Vulnerability Enrichment
The VulnCheck Vulnerability Intelligence service provides vulnerability generation and enrichment services that are then incorporated into VulnCheck's Exploit (exploits) and Vulnerability Intelligence (vulncheck-nvd and vulncheck-nvd2) services.
Vulnerability Enrichment and Generation Services Include:
- Botnet Attribution
- CAPEC
- CPE (Common Platform Enumeration)
- CWE (Common Weakness Enumeration)
- CVSS-BT (Common Vulnerability Scoring System Base / Temporal Scoring)
- CVSS V4 (Common Vulnerability Scoring System)
- Exploit Chains
- Known Exploited Vulnerabilities
- MITRE ATT&CK Mappings
- Ransomware Attribution
- References
- Threat Actor Attribution
- Vulnerability Categorizations
- Vulnerability Status
Botnet Attribution
The VulnCheck Botnets index contains data related to various botnets. The index contains listings of botnets and citations for the CVEs they have been known to use.
Download the Botnets index
The VulnCheck API makes it easy to download VulnCheck Vulnerability Intelligence. To start, simply query the botnets backup via the /v3/backup/botnets API as follows:
curl --request GET \
--url https://api.vulncheck.com/v3/backup/botnets \
--header 'Accept: application/json' \
--header 'Authorization: Bearer insert_token_here'
Access Individual Botnet Records
The VulnCheck API makes it easy to get started with VulnCheck Exploit & Vulnerability Intelligence. To start, simply query the botnets index via the /v3/index/botnets?botnet=:botnet API as follows:
curl --request GET \
--url 'https://api.vulncheck.com/v3/index/botnets?botnet=Fbot' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer insert_token_here'
The above example searches the botnets index for information on Fbot.
Example API Response for Individual Botnet Records
After calling the /v3/index/botnets?botnet=Fbot API endpoint with a valid botnet name (such as Fbot), data similar to the below will be returned:
{
"data": [
{
"botnet_name": "Fbot",
"date_added": "2019-02-20T00:00:00Z",
"malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot",
"cve_references": [
{
"url": "https://www.trendmicro.com/vinfo/fr/security/news/internet-of-things/mirai-updates-new-variant-mukashi-targets-nas-devices-new-vulnerability-exploited-in-gpon-routers-upx-packed-fbot",
"date_added": "2020-03-25",
"cve": [
"CVE-2016-20016",
"CVE-2017-17215"
]
},
{
"url": "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
"date_added": "2021-03-03",
"cve": [
"CVE-2020-9020"
]
},
{
"url": "https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/",
"date_added": "2019-02-20",
"cve": [
"CVE-2022-45045"
]
},
{
"url": "https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild",
"date_added": "2021-08-27",
"cve": [
"CVE-2021-35394"
]
}
],
"cve": [
"CVE-2016-20016",
"CVE-2017-17215",
"CVE-2020-9020",
"CVE-2022-45045",
"CVE-2021-35394"
],
"_timestamp": "2024-01-29T21:21:48.319162Z"
}
]
}
The above example response shows what the botnets index returns for Fbot.
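One way to consume a botnets record on the defensive side, as an added example that is not VulnCheck's own code: it indexes the citations per CVE, flags citations dated earlier than the year in the CVE ID (the CVE was assigned after the report, or the date needs review), and matches the record against an inventory of unpatched CVEs. The function names and the open_cves inventory are assumptions made for illustration.

```python
import json

# Sample input: the Fbot record from the response above, reduced to the fields used here.
SAMPLE = json.loads("""
{"data": [{"botnet_name": "Fbot", "cve_references": [
  {"url": "https://www.trendmicro.com/vinfo/fr/security/news/internet-of-things/mirai-updates-new-variant-mukashi-targets-nas-devices-new-vulnerability-exploited-in-gpon-routers-upx-packed-fbot",
   "date_added": "2020-03-25", "cve": ["CVE-2016-20016", "CVE-2017-17215"]},
  {"url": "https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
   "date_added": "2021-03-03", "cve": ["CVE-2020-9020"]},
  {"url": "https://blog.netlab.360.com/the-new-developments-of-the-fbot-en/",
   "date_added": "2019-02-20", "cve": ["CVE-2022-45045"]},
  {"url": "https://blogs.juniper.net/en-us/threat-research/realtek-cve-2021-35394-exploited-in-the-wild",
   "date_added": "2021-08-27", "cve": ["CVE-2021-35394"]}],
 "cve": ["CVE-2016-20016", "CVE-2017-17215", "CVE-2020-9020", "CVE-2022-45045", "CVE-2021-35394"]}]}
""")

def citations_by_cve(record):
    """Map each CVE to its citations as (date_added, url) tuples, oldest first."""
    out = {}
    for ref in record.get("cve_references", []):
        for cve in ref.get("cve", []):
            out.setdefault(cve, []).append((ref["date_added"], ref["url"]))
    return {cve: sorted(refs) for cve, refs in out.items()}

def predated_citations(record):
    """(cve, date) pairs where the citation year is earlier than the CVE ID year."""
    return sorted(
        (cve, date)
        for cve, refs in citations_by_cve(record).items()
        for date, _url in refs
        if int(date[:4]) < int(cve.split("-")[1]))

def triage(response, open_cves):
    """Findings for inventory CVEs (open_cves, hypothetical) that a botnet is cited as using."""
    findings = []
    for record in response.get("data", []):
        cited = citations_by_cve(record)
        for cve in sorted(set(record.get("cve", [])) & set(open_cves)):
            first_date, first_url = cited.get(cve, [(None, None)])[0]
            findings.append({"botnet": record["botnet_name"], "cve": cve,
                             "first_cited": first_date, "source": first_url})
    return findings
```

On the Fbot record, predated_citations returns the CVE-2022-45045 entry, whose citation is dated 2019-02-20.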
CAPEC (Common Attack Pattern Enumeration and Classification)
VulnCheck generates CAPEC Attack Patterns which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2.
Example CAPEC Attack Pattern
"relatedAttackPatterns": [
{
"lang": "en",
"capec_id": "CAPEC-100",
"capec_name": "Overflow Buffers",
"capec_url": "https://capec.mitre.org/data/definitions/100.html"
}
]
The above example shows CAPEC data that the vulncheck-nvd2 index returns for CVE-2024-21762.
CPE (Common Platform Enumeration)
VulnCheck generates CPE for CVEs which can be accessed on the cve record in nist-nvd, nist-nvd2, vulncheck-nvd, and vulncheck-nvd2.
For more details on using VulnCheck generated CPE, see CPE Generation.
CWE (Common Weakness Enumeration)
VulnCheck generates and collects CWE from multiple sources for CVEs which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2.
CVSS-BT (Common Vulnerability Scoring System Base / Temporal Scoring)
VulnCheck generates CVSS Threat and Temporal scores for CVSS V2, V3, V3.1 and V4 using VulnCheck's Exploit Intelligence for CVEs which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2.
Example CVSS Temporal Score
"temporalCVSSV31": {
"version": "3.1",
"vectorString": "E:H/RL:X/RC:C",
"exploitCodeMaturity": "HIGH",
"remediationLevel": "NOT_DEFINED",
"reportConfidence": "CONFIRMED",
"temporalScore": 9.8,
"associatedBaseMetricV3": {
"source": "nvd@nist.gov",
"type": "Primary",
"baseScore": 9.8
}
}
The above example shows CVSS Temporal data that the vulncheck-nvd2 index returns for CVE-2024-21762.
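A consumer can recompute the temporal score from the record's own fields to see how exploit maturity moves it. The following is an added example, not VulnCheck's code: it applies the temporal equation and metric weights from the FIRST CVSS v3.1 specification to the temporalCVSSV31 object shown above; the function names are assumptions.

```python
import math

# Temporal metric weights from the FIRST CVSS v3.1 specification.
WEIGHTS = {
    "E":  {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91},  # exploit code maturity
    "RL": {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95},  # remediation level
    "RC": {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92},             # report confidence
}

# Sample input: the temporalCVSSV31 object from the example above.
SAMPLE = {
    "version": "3.1", "vectorString": "E:H/RL:X/RC:C", "temporalScore": 9.8,
    "associatedBaseMetricV3": {"source": "nvd@nist.gov", "type": "Primary", "baseScore": 9.8},
}

def roundup(value):
    """CVSS v3.1 Roundup: smallest one-decimal number >= value, safe against float error."""
    scaled = int(round(value * 100000))
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0

def temporal_score(base_score, vector):
    """Roundup(base * E * RL * RC); a metric missing from the vector counts as X."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    score = base_score
    for metric, table in WEIGHTS.items():
        code = metrics.get(metric, "X")
        if code not in table:
            raise ValueError(f"unknown value {code!r} for metric {metric}")
        score *= table[code]
    return roundup(score)

def check_record(temporal):
    """Return (recomputed_score, matches_reported) for a temporalCVSSV31 object."""
    base = temporal["associatedBaseMetricV3"]["baseScore"]
    recomputed = temporal_score(base, temporal["vectorString"])
    return recomputed, abs(recomputed - temporal["temporalScore"]) < 0.05
```

With the same 9.8 base score, a vector of E:P/RL:O/RC:R recomputes to 8.5, which shows how much of the reported 9.8 depends on the exploit maturity being HIGH.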
CVSS V4 (Common Vulnerability Scoring System)
VulnCheck collects CVSS V4 scores from multiple sources for CVEs which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2.
Example CVSS V4 Score
"cvssMetricV40": [
{
"source": "MITRE-CVE: cisa-cg",
"type": "Secondary",
"cvssData": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"threatCVSSV40Secondary": [
{
"exploitMaturity": "ATTACKED",
"associatedBaseMetricV40": {
"source": "MITRE-CVE: cisa-cg",
"type": "Secondary",
"baseScore": 8.7
}
}
]
Exploit Chains
VulnCheck identifies exploit chains from multiple sources which can be accessed on the cve record in exploit-chains.
Known Exploited Vulnerabilities
VulnCheck identifies known exploited vulnerabilities from hundreds of sources which can be accessed on the cve record in exploits and vulncheck-kev.
MITRE ATT&CK Mappings
VulnCheck generates MITRE ATT&CK mappings which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2.
Example MITRE ATT&CK Mapping
"mitreAttackTechniques": [
{
"id": "T0819",
"url": "https://attack.mitre.org/techniques/T0819",
"name": "Exploit Public-Facing Application",
"domain": "ICS",
"tactics": [
"initial-access"
],
"subtechnique": false
},
{
"id": "T0866",
"url": "https://attack.mitre.org/techniques/T0866",
"name": "Exploitation of Remote Services",
"domain": "ICS",
"tactics": [
"initial-access",
"lateral-movement"
],
"subtechnique": false
}
]
The above example shows MITRE ATT&CK data that the vulncheck-nvd2 index returns when mappings are available.
Ransomware Attribution
The VulnCheck ransomware index contains data related to ransomware. The index contains listings of ransomware and citations for the CVEs they have been known to use.
Example API Response for Individual Ransomware Records
"ransomware_family": "Cactus",
"malpedia_url": "https://malpedia.caad.fkie.fraunhofer.de/details/win.cactus",
"cve_references": [
{
"url": "https://www.arcticwolf.com/resources/blog/qlik-sense-exploited-in-cactus-ransomware-campaign/",
"date_added": "2023-11-28",
"cve": [
"CVE-2023-41266",
"CVE-2023-48365"
]
},
{
"url": "https://blog.fox-it.com/2024/04/25/sifting-through-the-spines-identifying-potential-cactus-ransomware-victims/",
"date_added": "2024-04-25",
"cve": [
"CVE-2023-41266",
"CVE-2023-41265"
]
}
// ...
],
"cve": [
"CVE-2023-41266",
"CVE-2023-48365"
References
VulnCheck collects references from hundreds of sources across the world for CVEs which can be accessed on the cve record in vulncheck-nvd1 and vulncheck-nvd2. We also provide many of the reference sources as indices which you can browse.
Threat Actor Attribution
VulnCheck tracks hundreds of named threat actors who have been reported to exploit specific vulnerabilities in the wild. The VulnCheck threat-actors index contains data related to various threat actors and CVE counts for threat actors, and is incorporated into the exploits index. The index contains listings of threat actors and citations for the CVEs they have been known to use.
VulnCheck tracks Advanced Persistent Threat (APT), named Threat Actors, ransomware groups, botnets, and other adversaries. We track a wide variety of named threat actors, including Threat Actors from Russia & China, as well as Threat Actors who have been reported to target Industrial Control Systems & Operational Technology (ICS/OT). VulnCheck collects Threat Actor information from a wide variety of sources and then assembles this disparate information into the industry’s most easily consumable exploit intelligence offering, VulnCheck Exploit & Vulnerability Intelligence.
With VulnCheck Exploit & Vulnerability Intelligence, threat actors can easily be looked up by a wide variety of names and naming schemes.
In the Cybersecurity industry there exist many different naming schemes for Threat Actors. Each Cybersecurity vendor tends to name Threat Actors using their own methodologies, which makes correlating Threat Actor behaviors more challenging. At VulnCheck, we support researching Threat Actors using a wide variety of options.
MITRE ATT&CK Group Names
Many organizations rely on MITRE ATT&CK Group names for Threat Actors. VulnCheck Exploit & Vulnerability Intelligence includes the MITRE ATT&CK Group name, as well as the aliases, as shown below:
{
"name": "Dragonfly",
"aliases": [
"Dragonfly",
"TG-4192",
"Crouching Yeti",
"IRON LIBERTY",
"Energetic Bear"
]
}
MISP Threat Actor Names
Many other organizations rely on MISP Threat Actor names for correlating Threat Actor behaviors. VulnCheck Exploit Intelligence includes the MISP Threat Actor names (the value field below), as well as the aliases, shown below as synonyms:
{
"synonyms": [
"Dragonfly",
"Crouching Yeti",
"Group 24",
"Havex",
"CrouchingYeti",
"Koala Team",
"IRON LIBERTY"
],
"value": "Energetic Bear"
}
Cybersecurity Vendor Names
Some Cybersecurity vendors have their own naming schemes and make them straightforward to follow. In these cases, VulnCheck Exploit & Vulnerability Intelligence also includes the Threat Actor names used by the vendor. The naming schemes VulnCheck Exploit & Vulnerability Intelligence supports natively are the CrowdStrike, Dragos, Mandiant, and Microsoft naming systems.
"vendor_names_for_threat_actors": [
{
"vendor_name": "CrowdStrike",
"threat_actor_name": "Fancy Bear"
},
{
"vendor_name": "Mandiant",
"threat_actor_name": "APT28",
"url": "https://www.mandiant.com/resources/insights/apt-groups"
}
]
Regardless of what Threat Actor naming scheme your organization uses, VulnCheck Exploit & Vulnerability Intelligence makes it easy to find the Threat Actors you're looking for.
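The three naming schemes above can be folded into one lookup so that detections and reports written under different vendor names correlate to the same actor. This is an added example, not VulnCheck's code: it merges name lists that share an entry using union-find over normalized names, taking the record fragments shown above as input; the class and function names are assumptions, as is treating the vendor list as belonging to a single actor record.

```python
import re

# Record fragments copied from the examples above (vendor url field omitted).
MITRE = {"name": "Dragonfly", "aliases": ["Dragonfly", "TG-4192", "Crouching Yeti",
                                          "IRON LIBERTY", "Energetic Bear"]}
MISP = {"value": "Energetic Bear", "synonyms": ["Dragonfly", "Crouching Yeti", "Group 24", "Havex",
                                                "CrouchingYeti", "Koala Team", "IRON LIBERTY"]}
VENDOR = [{"vendor_name": "CrowdStrike", "threat_actor_name": "Fancy Bear"},
          {"vendor_name": "Mandiant", "threat_actor_name": "APT28"}]

def norm(name):
    """Fold case and drop spaces and punctuation: 'CrouchingYeti' == 'crouching-yeti'."""
    return re.sub(r"[^a-z0-9]", "", name.lower())

class AliasIndex:
    """Union-find over normalized names; lists that share a name become one actor."""
    def __init__(self):
        self.parent, self.display = {}, {}

    def _find(self, key):
        while self.parent[key] != key:
            self.parent[key] = self.parent[self.parent[key]]  # path halving
            key = self.parent[key]
        return key

    def add_group(self, names):
        keys = [norm(n) for n in names]
        for key, name in zip(keys, names):
            self.parent.setdefault(key, key)
            self.display.setdefault(key, name)  # keep the first spelling seen
        for key in keys[1:]:
            self.parent[self._find(key)] = self._find(keys[0])

    def aliases(self, name):
        """All known spellings for the actor that 'name' belongs to, or an empty set."""
        key = norm(name)
        if key not in self.parent:
            return set()
        root = self._find(key)
        return {self.display[k] for k in self.parent if self._find(k) == root}

    def same_actor(self, a, b):
        return norm(b) in {norm(n) for n in self.aliases(a)}

def build_index():
    index = AliasIndex()
    index.add_group([MITRE["name"], *MITRE["aliases"]])
    index.add_group([MISP["value"], *MISP["synonyms"]])
    index.add_group([v["threat_actor_name"] for v in VENDOR])  # assumed: one actor's vendor list
    return index
```

Merging is transitive, so one over-broad entry in a source list (a malware family name used as a synonym, for instance) joins every list that contains it; review large clusters before alerting on them.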
Vulnerability Categorizations
VulnCheck generates categorizations for CVEs which can be accessed on the cve record in vulncheck-nvd and vulncheck-nvd2. Categorizations include ICS/OT, IoMT, IoT, Mobile, Server Software, and more.
Example Vulnerability Categorization
"categorization": {
"tags": [
"ICS/OT",
"IoT"
]
}
Vulnerability Status
VulnCheck Exploit & Vulnerability Intelligence maintains a Vulnerability Status field in the header of vulnerability requests. The Vulnerability Status field helps distinguish between confirmed vulnerabilities and other vulnerabilities with a different status, such as disputed or rejected vulnerabilities.
Vulnerability Status Definitions
Status | Meaning |
---|---|
Confirmed | The most common vulnerability status. Most vulnerabilities have a status of Confirmed. |
Disputed | If a vulnerability is disputed, for whatever reason, a vulnerability has a status of Disputed. |
Pending | CVEs that do not currently have a description live in NVD and are not set to another status, such as Reserved, are set to Pending. |
Rejected | If a vulnerability has been rejected for whatever reason, it has a status of Rejected. |
Reserved | CVEs that have been reserved in blocks by CVE Numbering Authorities (CNA) have a status of Reserved if they have not yet been published by NIST. |
Unsupported | If the CVE, at the time of publication, has been reported in End of Life or otherwise unsupported software, the vulnerability status is set to Unsupported. |
Unverifiable | If the vulnerability information is ambiguous and cannot be verified, the status is set to Unverifiable. |
The above table shows the currently available statuses in the VulnCheck vulnerability status field.