title: Vulnerabilities (T1588.006)
id: df00tech-t1588-006
status: experimental
description: "Adversaries may acquire information about vulnerabilities to use during targeting. A vulnerability is a weakness in computer hardware or software that can be exploited to cause unintended behavior. Adversaries monitor vulnerability disclosures and databases (NVD, Exploit-DB, Packet Storm, closed markets) to identify exploitable weaknesses, and may also target organizations that conduct vulnerability research to obtain pre-disclosure intelligence. Because this activity takes place on adversary-controlled infrastructure before any contact with the victim, it is not directly observable in victim telemetry, and a SIEM cannot detect it as such. Detection therefore relies on indirect indicators inside the victim environment: internal endpoints accessing exploit repositories (possible insider activity or a compromised research workstation), execution of exploit development toolchains, creation of files named after CVE identifiers, and correlation of public CVE disclosure dates with subsequent exploitation attempts against organizational assets. Actors including Sandworm Team and Volt Typhoon have used vulnerability research to obtain initial access, which makes the window immediately after a public disclosure a key detection opportunity."
references:
  - https://attack.mitre.org/techniques/T1588/006/
  - https://df00tech.com/detections/T1588.006
author: df00tech
date: 2026/04/13
tags:
  - attack.t1588.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The selection below encodes the indirect indicators named in the description
  # (exploit repository access, CVE-named files or arguments). A CommandLine-only
  # match is broad and must be tuned per environment; the full KQL/SPL logic
  # referenced above is on df00tech and could not be auto-translated to Sigma.
  selection_repo:
    CommandLine|contains:
      - 'exploit-db.com'
      - 'packetstormsecurity'
  selection_cve:
    CommandLine|re: '(?i)CVE-\d{4}-\d{4,7}'
  condition: 1 of selection_*
falsepositives:
  - Legitimate penetration testers and red team members accessing Exploit-DB or running Metasploit during authorized engagements
  - Security operations center analysts and threat intelligence analysts browsing vulnerability databases as part of daily research duties
  - "Software developers and QA engineers creating files named with CVE identifiers when building patching tools, scanners, or security regression test suites"
  - Academic or training environments where students execute public CVE PoC scripts in sandboxed lab systems that share endpoint telemetry with the production SIEM
  - "Automated vulnerability management scanners (Tenable, Rapid7 InsightVM, Qualys) whose agent processes may trigger on exploit-named file patterns"
level: medium
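The indirect indicators the description lists (exploit repository access, CVE-named files or arguments, and the age of the referenced CVE relative to its public disclosure) can be checked offline against process-creation telemetry. The following is an added example, not part of the df00tech rule or its KQL/SPL query: it runs the same logic over a handful of constructed Sysmon-style events. The CVE identifier CVE-2099-12345, the disclosure-date table, the user names and the scanner path are all fictitious; in production the disclosure dates would come from an NVD feed and the allowlist from the vulnerability-management team.

```python
"""Indirect detection for T1588.006 over constructed process-creation events."""
import re
from datetime import date, datetime

# Exploit repositories named in the rule description. NVD is deliberately
# omitted: it is a reference site and browsing it alone is too noisy to alert on.
EXPLOIT_REPOS = ("exploit-db.com", "packetstormsecurity.com")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b", re.IGNORECASE)
RECENT_DAYS = 30  # disclosure-to-observation window treated as high severity

# Constructed disclosure-date table (CVE-2099-12345 is a fictitious identifier;
# assumption: a real deployment would load this from an NVD data feed).
DISCLOSURE_DATES = {"CVE-2099-12345": date(2099, 3, 1)}

# Constructed Sysmon EID 1 style events, not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2099-03-05 10:00:00", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "CommandLine": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" https://www.exploit-db.com/'},
    {"UtcTime": "2099-03-05 10:05:00", "User": "CORP\\alice",
     "Image": "C:\\Python\\python.exe",
     "CommandLine": "python.exe C:\\Users\\alice\\Downloads\\CVE-2099-12345.py --target 10.0.0.5"},
    {"UtcTime": "2099-03-05 10:06:00", "User": "CORP\\bob",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Work\\meeting-notes.txt"},
    {"UtcTime": "2099-03-05 10:07:00", "User": "CORP\\svc-scanner",
     "Image": "C:\\Program Files\\Scanner\\agent.exe",  # hypothetical VM scanner agent
     "CommandLine": "agent.exe --scan CVE-2099-12345 --target 10.0.0.5"},
]


def _event_date(utc_time: str) -> date:
    """Sysmon UtcTime is 'YYYY-MM-DD HH:MM:SS'; only the date matters here."""
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S").date()


def analyze(events, disclosure_dates=DISCLOSURE_DATES, allowlisted_users=frozenset()):
    """Return one alert per event that shows an indirect T1588.006 indicator.

    Severity starts at 'medium' and is raised to 'high' when a referenced CVE
    was publicly disclosed within RECENT_DAYS of the event, which is the
    post-disclosure exploitation window the rule description calls out.
    Users in allowlisted_users (e.g. scanner service accounts) are skipped to
    suppress the false positives listed in the rule.
    """
    alerts = []
    for ev in events:
        user = ev.get("User", "")
        if user in allowlisted_users:
            continue
        cmd = ev.get("CommandLine", "")
        reasons = []
        severity = "medium"
        for repo in EXPLOIT_REPOS:
            if repo in cmd.lower():
                reasons.append(f"exploit repository access: {repo}")
        for cve in sorted({m.upper() for m in CVE_RE.findall(cmd)}):
            reason = f"CVE reference in command line: {cve}"
            disclosed = disclosure_dates.get(cve)
            if disclosed is not None:
                age = (_event_date(ev["UtcTime"]) - disclosed).days
                reason += f" (disclosed {age} days earlier)"
                if 0 <= age <= RECENT_DAYS:
                    severity = "high"
            reasons.append(reason)
        if reasons:
            alerts.append({"time": ev["UtcTime"], "user": user,
                           "image": ev.get("Image", ""),
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, allowlisted_users={"CORP\\svc-scanner"}):
        print(alert["severity"].upper(), alert["time"], alert["user"], "|", "; ".join(alert["reasons"]))
```

Run as-is, the script emits two alerts for CORP\alice (a medium one for the Exploit-DB visit and a high one for the CVE-named script run four days after disclosure) and none for the allowlisted scanner account; remove the allowlist and the scanner's `--scan CVE-2099-12345` invocation is flagged too, which is exactly the false positive the rule's `falsepositives` section warns about.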
