Detection Artifacts
VulnCheck's Initial Access Intelligence product provides organizations with in-house developed exploit PoCs, packet captures (PCAP files), Suricata & Snort signatures to detect exploitation, YARA rules (when possible), CPE strings, version scanners, mapping to GreyNoise tags, and measuring Internet-level exposure of potentially vulnerable systems using Censys & Shodan. VulnCheck packages these detection artifacts for organizations to detect & respond.
Our detection artifacts enable organizations to respond to the latest vulnerabilities, likely to be involved in widespread attacks and data breaches, by implementing defensive measures and testing their security posture.
Detection Artifacts Included
Licensed subscribers of VulnCheck Initial Access Intelligence are able to download the following detection artifacts for covered vulnerabilities:
| Detection Artifact | Description |
|---|---|
| Exploit PoC | In-house developed Exploit PoC designed to test whether devices or applications are actually vulnerable |
| Version Scanner | A version scanner, wired into the Exploit PoC, designed to assess whether systems are vulnerable based on a version, without sending exploit payload |
| Packet Capture (PCAP) | A packet capture (PCAP) of the Exploit PoC exploiting a vulnerable system |
| Suricata Rule | A Suricata rule designed to detect the exploitation of the vulnerability over the network |
| Snort Rule | A Snort rule designed to detect the exploitation of the vulnerability over the network |
| YARA Rule | A YARA rule designed to detect the exploit on an endpoint |
| Nmap Scripts | An Nmap script for scanning environment using the widely used Nmap network scanner |
| Target Docker | A docker-compose or Dockerfile containing the vulnerable service for testing |
Metadata Available
In addition to the above detection artifacts (files), VulnCheck Initial Access includes metadata about the potential exposure of the vulnerability. Organizations on the VulnCheck platform, regardless of whether they have purchased VulnCheck Initial Access Intelligence or not, may access the following metadata from VulnCheck Initial Access Intelligence.
| Metadata | Description |
|---|---|
| Included in KEV | Whether the Vulnerability is currently in the CISA KEV list or not |
| CPE | Common Platform Enumeration (CPE) strings of potentially vulnerable systems |
| Vendor | Vendor associated with target of the detection artifacts |
| Products | Product(s) associated with the target of the detection artifacts |
| Date Added | The date the detection artifacts were first made available |
| Artifact Description | A name or description of the detection artifact collection |
| Censys Queries | Example Censys queries for examining potential Internet-exposed devices & applications |
| Shodan Queries | Example Shodan queries for examining potential Internet-exposed devices & applications |
| GreyNoise Queries | Example GreyNoise queries for finding the vulnerability via honeypot data |
Coverage Strategy
The VulnCheck Initial Access Intelligence product covers a limited subset of known vulnerabilities, those vulnerabilities likely to become widely exploited in the future.
Example Initial Access Artifacts
VulnCheck Initial Access Intelligence example record for PaperCut (CVE-2023-27350)
