Initial Access Intelligence

IP Intelligence

VulnCheck Initial Access Intelligence includes tracking of potentially vulnerable systems that may be targeted by initial access exploits as well as tracking of command & control (C2) attacker infrastructure.

Detection Types

Command & Control (C2) Attacker Infrastructure

VulnCheck fingerprints dozens of Command and Control (C2) attacker infrastructure types, including Havoc, Sliver, Meterpreter, and others. VulnCheck combines these fingerprints with existing Internet infrastructure mapping services (such as Shodan or Censys) and with VulnCheck-developed scanners to maintain a list of known-bad IP addresses.

VulnCheck's C2 denylists, which maintain an index of live Command and Control (C2) infrastructure, can be imported directly into commercial threat intelligence platforms (TIPs) and threat intelligence workflows, so that communications with known C2 infrastructure can be denylisted immediately.

Potentially Vulnerable Systems

For each vulnerability that VulnCheck has developed detection artifacts for, VulnCheck measures its potential exposure on the open Internet.

VulnCheck uses both publicly available systems for measuring exposure (e.g., Shodan) and VulnCheck scan infrastructure tailored to the vulnerability. For example, in the case of PaperCut, VulnCheck measures exposure using Shodan search queries that may uniquely identify potentially vulnerable systems, whereas in the case of the Cisco IOS XE vulnerability, VulnCheck measures exposure using VulnCheck-authored scanners focused on detecting devices that have already been compromised and implanted.

API Query Parameters

VulnCheck Initial Access Intelligence makes it easy to query our IP Intelligence data set with a number of API query parameters, useful for filtering the results. Supported API query parameters are as follows:

Query Parameter   Description
asn               Filter based on ASN, e.g., "AS719"
cidr              Filter based on IP address or range, e.g., "165.227.231.125"
country           Filter based on country, e.g., "Australia"
country_code      Filter based on country_code, e.g., "AU"
id                Filter based on supported detection types, e.g., "c2" or "initial-access"

Example API Queries

VulnCheck Initial Access Intelligence supports a wide range of use cases.

C2 Detections in Sweden

By combining two of the API query parameters (country and id) we can quickly zoom in on Command & Control (C2) detections in a given geography -- in this case, Sweden.

curl --request GET \
    --url 'https://api.vulncheck.com/v3/index/ipintel-3d?id=c2&country=Sweden' \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'

Note that the URL is quoted: an unquoted & would be interpreted by the shell as a background operator and the country filter would be dropped.

Offline Backups Available

Offline Backup    Description
ipintel-3d        IP Intelligence detections for the past 3 days
ipintel-10d       IP Intelligence detections for the past 10 days
ipintel-30d       IP Intelligence detections for the past 30 days
ipintel-90d       IP Intelligence detections for the past 90 days

To request a specific offline backup, call /v3/backup/:index, replacing :index with one of the backup names above (ipintel-3d shown below):

curl --request GET \
    --url https://api.vulncheck.com/v3/backup/ipintel-3d \
    --header 'Accept: application/json' \
    --header 'Authorization: Bearer insert_token_here'