Exploitation Availability

5 automated security scanners

Purpose: The Public POC Monitoring Scanner is designed to identify and alert about publicly available proof-of-concept (PoC) exploits related to a specified domain. It scans GitHub repositories, ExploitDB entries, social media platforms, Shodan API data, and VirusTotal reputation to detect potential vulnerabilities or exploitation attempts that could pose a risk to the security of the targeted infrastructure.

What It Detects:

  • GitHub Exploits: Scans GitHub repositories for code snippets containing known CVE identifiers, indicating potential vulnerabilities in specific services or applications associated with the domain.
  • ExploitDB Entries: Searches the Offensive Security Exploit Database (ExploitDB) for entries related to the domain, potentially revealing publicly available exploits that could be used against the infrastructure.
  • Social Media Code Sharing: Monitors social media platforms like Twitter and Reddit for shared code snippets or links to repositories containing potential exploits, identifying discussions about vulnerabilities in relation to the domain.
  • Shodan API Data: Utilizes the Shodan API to find exposed services and devices associated with the domain, detecting known vulnerabilities reported by Shodan.
  • VirusTotal Domain/IP Reputation: Checks the reputation of the domain and its IP addresses using the VirusTotal API, identifying any malicious activities or threats associated with the domain’s online presence.

Inputs Required:

  • domain (string): The primary domain to analyze (e.g., acme.com). This is essential for directing the scanner’s searches towards relevant targets.

Business Impact: This tool is crucial for organizations looking to proactively identify and mitigate potential security risks posed by publicly available PoC exploits. By detecting such exploits early, organizations can take immediate steps to patch vulnerabilities or implement other preventive measures, safeguarding their digital assets from potential exploitation attempts.

Risk Levels:

  • Critical: Findings that directly indicate active exploitation attempts or critical vulnerabilities in the infrastructure. This includes instances where known PoC exploits are actively circulating on GitHub repositories or social media platforms.
  • High: High risk is assigned to findings that suggest potential exposure to high-severity vulnerabilities, such as those found through Shodan API scans or identified discussions about exploiting the domain’s services on social media.
  • Medium: Medium risk applies to situations where there are indications of medium-severity vulnerabilities being discussed in a public forum, but no clear evidence of active exploitation.
  • Low: Low risk findings include informational alerts about potential vulnerabilities that may not yet have been exploited or disclosed widely, requiring monitoring for future developments.
  • Info: Informational findings pertain to general discussions about the domain and its services without specific mention of vulnerabilities or exploits.

Example Findings:

  • A GitHub repository containing a PoC exploit script for a known vulnerability in Apache Tomcat (CVE-2021-24112).
  • An ExploitDB entry indicating an exploit for a recently disclosed vulnerability in Microsoft Exchange Server that could be used to gain unauthorized access.
  • Social media posts discussing potential exploits for the domain’s web application, prompting further investigation into the vulnerabilities and possible mitigations.

Purpose: The Weaponization Time Tracking Scanner is designed to detect the timeline from vulnerability discovery to exploitation and identify mass exploitation timing by analyzing threat intelligence feeds such as Shodan, VirusTotal, CISA KEV, and others. This tool helps in understanding how quickly vulnerabilities are being weaponized and exploited in the wild.

What It Detects:

  • Vulnerability Disclosure Timeline: Identifies the date of vulnerability disclosure using CVE IDs from the NVD/CVE database and tracks the time between vulnerability publication and first observed exploitation.
  • Mass Exploitation Timing: Detects patterns indicating mass exploitation, such as spikes in malicious activity or widespread scanning activities, by analyzing Shodan data to identify instances where a vulnerability is being actively scanned or exploited across multiple targets.
  • Known Exploited Vulnerabilities (KEV): Cross-references identified vulnerabilities with the CISA KEV list to determine if they are known to be exploited in the wild and provides insights into their severity and urgency for patching.
  • Malicious Activity Indicators: Uses VirusTotal API to check domain/IP reputation for malicious activity, identifying patterns indicative of malware, ransomware, or other forms of malicious software associated with the target domain.
  • Command and Control (C2) Server Detection: Searches for indicators related to command and control servers in Shodan results, analyzing network traffic data from Shodan to identify potential C2 server activities.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).

Business Impact: This scanner is crucial for organizations and security teams aiming to understand the speed at which vulnerabilities are being exploited in real-world scenarios. It helps prioritize patching efforts, enhance network security posture, and respond effectively to emerging threats by providing insights into the weaponization timeline and mass exploitation activities.

Risk Levels:

  • Critical: The scanner identifies critical vulnerabilities that are known to be actively exploited in the wild, indicating a high risk of immediate impact on systems and networks.
  • High: Vulnerabilities are identified with potential for rapid dissemination and exploitation, requiring prompt attention and mitigation strategies.
  • Medium: Vulnerabilities are detected but may not yet indicate widespread exploitation; however, they still pose a significant threat if exploited.
  • Low: Informational findings about vulnerabilities that have been disclosed but do not currently indicate active exploitation or high risk of impact.
  • Info: Findings related to general vulnerability information and trends that provide background knowledge but are less critical in terms of immediate security risks.

Example Findings:

  1. A critical vulnerability (e.g., CVE-2021-44228) was disclosed on December 10, 2021, with evidence of active exploitation across multiple targets identified through Shodan data.
  2. A high severity vulnerability (e.g., CVE-XXXX-XXXX) is known to be exploited in the wild and has been cross-referenced with the CISA KEV list, indicating a need for immediate patching and mitigation measures.

Purpose: The Exploit Broker Listings Scanner is designed to identify and analyze potential threats posed by zero-day exploits and vulnerability pricing in exploit broker listings. By scanning data from threat intelligence feeds such as Shodan, VirusTotal, CISA KEV, and dark web sources, this tool helps organizations detect possible vulnerabilities that could be exploited for malicious activities.

What It Detects:

  • Zero-Day Market Availability: Identifies mentions of zero-day exploits in dark web forums and marketplaces, as well as the listing of previously unknown vulnerabilities not yet patched.
  • Vulnerability Pricing: Extracts pricing information for specific vulnerabilities from exploit broker listings to assess their potential impact and availability.
  • Threat Indicators: Looks for patterns related to known vulnerabilities (e.g., CVE identifiers) and identifies mentions of malware, ransomware, trojans, command and control servers, phishing, and credential harvesting.
  • Exposure Indicators: Detects phrases indicating data exposure, leaks, or breaches, as well as instances of unauthorized access and data dumps.
  • Known Exploited Vulnerabilities (KEV): Cross-references detected vulnerabilities with the CISA KEV list to highlight vulnerabilities that are actively being used in attacks.

Inputs Required:

  • domain (string): Primary domain to analyze, providing a specific target for analysis and detection of potential threats.

Business Impact: This scanner is crucial for organizations aiming to secure their digital assets by identifying and mitigating the risks associated with zero-day exploits and exploitable vulnerabilities. Understanding the availability and pricing of such exploits can significantly enhance an organization’s security posture, enabling proactive measures to be taken against potential cyber threats.

Risk Levels:

  • Critical: Identifies vulnerabilities that have been exploited in real attacks or are highly critical due to their widespread use in malicious activities.
  • High: Indicates significant risks associated with known but unpatched vulnerabilities that could be easily exploited, posing a high threat to the organization’s security.
  • Medium: Detects vulnerabilities where exploitation might require some effort but still poses a potential risk if not addressed promptly.
  • Low: Informational findings about less critical vulnerabilities or indicators of exposure that do not currently pose an immediate threat.
  • Info: Provides general information on the reputation and activity related to the domain, useful for baseline security assessments.

Example Findings:

  • A zero-day exploit detected in a dark web forum indicating potential unauthorized access and data breaches.
  • A vulnerability listed with a high price suggesting its potential impact on critical systems if exploited.

Purpose: The Metasploit Module Tracking Scanner is designed to detect active development and usage of Metasploit modules in cyber campaigns by analyzing threat intelligence feeds such as Shodan, VirusTotal, CISA KEV, and the dark web. This tool helps identify potential exploitation activities targeting specific domains, enabling proactive security measures against malicious actors.

What It Detects:

  • Active Module Development Indicators: The scanner identifies new or recently updated Metasploit modules related to the target domain and those whose names and descriptions match known attack vectors.
  • Usage in Campaigns: It tracks mentions of Metasploit modules in threat intelligence feeds and analyzes dark web forums for discussions involving Metasploit usage against the target domain.
  • Vulnerability Exploitation Patterns: The scanner matches CVE identifiers linked to Metasploit modules with vulnerabilities affecting the target domain and identifies known exploited vulnerabilities (KEV) that have corresponding Metasploit modules.
  • IP Reputation Analysis: It checks IPs associated with the target domain for malicious activities using AbuseIPDB and Shodan, correlating these IPs with known Metasploit module usage patterns.
  • Domain/IP Reputation Analysis: The scanner evaluates the reputation of the target domain and its IPs using VirusTotal, identifying any suspicious activities or malware associations that could indicate exploitation attempts.

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com).

Business Impact: This tool is crucial for organizations aiming to secure their digital assets by proactively detecting potential cyber threats and vulnerabilities exploited through Metasploit modules. Understanding the active development and usage of these modules can help in implementing timely security patches and enhancing overall cybersecurity posture.

Risk Levels:

  • Critical: The scanner identifies new or recently updated Metasploit modules directly related to the target domain, indicating a high risk of immediate exploitation.
  • High: Tracking mentions of Metasploit modules in threat intelligence feeds and discussions on the dark web suggests significant potential for ongoing exploitation attempts targeting specific vulnerabilities.
  • Medium: Correlating IPs with known Metasploit module usage patterns points to moderate risk, potentially indicating targeted but less severe exploitation activities.
  • Low: Evaluating domain/IP reputation using VirusTotal and Shodan flags low risk unless there are indications of recent malicious activity or significant vulnerabilities affecting the organization’s systems.
  • Info: Informational findings such as general mentions of Metasploit without specific targeting do not pose immediate risks but should be monitored for trends that might indicate future threats.

Example Findings:

  1. The scanner detects a recently updated Metasploit module specifically targeting the finance sector, indicating an imminent high-risk exploitation attempt.
  2. Dark web discussions suggest multiple instances of attempted exploitation using known vulnerabilities linked to Metasploit modules, highlighting significant potential for ongoing threats.

Purpose: The CISA KEV Tracking Scanner is designed to identify and alert users about vulnerabilities in their systems that are known to have been exploited in the wild. By scanning for known exploited vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, this tool helps organizations ensure their systems are not vulnerable to widely recognized threats.

What It Detects:

  • CVE Presence in CISA KEV Catalog: Identifies CVEs associated with the domain that are listed in the CISA KEV catalog.
  • Malware or Ransomware Indicators: Detects mentions of malware, ransomware, or trojan activities related to the domain.
  • Command and Control (C2) Activity Indicators: Identifies references to command and control servers or activities that could indicate malicious activity.
  • Phishing and Credential Harvesting Indicators: Detects mentions of phishing attempts or credential harvesting efforts targeting the domain.
  • Exposure Indicators: Identifies signs of data exposure, leaks, breaches, unauthorized access, or data dumps related to the domain.
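The three scanners above share one core step: pull CVE identifiers out of text (repository descriptions, social posts, advisories), look each one up in the CISA KEV catalog, and measure how long the vulnerability took to reach that catalog after publication. The following is an added illustration of that step, not code from any of the scanners described on this page. It assumes the KEV feed's published JSON field names (cveID, dateAdded, dueDate, knownRansomwareCampaignUse); the catalog entries, publication dates and text snippets are constructed sample data, and the risk mapping follows the Critical/Low scale given on this page.

```python
import json
import re
from datetime import date

# Matches CVE identifiers as they appear in READMEs, posts or advisories.
# The sequence part is four or more digits, per the CVE ID syntax.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample in the JSON shape of the CISA KEV catalog feed.
# Field names follow the published feed; the entries are illustrative
# test data, not a copy of the real catalog.
SAMPLE_KEV_JSON = json.dumps({
    "title": "sample KEV catalog (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dateAdded": "2023-03-15",
         "dueDate": "2023-04-05", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed NVD-style publication dates for the CVEs used here.
SAMPLE_PUBLISHED = {
    "CVE-2021-44228": "2021-12-10",
    "CVE-2000-0001": "2023-03-01",
    "CVE-2000-0002": "2023-06-01",
}

# Constructed snippets standing in for repository text and social posts.
SAMPLE_TEXTS = [
    "PoC repository for cve-2021-44228 (log4shell) mentions acme.com",
    "writeup covers CVE-2000-0001 and CVE-2021-44228 on the customer portal",
    "mentions CVE-2000-0002 but no exploit attached",
]


def extract_cves(text):
    """Return the de-duplicated, upper-cased CVE IDs mentioned in text."""
    return sorted({f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)})


def load_kev(raw_json):
    """Index a KEV-format catalog by CVE ID for constant-time lookups."""
    catalog = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def days_to_kev(published, date_added):
    """Days from CVE publication to KEV listing: the weaponization window."""
    return (date.fromisoformat(date_added) - date.fromisoformat(published)).days


def assess(texts, kev, published):
    """Cross-reference every CVE mentioned in texts against the KEV index.

    Risk follows the page's scale: a KEV-listed CVE is Critical (known
    exploited in the wild); a disclosed CVE not in KEV is Low (monitor).
    """
    findings = []
    mentioned = {cve for text in texts for cve in extract_cves(text)}
    for cve in sorted(mentioned):
        entry = kev.get(cve)
        if entry is None:
            findings.append({"cve": cve, "risk": "Low", "in_kev": False,
                             "days_to_kev": None, "ransomware": None,
                             "due_date": None})
            continue
        pub = published.get(cve)
        findings.append({
            "cve": cve,
            "risk": "Critical",
            "in_kev": True,
            # None when the publication date is unknown rather than a guess
            "days_to_kev": days_to_kev(pub, entry["dateAdded"]) if pub else None,
            "ransomware": entry.get("knownRansomwareCampaignUse"),
            "due_date": entry.get("dueDate"),
        })
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_TEXTS, load_kev(SAMPLE_KEV_JSON), SAMPLE_PUBLISHED):
        print(finding)
```

In a live deployment the constructed catalog would be replaced by the downloaded KEV JSON and the publication dates by NVD lookups; the cross-reference and the days_to_kev arithmetic stay the same. A zero-day window (publication and KEV listing on the same day, as with the constructed CVE-2021-44228 entry) is the signal the Weaponization Time Tracking description calls mass exploitation timing, and the dueDate field gives the patch deadline the CISA KEV scanner's Critical level refers to.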

Inputs Required:

  • domain (string): Primary domain to analyze (e.g., acme.com). This is essential for scanning and identifying potential vulnerabilities associated with the specified domain.

Business Impact: Ensuring that systems are not vulnerable to known exploited vulnerabilities from the CISA KEV catalog is crucial for maintaining a secure network environment. Detecting such vulnerabilities early can prevent potential data breaches, system compromises, and other security incidents that could lead to significant financial losses and reputational damage.

Risk Levels:

  • Critical: The scanner identifies CVEs directly linked to exploited vulnerabilities in the CISA KEV catalog. This is highly critical as it indicates a direct risk of active exploitation.
  • High: Indicators for malware, ransomware, trojans, or command and control activities suggest high risk due to potential malicious activity targeting the domain.
  • Medium: Phishing mentions or credential harvesting could lead to unauthorized access or data breaches, posing medium risk. Exposure indicators might not be directly exploitative but still indicate significant security concerns.
  • Low: Informational findings such as exposed data or leaked information are less severe but should still be addressed for overall network hygiene and compliance with security standards.
  • Info: These include any minor findings that do not significantly impact the system’s security posture but can be useful for ongoing monitoring and improvement.

Example Findings:

  1. The scanner identifies a CVE associated with a known exploited vulnerability from the CISA KEV catalog, indicating a critical risk of immediate exploitation.
  2. Detection of malware or ransomware activity on systems linked to the domain suggests a high-risk scenario where unauthorized access and data compromise are possible.