinationHostname="*0day.today*"
       OR DestinationHostname="*vulners.com*" OR DestinationHostname="*cxsecurity.com*"
       OR DestinationHostname="*seebug.org*")
      NOT (Image="*\\svchost.exe" OR Image="*\\lsass.exe" OR Image="*\\services.exe")
    )
    OR
    (
      EventCode=1
      (
        CommandLine="*searchsploit*" OR CommandLine="*msfconsole*" OR CommandLine="*msfvenom*"
        OR (CommandLine="*nuclei*" AND (CommandLine="*cve*" OR CommandLine="*-t cves*"))
        OR (
          (Image="*\\python.exe" OR Image="*\\python3.exe" OR Image="*\\ruby.exe" OR Image="*\\perl.exe")
          AND (CommandLine="*poc.py*" OR CommandLine="*exploit.py*" OR CommandLine="*exploit.rb*"
               OR CommandLine="*exploit.pl*" OR CommandLine="*CVE-20*")
        )
      )
    )
    OR
    (
      EventCode=11
      (TargetFilename="*CVE-20*" OR TargetFilename="*\\poc.*" OR TargetFilename="*\\exploit.*" OR TargetFilename="*0day.*")
      (TargetFilename="*.py" OR TargetFilename="*.rb" OR TargetFilename="*.sh" OR TargetFilename="*.pl"
       OR TargetFilename="*.exe" OR TargetFilename="*.ps1" OR TargetFilename="*.c" OR TargetFilename="*.cpp")
    )
| eval detection_branch=case(tonumber(EventCode)==3, "ExploitSiteAccess",
                             tonumber(EventCode)==1, "ExploitToolExecution",
                             tonumber(EventCode)==11, "ExploitFileCreated",
                             true(), "Unknown")
| eval signal_detail=case(tonumber(EventCode)==3, "Process=".Image." | Destination=".DestinationHostname.":".DestinationPort,
                          tonumber(EventCode)==1, "Command=".CommandLine,
                          tonumber(EventCode)==11, "File=".TargetFilename." | Process=".Image,
                          true(), "")
| table _time, host, User, detection_branch, signal_detail, Image, CommandLine, ParentImage
| sort - _time

Severity: medium. Confidence: low.

Detects indirect vulnerability research activity using Sysmon operational logs. Three independent detection branches are unioned: (1) Sysmon Event ID 3 (Network Connection) to known exploit repository hostnames including Exploit-DB, Packet Storm, Sploitus, and Vulners; (2) Sysmon Event ID 1 (Process Create) matching exploit toolchain commands including Metasploit, searchsploit, Nuclei CVE templates, and CVE-named Python/Ruby/Perl scripts; (3) Sysmon Event ID 11 (File Create) for files with CVE identifiers or exploit naming conventions with executable extensions. Results are tagged with a detection_branch field to help analysts triage the signal type. Confidence is low because all indicators are indirect proxies for a PRE-attack technique that fundamentally occurs outside the victim environment.

Data Sources

  • Network Traffic: Network Connection Creation
  • Process: Process Creation
  • File: File Creation
  • Sysmon Event ID 1, 3, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Authorized penetration testers and red team operators running Metasploit, searchsploit, or Nuclei during sanctioned engagements
  • Security researchers and threat intel analysts browsing Exploit-DB or Vulners as part of their regular vulnerability tracking workflow
  • Developers building security tooling who create files named with CVE identifiers for test cases, patch validators, or vulnerability scanners
  • Automated vulnerability management agents downloading CVE-related content during scheduled scan cycles
  • CTF (Capture the Flag) participants working on competition challenges from corporate endpoints
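The following is an added example, not code from the original page or the detection's author: it re-implements the three SPL branches above in Python so the logic can be exercised offline against constructed Sysmon-style events, and it applies the tuning idea from the list above as a hypothetical allowlist of sanctioned red-team hosts (ALLOWLIST_HOSTS, SAMPLE_EVENTS and all paths are assumptions).

```python
import fnmatch

# Wildcard lists mirror the SPL branches above (constructed, not the page's code).
EXPLOIT_SITES = ["*exploit-db.com*", "*packetstormsecurity.com*", "*sploitus.com*",
                 "*0day.today*", "*vulners.com*", "*cxsecurity.com*", "*seebug.org*"]
SYSTEM_IMAGES = ["*\\svchost.exe", "*\\lsass.exe", "*\\services.exe"]
TOOL_CMDS = ["*searchsploit*", "*msfconsole*", "*msfvenom*"]
SCRIPT_IMAGES = ["*\\python.exe", "*\\python3.exe", "*\\ruby.exe", "*\\perl.exe"]
SCRIPT_CMDS = ["*poc.py*", "*exploit.py*", "*exploit.rb*", "*exploit.pl*", "*cve-20*"]
FILE_NAMES = ["*cve-20*", "*\\poc.*", "*\\exploit.*", "*0day.*"]
FILE_EXTS = ["*.py", "*.rb", "*.sh", "*.pl", "*.exe", "*.ps1", "*.c", "*.cpp"]
ALLOWLIST_HOSTS = {"redteam-ws01"}  # hypothetical sanctioned red-team host (tuning)

def _any(value, patterns):  # case-insensitive glob match, like SPL field="*x*"
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def classify(ev):
    """Return (detection_branch, signal_detail) for one Sysmon event, else None."""
    code, img = int(ev.get("EventCode", 0)), ev.get("Image", "")
    if code == 3 and _any(ev.get("DestinationHostname", ""), EXPLOIT_SITES) \
            and not _any(img, SYSTEM_IMAGES):
        return "ExploitSiteAccess", (f"Process={img} | Destination="
                                     f"{ev['DestinationHostname']}:{ev.get('DestinationPort', '')}")
    if code == 1:
        cmd = ev.get("CommandLine", "")
        nuclei = _any(cmd, ["*nuclei*"]) and _any(cmd, ["*cve*"])
        if _any(cmd, TOOL_CMDS) or nuclei or (_any(img, SCRIPT_IMAGES) and _any(cmd, SCRIPT_CMDS)):
            return "ExploitToolExecution", f"Command={cmd}"
    if code == 11:
        fn = ev.get("TargetFilename", "")
        if _any(fn, FILE_NAMES) and _any(fn, FILE_EXTS):  # CVE/PoC name AND executable extension
            return "ExploitFileCreated", f"File={fn} | Process={img}"
    return None

def run_detection(events):
    """Classify every event, skipping allowlisted hosts; returns the list of hits."""
    hits = [(ev.get("host"), classify(ev)) for ev in events if ev.get("host") not in ALLOWLIST_HOSTS]
    return [{"host": h, "branch": r[0], "detail": r[1]} for h, r in hits if r]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventCode": "3", "host": "ws-042", "Image": "C:\\Apps\\firefox.exe", "DestinationHostname": "www.exploit-db.com", "DestinationPort": "443"},
    {"EventCode": "3", "host": "ws-042", "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationHostname": "www.exploit-db.com", "DestinationPort": "443"},
    {"EventCode": "1", "host": "ws-042", "Image": "C:\\Python39\\python.exe", "CommandLine": "python.exe CVE-2021-44228-exploit.py"},
    {"EventCode": "1", "host": "ws-042", "Image": "C:\\Python39\\python.exe", "CommandLine": "python.exe build.py"},
    {"EventCode": "11", "host": "ws-042", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\poc.py"},
    {"EventCode": "11", "host": "ws-042", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\CVE-2021-44228.txt"},
    {"EventCode": "1", "host": "redteam-ws01", "Image": "C:\\msf\\ruby.exe", "CommandLine": "msfconsole -q"},
]
```

Running run_detection(SAMPLE_EVENTS) yields three hits (one per branch); the svchost.exe connection, the non-exploit Python run, the .txt file and the allowlisted red-team host are all dropped, which is the same triage outcome the SPL and the tuning list aim for.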
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Exploit-DB Access via Command Line HTTP Client

    Expected signal: Sysmon Event ID 3 (Network Connection) with Image=/usr/bin/curl, DestinationHostname=www.exploit-db.com, DestinationPort=443. Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/exploitdb_search_result.html. Auditd EXECVE record for curl with exploit-db.com argument.

  2. Test 2: searchsploit CVE Lookup

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/usr/bin/searchsploit or /usr/local/bin/searchsploit, CommandLine=searchsploit CVE-2021-44228. Auditd EXECVE record with argv[0]=searchsploit, argv[1]=CVE-2021-44228. Process creates child grep/ruby processes to query the local database.

  3. Test 3: Download and Stage CVE PoC Script

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=/tmp/CVE-2021-44228-exploit.py. Sysmon Event ID 1 (Process Create) for touch and the shell writing to the file. Auditd OPEN record with path=/tmp/CVE-2021-44228-exploit.py and flags indicating write access.

  4. Test 4: Nuclei CVE Template Scan Simulation

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=/root/go/bin/nuclei (or similar), CommandLine containing '-t cves' and 'CVE-2021-44228'. Sysmon Event ID 3 (Network Connection) to 127.0.0.1:80 from nuclei process. Auditd EXECVE with argv containing 'nuclei', '-u', 'http://127.0.0.1', '-t', 'cves/2021/CVE-2021-44228.yaml'.

  5. Test 5: Bulk CVE Research File Creation (Burst Pattern)

    Expected signal: Five Sysmon Event ID 11 (File Create) events in rapid succession, each with TargetFilename matching CVE-20*-poc.py pattern. Sysmon Event ID 1 for powershell.exe with New-Item commands. PowerShell ScriptBlock Log Event ID 4104 capturing the full foreach loop.
